VMware Cloud Community
Eire09
Enthusiast
Enthusiast
‎05-01-2009 08:23 AM
Jump to solution

Permission's for individual VM's (Best Practice)

Hi,

I've a VM that I want to give a user access to through VI client. However I only want this user to have access to this VM. Is it possible to setup permission's so that when a user logs into VI client the only VM's they see are the ones they've been assigned permissions too?

As always I'd appreciate some help with this guys.

Cheers,

Pedro.

Reply
0 Kudos
1 Solution

Accepted Solutions
sweater
Enthusiast
Enthusiast
‎05-01-2009 08:42 AM
Jump to solution

Is this a vCenter setup or standalone ESX server? Either way, you can set all the other VMs to no access for that user account, then specifically apply read-only, read-write, etc permissions for the single VM that you want them to see. If you're only using ESX authentication, keep in mind that this account is only made on the ESX server itself - one of the benefits of using vCenter and AD authentication is that you can just add that user's AD account to the permissions on the host.

They log into the VI client and will only see that VM - test first with their credentials.

- mike

View solution in original post

Reply
0 Kudos
3 Replies
sweater
Enthusiast
Enthusiast
‎05-01-2009 08:42 AM
Jump to solution

Is this a vCenter setup or standalone ESX server? Either way, you can set all the other VMs to no access for that user account, then specifically apply read-only, read-write, etc permissions for the single VM that you want them to see. If you're only using ESX authentication, keep in mind that this account is only made on the ESX server itself - one of the benefits of using vCenter and AD authentication is that you can just add that user's AD account to the permissions on the host.

They log into the VI client and will only see that VM - test first with their credentials.

- mike

Reply
0 Kudos
Eire09
Enthusiast
Enthusiast
‎05-01-2009 08:44 AM
Jump to solution

Yeah, I'm using vCenter. I've two hosts in a cluster so will go with the AD authentication route as advised.

Thanks for your reply. 10 points coming your way

Reply
0 Kudos
sweater
Enthusiast
Enthusiast
‎05-01-2009 09:18 AM
Jump to solution

Thanks, yo. Smiley Wink

One thing to consider when adding this user to have access to that VM, then: try adding them to an existing role on the ESX server (such as read-only) and pay close attention to what that role can do. For instance, some of the roles jump from basically being able to do nothing to being able to manipulate snapshots - no bueno when that user might not understand what the consequences are for keeping 4 snapshots running for the next 6 months, right? I had to create a role from an existing one to remove that ability, but retain the abilty to revert to a snapshot without being able to create or delete snapshots. Pretty easy. Lots of options

If you need, copy a role and modify it as you see fit, naming it descriptively. Then, either add that specific user to the role or (better yet) add an AD group to that role if you plan on being able to offer this access to additional users. Simply right-click the VM, choose Add Permission... and apply that AD group to the VM, being careful to apply that role to a higher folder/whatever in vCenter. Keep in mind you can apply permissions to entire groups of VMs this way - doubl-check your resulting permissions by checking another VM.

- mike

Reply