We would like to assign permissions for group (useres ar in vsphere.local domain) to allow members of this group to create, import (from ovf or from content library) and modify VMs only in specified:
- cluster or resource pool (hosts and cluster view),
- folder (VMs and templates view),
- datastore (Datastore View),
and assign only specified networks to VM's created by those users.
Those users must not see vms, hosts, clusters, datastores, networks, etc. other than they are allowed to.
They must not see VMs created by users uside this group and they must not see resources other than they are allowed to use.
Assiging permissions should be done not at the SSO level, but on vCenter or lower levels.
How can we achieve that?
Specifically the part about them not seeing VMs created by other users, do you mean in the same folder as the VMs they create themselves?
If so, I don't think you can do that natively.
The rest should be achievable I think - just be granular on the objects you do want them to have access to: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-4D0F8E63-2961-4B7...
@scott28ttthanks for reply.
I meant they should not be able to see hosts and VMs in "Hosts and Clusters" view.
Partially I can achieve this by creating resource pool for them, bu that is just no very good workaround.
So you'll need a combination of some of the tasks in that previous link I posted (eg. create a VM, power on a VM, install a guest OS), and just be very specific on which highest-level objects you assign the various permissions.
I would definitely suggest having a test user account, it may take a bit of trial and error to get it working exactly how you want.