VMware Cloud Community
ajdelo
Contributor

Permission/Role question using ESX 3 without Virtual Center.

I seem to be having a problem locking down my Virtual Machines in ESX. I am not using AD integration since I only have 1 ESX 3 server and no Virtual Center with only about 30 users. I am the only VMware administrator and my account has root permissions. Everyone else I assign a user account to should have the ability to view only the Virtual Machines of the projects they are working on.

I have created a role "VM User" which grants VM Interaction, VM State, and Alarm privileges only. I then create different project groups (i.e. project1, project2, ...). I add users to the individual project group and then add that project group to the permissions tab of the individual VM that is a part of that project with the VM Admin role I created. However, my users can see and manage all VMs on that server.

Is this some type of propagation issue or can I not even do this in VMware?

3 Replies
ajdelo
Contributor

I am answering my own question since it was related to propagation.

Diplomat
Contributor

I'd be interested in knowing how you set things up as I'm running into the same problem. Could you post how you set things up and where within the Infrastructure 3 software?

Thanks

ajdelo
Contributor

Sorry it took so long, but I just realized you replied to my message. I'm not sure if you got the issue resolved, but basically what I did is the following:

After following the steps for creating the project groups, user accounts, and VM Admin role, I assigned the project group VMAdmin role for the particular virtual machine I wanted to grant access to. What was happening though is this permission gets granted to the host server and propagates down. All I did was then go to the Permissions tab of the server itself and deselect the "Propagate" tab and then remove the group account from the host permissions tab. The user account still has its permissions on the virtual machines.

Hope this helps.

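The propagation effect discussed in this thread, as a simplified model added here (it is not VMware code and not from the original posters). The host name, VM names and the reduced inheritance rule (one host, child VMs, direct permission wins over an inherited one) are assumptions made for illustration; `overbroad_grants` is the kind of audit check that would flag the host-level entry.

```python
from dataclasses import dataclass

# Constructed inventory: one host and its child VMs (all names hypothetical).
INVENTORY = {"esx01": ["proj1-db", "proj1-web", "proj2-app"]}

@dataclass(frozen=True)
class Permission:
    entity: str      # host or VM the permission is defined on
    principal: str   # group or user
    role: str
    propagate: bool  # True: child objects inherit this permission

def parent_of(entity):
    return next((h for h, vms in INVENTORY.items() if entity in vms), None)

def effective_role(perms, principal, entity):
    """A permission set directly on the object wins; otherwise a propagating
    permission on the parent host applies (simplified inheritance rule)."""
    mine = [p for p in perms if p.principal == principal]
    for p in mine:
        if p.entity == entity:
            return p.role
    parent = parent_of(entity)
    for p in mine:
        if p.entity == parent and p.propagate:
            return p.role
    return None

def visible_vms(perms, principal):
    return [vm for vms in INVENTORY.values() for vm in vms
            if effective_role(perms, principal, vm)]

def overbroad_grants(perms):
    """Propagating host-level grants exposing VMs not assigned directly."""
    findings = []
    for p in perms:
        if p.entity in INVENTORY and p.propagate:
            direct = {q.entity for q in perms if q.principal == p.principal}
            extra = [vm for vm in INVENTORY[p.entity] if vm not in direct]
            if extra:
                findings.append((p.principal, p.entity, extra))
    return findings

# Before: the group holds the role on its VMs and, propagating, on the host.
BEFORE = [Permission("esx01", "project1", "VM User", True),
          Permission("proj1-db", "project1", "VM User", False),
          Permission("proj1-web", "project1", "VM User", False)]
# After: the host-level entry is removed; the per-VM entries stay.
AFTER = [p for p in BEFORE if p.entity != "esx01"]
```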