KWKirchner
Enthusiast

VMRC Permissions Voodoo - Limiting Console Access Based on AD Group and VM Folder


We are permitting administrators access to the console of their VMs using VMRC. Our Unix admins get access to their VMs, and Windows admins likewise, but they should not have the ability to access each other's consoles.

We have set up a "VMRC Console" role and have permitted only "Virtual machine/Interaction/Console Interaction" for this role. When we apply this role to the AD user group for Unix admins (for example) on the ESXi host objects, they are not able to connect unless we set the propagate option. When we do that, they now have access to ALL consoles, not just theirs. As soon as we uncheck the propagate, they can only see their VMs again, but cannot access the consoles.

What is the secret sauce here to limit them to their own consoles? I can see why this is happening, but I was hoping the VM Folder permissions would have limited their access. Apparently the Host permissions are overriding the VM Folder permissions (and that's not surprising, really).


Accepted Solutions
CQuartetti
Hot Shot

There is currently no provision to limit access to a single console as you desire. Work is in progress to address this in a future release with changes to vSphere/ESXi/etc. and VMRC.

2 Replies
Goatie
Enthusiast

We've had the same problem. The only way I've found around it is:

Create two roles:

Host Access > Don't tick any permissions, this is read only > Assign to AD Security group: VM_HostAccess > Assign this to the Host Cluster object

VM - Console Only > Tick the console access role permissions > Assign to AD Security groups for each VM > Assign this to each VM or VM Folder

Either make each user a member of the VM_HostAccess security group or make each of the per-VM security groups a member of that group.

That grants the client the ability to connect to the Host, but not see anyone's VMs until they are a member of the second group.

Hope that makes sense!

Cheers

Steve

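The two-role workaround above, written out as a PowerCLI script. This is an added example, not code from the thread or from VMware; it assumes an existing Connect-VIServer session, and the domain name (CORP), the group names (VM_HostAccess, VM_UnixAdmins, VM_WindowsAdmins), the cluster name (Prod-Cluster) and the VM folder names (Unix, Windows) are placeholders you would replace with your own. The privilege ID VirtualMachine.Interact.ConsoleInteract is the one behind "Virtual machine > Interaction > Console interaction".

```powershell
# Added example (not from the original thread): the "Host Access" + "VM - Console Only"
# pattern as a PowerCLI script. All names below are assumptions for illustration.
param(
    [string]$Domain      = 'CORP',          # assumption: AD domain NetBIOS name
    [string]$HostGroup   = 'VM_HostAccess', # assumption: group every console user belongs to
    [string]$ClusterName = 'Prod-Cluster',  # assumption: the host cluster object
    [hashtable]$FolderGroups = @{           # assumption: VM folder -> AD group allowed its consoles
        'Unix'    = 'VM_UnixAdmins'
        'Windows' = 'VM_WindowsAdmins'
    }
)

# Role 1: nothing ticked. A role with no explicit privileges still carries the
# implicit System.Anonymous / System.View / System.Read, which is enough to reach
# the host through VMRC without exposing any console. Propagate from the cluster
# so it lands on every host in it.
$hostRole = Get-VIRole -Name 'Host Access' -ErrorAction SilentlyContinue
if (-not $hostRole) { $hostRole = New-VIRole -Name 'Host Access' }

$cluster = Get-Cluster -Name $ClusterName
New-VIPermission -Entity $cluster -Principal "$Domain\$HostGroup" `
    -Role $hostRole -Propagate $true | Out-Null

# Role 2: console interaction only.
$consolePriv = Get-VIPrivilege -Id 'VirtualMachine.Interact.ConsoleInteract'
$consoleRole = Get-VIRole -Name 'VM - Console Only' -ErrorAction SilentlyContinue
if (-not $consoleRole) {
    $consoleRole = New-VIRole -Name 'VM - Console Only' -Privilege $consolePriv
}

# Assign the console role per VM folder and propagate to the VMs inside it.
# Because the host-level role grants no VM privileges, a user only sees and
# opens consoles under folders where their group holds this second role.
foreach ($folderName in $FolderGroups.Keys) {
    $folder = Get-Folder -Name $folderName -Type VM
    New-VIPermission -Entity $folder -Principal "$Domain\$($FolderGroups[$folderName])" `
        -Role $consoleRole -Propagate $true | Out-Null
}

# Check: confirm no console-role assignment exists above folder level, and list
# which principal holds it on which folder.
Get-VIPermission -Entity $cluster |
    Where-Object { $_.Role -eq $consoleRole.Name } |
    ForEach-Object { Write-Warning "Console role found on cluster for $($_.Principal)" }

foreach ($folderName in $FolderGroups.Keys) {
    Get-VIPermission -Entity (Get-Folder -Name $folderName -Type VM) |
        Where-Object { $_.Role -eq $consoleRole.Name } |
        Select-Object Entity, Principal, Role, Propagate
}
```

The final loop is the check worth keeping around: if the console role ever appears on the cluster or host objects with Propagate set, every group listed there gets every console, which is exactly the situation described in the question.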