VMware Cloud Community
GlenMarquis2
Enthusiast

Local Administrators/Security Policies

Hi,

I have encountered this previously, however cannot remember the policies that need to be modified.

Can anyone help with regards to which Windows Security Policies you need to be a member of in order for your AD group/account to be permissioned and function correctly against a single object in VC?

Now that we have removed Local Administrators from having full access to the VC, virtual centre no longer applies rights to permissioned objects using AD groups or users!?!?

Regards,

Glen.

14 Replies
dmaster
VMware Employee

I believe this is the document which contains that information.

GlenMarquis2
Enthusiast

I have configured an AD user account only to have full 'Administrator' (propagate ticked) to a resource pool; this user however does not have full rights, i.e. cannot create a VM etc. within the Resource Pool.

dmaster
VMware Employee

Did you create a custom security role in VirtualCenter and assign your AD account to it?

Without the security roles it's not working; you can also use existing security roles.

GlenMarquis2
Enthusiast

I used the Administrator security role on the Resource Pool; however, that AD account doesn't have sufficient permissions.

dmaster
VMware Employee

Maybe something went wrong when you added the account to VirtualCenter.

I quickly tested your setup and we have no problems at all with it:

1) I created a normal user account without any special privileges, just default.

2) I added this AD account to VirtualCenter at the highest level with the Administrator role.

3) Removed the default Administrators group from VirtualCenter.

4) Now I log in to VirtualCenter with the new account, and I still have all the rights available.

Did you add your AD account by just specifying domain/user? See screenshots.

GlenMarquis2
Enthusiast

That is exactly what I've done to enable the AD account 'virtualcentre' Administrator rights over one Resource Pool.

However the account cannot even create or power on any VMs, let alone anything else.

JohnGibson
Hot Shot

There is a bug in VC, and assigning specific permissions at a lower level in the tree structure sometimes fails. Try granting a Read-Only role to the user at the top level and see if that fixes it.

dmaster
VMware Employee

At what level did you add the account with the administrative role? In my test I added the account at the third level ("ESX cluster 1"):

Hosts & Clusters > Datacenter > ESX cluster 1

Could be a good point from John.

hicksj
Virtuoso

I'm not sure it's a bug.

A user requires Read-Only at the root (non-propagating) should they need to use previously defined Customizations.

A user requires read-only at the Data Center should they need to browse datastores to search for an ISO image.

A user requires sufficient permissions at a Folder (under Virtual Machines & Templates) should they need to create VMs. Assigning permissions only at the RP level (under Hosts & Clusters) is not sufficient.

GlenMarquis2
Enthusiast

This is occurring with VC 2.5, so it may be a bug in VC 2.5, however -

You should be able to permission any Resource Pool with any AD/User/Group using any VC Role, and hey presto on the fly, done.

Without needing even 'Read Only' on the DC/Cluster or anywhere else, just the default Administrator role on any object and done.

We have an older 2.0 farm; I will compare and post shortly.

I have seen this before; I needed to play with the server's local security policy to enable non-Windows Administrators to have child object access, but this was with VC 2.0 around 8 months ago at a different site.

Texiwill
Leadership

Hello,

Roles and permissions are not top down. You cannot assign a more restrictive role above a less restrictive role. If you do that the less restrictive role applies. Also, the local administrator is your only hope of recovery in this case.

Now a few other things: assigning permissions to a Resource Pool does NOT necessarily assign permissions to Virtual Machines. Remember you need to assign the permissions to the object that controls those permissions. Resource Pool permissions apply only to resource-related items. If you want VM-related items you should assign those same permissions under the Virtual Machines and Templates inventory view.

My Host and Clusters and Virtual Machine And Template views mimic each other. Where there is a resource pool I place a folder. Most if NOT all my permissions are on the Virtual Machine and Template folder. If they need resource pool perms as well I place them on the resource pool.

Again, the permissions you want, say power on or off a VM, should be on the object that controls that permission. In this case the VM folder and not a resource pool. Roles and Permissions can be very simple or very complex, but they are always confusing and counter-intuitive. For example, you really only want to place the perm on the object and nothing above it. So if I have:

Datacenter->Folder->VM

I would place the VM only perm on the VM not the folder. If I have a folder level perm it would be on the Folder. There is no need to place anything on any other object.

Also, the Local Administrator is your only hope of fixing some R&P issues as it is always the Administrator. Unless you changed that as well, if so then you may not be able to fix the issue.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
GlenMarquis2
Enthusiast

Hi Texiwill,

I have found today, after a bit of non-production play time, that indeed Read Only at the Hosts & Clusters root is not needed.

The minimum needed to assign, e.g., the 'Virtual Machine Administrator' role only to a Resource Pool can be achieved as follows -

Hosts & Clusters

I am certain that in VC 2.0 the above was not needed; a Role could be assigned to a Resource Pool and this automatically enabled the Role elsewhere!?!?

Texiwill
Leadership

Hello,

Hosts & Clusters <none specified/needed>

Datacenter <Read Only, propagate un-ticked>

Cluster <Read Only, propagate ticked>

I do not use the above. I just set on the folder as you do below. It implies everything above is non-accessible.

Folder <Virtual Machine Administrator, propagate ticked> Same name as Resource Pool name.

Other Folder(s) <No Access> to remove from view if required/needed.

If the folders are below the folder mentioned above then this is necessary otherwise it is not. This is because you placed Read Only above the folder where you want to place the access.

Resource Pool <Virtual Machine Administrator, propagate ticked>

->VM <new VMs will receive access via propagation from Resource Pool>

I tend not to do the above unless DRS is in use, then you need to as Resource Pools control where the VM is placed.

I am certain that in VC 2.0 the above was not needed; a Role could be assigned to a Resource Pool and this automatically enabled the Role elsewhere!?!?

I always found it was needed, mainly because if you do not do it the above method then WebAccess interprets the permissions differently, which affects any scripting tool you use, etc.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

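The folder-plus-resource-pool layout Texiwill lays out above, and hicksj's earlier point that a Resource Pool permission alone does not cover VM creation, expressed as a PowerCLI script. This is an added example, not code from the thread or from VMware; it assumes a PowerCLI version that provides New-VIPermission, an existing Connect-VIServer session, and the placeholder names used below (AD group EXAMPLE\vc-rp-admins, a VM folder and a resource pool both called RP-Finance, and the role name as shown in the VC 2.5 UI, which should be confirmed with Get-VIRole).

```powershell
# Added example, not from the thread: grant one AD group the Virtual Machine
# Administrator role on the matching VM folder and resource pool, and nowhere
# above them. All names below are placeholders.
$principal = 'EXAMPLE\vc-rp-admins'     # placeholder AD group, DOMAIN\name form
$name      = 'RP-Finance'               # folder and pool share the same name, as Texiwill does

# Role name as displayed in the VC 2.5 UI; run Get-VIRole to confirm the exact name
$role = Get-VIRole -Name 'Virtual Machine Administrator'

# The folder lives in Virtual Machines & Templates; -Type VM avoids matching a
# host/cluster folder of the same name.
$vmFolder = Get-Folder -Name $name -Type VM
$pool     = Get-ResourcePool -Name $name

# 1) VM folder: this is where create / power-on privileges are actually evaluated
New-VIPermission -Entity $vmFolder -Principal $principal -Role $role -Propagate:$true

# 2) Resource pool: per the thread, only required when DRS places VMs, because the
#    pool then controls placement; new VMs inherit the permission via propagation
New-VIPermission -Entity $pool -Principal $principal -Role $role -Propagate:$true

# Check: list every permission the group now holds. Only the two entities above
# should appear; anything at the Datacenter or root level was granted elsewhere.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

If the users also need to browse datastores for ISO images (hicksj's case), the Read-Only grant on the Datacenter would be added with `-Propagate:$false` so that it does not leak visibility into sibling folders; the check at the end of the script makes that extra grant visible so it is a deliberate choice rather than an accident.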
hicksj
Virtuoso

I am certain that in VC 2.0 the above was not needed; a Role could be assigned to a Resource Pool and this automatically enabled the Role elsewhere!?!?

While there were a few minor changes between 2.0 & 2.5 permissions, the implementation requirements referenced in this thread were similar between those versions. I don't believe the Cluster RO privilege is necessary; otherwise the users assigned that permission set will see resources they may not need to.
