I've actually starting to have a lot of fun with this whole ESX thing. One snag I'm still hitting though is with permissions. I want to give a specfic user permissions only on his VMs. The docs I'm reading indicate that I can put his VMs in a resource pool (good idea anyway), and then add permissions at the resource pool level.
The problem is that I don't seem to have that option. According to everything I'm reading, I should just be able to right-click the resource pool and select Add permissions, but it's not even in the menu.
The ability to assign permissions to a specific VM was removed from ESX 3.5 so you won't be able to do that with a stand alone ESX host. You would have to deploy VirtualCenter to be able to do that.
Correct, without vc, you can't assign permissions at that level. You'll have to assign at the host level. With VC, you have more flexibility and can assign permissions at other levels.
Why was this removed in 3.5? The ability to assign permissions at a resource pool and virtual machine level without VC was there in ESX 3.0 and 3.2.
What are customers that only have one or a small number of ESX hosts supposed to do? Shell out for Virtual Center just so they can do what they were able to do in 3.2?
If you need this functionality then I suggest you open a support case with your VMware Support Representative. That would be the proper way to get what you need back in. However, you may be able to use the Virtual Machine and Template View and apply the permissions to folders?
Edward L. Haletky
VMware Communities User Moderator
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
Thanks for the suggestion. I'll raise this with VMware.
"you may be able to use the Virtual Machine and Template View and apply the permission to folders"
I'm not sure, but is that also only in Virtual Center? I can't see it in standalone ESX, and as far as I know standard ESX has no concept of templates or folders. Just virtual machines and resource pools.
Under "Assigning Access Permissions" (on page 275):
The objects that can have permissions assigned to them are:
In VirtualCenter – Folders, datacenters, clusters, resource pools, hosts, virtual achines
In ESX Server – Resource pools, the host, virtual machines
So either the function is "broken" in the new version, or the documentation is wrong. (VMware should fix one or the other - I would prefer that the missing function be restored.)
I encountered the same thing in Update 2 and have opened an SR with VMware on the issue. More to come when I hear back from them - probably not until next week.
Apparently they did intentionally remove it, which makes me really mad. I did a search in the KB and returned an article that said that they removed it "by design" and that the feature "may" be restored in some "future" version of the software. That future version really needs to come very quickly.
> I did a search in the KB and returned an article that said that they removed it "by design"
So if you login as root, you can't change the permissions either? I would have to say, this is what MS does, they take features away without first making sure people AREN'T still utilizing them.. So I would agree you should be a little ticked, that features you were using are no longer available..
Only on the host - not on the pools or VMs. Guess they figured they could push VC a little bit better if they rolled back a few of the features that people did use and then push you to VC when you request it. I've also contacted my local reseller and expressed my disgust over the matter to them. I'm a small enough installation (don't spend enough $$ with them to begin with) that I'm not real optimistic that I'm actually going to be heard in halls of VMware on this issue, but I'll push all the buttons I can find to let them know how unhappy I am about this.
Can anyone please double-check if it works with the VI-Client from the VC (maybe with the trial) with direct connection to the ESX?
In my test environment I've the permissions tabs with the VC VI-Client.
Any further information on this? Are VMware actually thinking it will be THIS that tips the scale for buying VC? I'm starting to strafe in the other direction if this is how they do marketing...