I have VC 2.0.1 running with several 3.0.1 ESX boxes under it. Each ESX box has several VMs. If I want to grant web access to one VM individually, what is the best way to do it?
It seems that only a root account can log on to the ESX box itself (not VC) in Web Access, so I do not want to have to create a root account for someone to administer one VM.
I have read many posts regarding web access, but I am still unclear.
Thanks in advance
In VC, open the permissions tab for that single vm and add/grant vm administrator permissions for the user you want to have access to the vm. When they log into VC or the web console they will only get access to that single VM.
Message was edited by:
conradsia
In addition, if you want to go further into it you could create a more granular role than administrator. Go to the 'Admin' section of VC and under the 'Roles' tab you could create a new one for whatever you want. I do this to prevent virtual hardware changes, etc.
Once you get the permissions done, log into the web interface and then you can copy the direct web link to the VM and send it to the user...
In VC you simply right click on the VM/Resource Group and select 'Add Permission'; permissions are propagated down by default. Apply user accounts from there and specify their individual permissions. Once the newly permissioned user logs into the VC IP from a browser he will only be able to do what you have specified.
If you log into a host's IP the user account won't have access at all (even after doing the above). You can set up local accounts on individual ESX hosts; however, when you VMotion VMs around that would get messy. The permissions on a per-host basis are not granular, only Read-Only, Administrator and No-Access.
I hope this answers your question.
Hi,
The easiest way would be to log on to the Virtual Center Webservice, select the targeted VM, and generate a unique access URL. (I don't remember the real name but it's something like "Generate unique web access url")
Then to access that "specified" VM just use the given url. (works nicely)
Hope this helps,
Regards.
The Generate random console URL is useful; however, you have to permission it for individuals in the same way as already stated.
when you click on e.g.
It still needs authentication.
thanks everyone for the responses
I have set a user to have 'No Access' to the entire data center, but allowed 'VM User' access to the one specific VM. It worked because the permissions at the individual object level can supersede the global permission. (I also used this to hide our Nexus switches from myself so I never accidentally power cycle them!)
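
The behaviour discussed in this thread (permissions propagating down by default, with an assignment on the object itself overriding the inherited one) can be checked with a small model. This is an added example, not code from any poster or from VMware: it is a simplified single-user model of permission resolution, and the inventory names (`esx01`, `vm-app01`, the user names) are constructed for illustration.

```python
# Simplified model (assumption): one role per user per object, no groups.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    perms: dict = field(default_factory=dict)  # user -> (role, propagate)

    def grant(self, user, role, propagate=True):
        self.perms[user] = (role, propagate)


def effective_role(node, user):
    """Nearest assignment wins: a permission set on the object itself beats
    anything inherited; an ancestor's permission counts only if it propagates."""
    current = node
    while current is not None:
        if user in current.perms:
            role, propagate = current.perms[user]
            if current is node or propagate:
                return role
        current = current.parent
    return "No Access"  # nothing assigned anywhere on the path


def visible_vms(vms, user):
    """Names of the VMs the user would see after logging in."""
    return [vm.name for vm in vms if effective_role(vm, user) != "No Access"]


# Constructed sample inventory: datacenter -> host -> three VMs.
dc = Node("Datacenter")
host = Node("esx01", dc)
vm_a = Node("vm-app01", host)
vm_b = Node("vm-db01", host)
vm_c = Node("vm-web01", host)
ALL_VMS = [vm_a, vm_b, vm_c]

dc.grant("alice", "No Access")                   # deny at the top
vm_a.grant("alice", "VM User")                   # allow on the single VM
dc.grant("admin1", "Administrator")              # propagates to everything
host.grant("bob", "Read-Only", propagate=False)  # host only, not its VMs

if __name__ == "__main__":
    for user in ("alice", "admin1", "bob"):
        print(user, {vm.name: effective_role(vm, user) for vm in ALL_VMS})
```

Running the same check against an export of real permission assignments is a quick way to confirm that a delegated user resolves to exactly one VM before the console link is sent out.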