vCenter NoAccess not affecting PowerCLI

Marco_2_G · ‎09-14-2017

Hello everyone

I am having a serious issue. We are running a dedicated vSphere environment for a customer. We have created a management resource pool for our vms (SRM, vCenter, PSC and so on) and put the datastores and network into folders on which we set NoAccess to the customers admin and backup groups.

In webclient that works well.

However, the client noticed he is able to backup our vms as well. Upon further inspection, I learned that I can use a restricted user to normally browse our management datastore and list the vms in it.

I seem to be missing some fundamental knowledge here. Do I have to edit an independent set of permissions for PowerCLI?

Regards and thanks,

MArco

LucD · ‎09-14-2017

No, PowerCLI has no permissions, it purely relies on the ones set on the vCenter.

Did you already try setting the NoAccess on the root folder?

You can get that with

$rootFolder = Get-Folder -Name Datacenters

Also note that there are 4 types of folders (Host & Cluster, VM & Template, Storage, Network).
You will have to set permissions on all 4 of these.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

All

vCenter NoAccess not affecting PowerCLI