VMware Cloud Community
PascalLaroche
Contributor

Restrict access to resources

Hi,

We are setting up vcops 5.0.2 to monitor our infrastructure. For some users, we want to give them the same access that they already have in their vSphere client. We do not want them to see the whole tree of our infrastructure. For example, user1 sees only Cluster1 in his vSphere Client, and we want him to see only things related to Cluster1 in vcops.

We are wondering if it's something that we can do?

Does anybody know?

Thanks for your help.

8 Replies
Alexander_Dimi1
Hot Shot

Hi,

Are you referring to the vcops-vsphere UI or the vcops-custom UI?

For the vcops-vsphere UI you should be able to see only the objects you have at least read permissions (set up in the VI Client) for.

PascalLaroche
Contributor

Hi Alexander,

Thanks for your answer.

I am referring to the vcops-vsphere UI.

I know I am supposed to see only what I have read access to in vSphere. I did some testing and it won't work. I will do more testing and come back with the results here.

Thanks again for your help.

PascalLaroche
Contributor

Hi all,

Sorry for the delay. I did more testing on this issue and found out how to give access to specific resources.

Here are a few more details on my lab environment:

I have 3 clusters:

Cluster1

Cluster2

Cluster3

On each cluster I have 2 ESXi hosts.

My vcops config:

An admin user for the registration user and a read-only user for the Collector user. The collector user has read-only at the top of the tree (the vCenter itself).

Now I want 3 users to be able to access only their respective cluster on the vcops-vsphere UI. So I create 3 users and give them the vcops user role on their cluster.

User1 has vcops user access to Cluster1

User2 has vcops user access to Cluster2

User3 has vcops user access to Cluster3

When I try to log in with those users, I get this error message: User not authorized.

So I give the vcops user access role to my 3 users at the top of the tree (vCenter) and do not propagate the permission. My users can now log in and see their specific cluster.

I did not do a lot of testing on what they can see, but it looks good.

Is it a good way of doing it?

ServiceOptimi
Hot Shot

Can views be restricted in custom ui on enterprise vapp5?

FGShepherdP10
Enthusiast

I'm not sure if this will answer your specific question, but I can tell you what our experience with Permissions/Roles was like.

We wanted to give more granular access to certain clusters to various groups/teams, but found that No One could log into vCenter Ops when we tried that.

We then created a simple "vCenter Ops - User" Role with only the "vCenter Ops - User" permission, and applied it at the Root of our vCenter.  At that point, anyone who was added to that group was able to see vCenter Ops data.  Of course, that was across our entire environment.  To mask specific clusters, I suppose you could apply a "No Access" role to the objects you want to hide..?

The bottom line of what I'm trying to say is that it seems, from my experience, that you have to Allow Access globally at the Root of vCenter before any restrictions can be applied at the layers below.

ServiceOptimi
Hot Shot

Sounds like the custom UI doesn't have any better granular permissioning than the vSphere UI. That's too bad, because I understood it had granular permissions. My goal is to restrict access to adapters by user groups. Thanks for the reply.

PascalLaroche
Contributor

@FGShepherdP10,

First of all, thanks for your answer!

From my experience, we do not need to apply a no access permission; we just have to not propagate the role at the vCenter level, and the user will not have access to other resources.

The thing we would love to avoid is giving them access at the vCenter level. When we give them access at this level, we can see everything related to the vCenter. And if you dig a bit, you can find a lot of information.

We will do some testing with the custom-ui and I will share my results here!

Thanks everyone for helping!

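Added example (not posted by anyone in this thread, and not vCenter Operations code): a small Python model of vSphere permission inheritance, run over the three-cluster lab described above, comparing a cluster-only grant, a non-propagating root grant and a propagating root grant. The host names and the rule that login needs a role on the vCenter root are assumptions, the latter taken from the behaviour reported in the posts.

```python
# Constructed inventory mirroring the lab in the thread (host names are made up).
PARENT = {"vCenter": None}
for n in (1, 2, 3):
    PARENT[f"Cluster{n}"] = "vCenter"
    PARENT[f"esx{n}a"] = PARENT[f"esx{n}b"] = f"Cluster{n}"

def grants(propagate_root, root_role=True):
    """Permission rows (entity, principal, role, propagate) for User1..User3."""
    rows = []
    for n in (1, 2, 3):
        if root_role:
            rows.append(("vCenter", f"User{n}", "vcops user", propagate_root))
        rows.append((f"Cluster{n}", f"User{n}", "vcops user", True))
    return rows

def effective_role(user, entity, perms):
    """A permission set directly on the entity wins; otherwise the nearest
    ancestor permission that is set to propagate applies."""
    node, direct = entity, True
    while node is not None:
        for ent, principal, role, propagate in perms:
            if ent == node and principal == user and (direct or propagate):
                return role
        node, direct = PARENT[node], False
    return None

def visible(user, perms):
    """Inventory objects on which the user holds any effective role."""
    return sorted(e for e in PARENT if effective_role(user, e, perms))

def can_log_in(user, perms):
    # Assumption taken from the thread: login needs a role on the vCenter root.
    return effective_role(user, "vCenter", perms) is not None

def overbroad(perms):
    """Audit check: principals whose root permission propagates to everything."""
    return sorted({p for ent, p, _, prop in perms if ent == "vCenter" and prop})

if __name__ == "__main__":
    cases = [("cluster only", grants(False, root_role=False)),
             ("root, no propagate", grants(False)),
             ("root, propagate", grants(True))]
    for label, perms in cases:
        print(label, can_log_in("User1", perms), visible("User1", perms), overbroad(perms))
```

In the non-propagating case the vCenter object itself still appears in the user's visible set, which matches the concern raised above about what can be seen at the vCenter level.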
FGShepherdP10
Enthusiast

That makes a lot of sense.  If you have some success with dialing this in, please re-post...Maybe VMware will use the info to bake it into the next version!
