VMware Cloud Community
tomsmig
Contributor

Assigning permissions

We would like to assign permissions for a group (users are in the vsphere.local domain) to allow members of this group to create, import (from OVF or from content library) and modify VMs only in specified:
- cluster or resource pool (hosts and cluster view),
- folder (VMs and templates view),
- datastore (Datastore View),
and assign only specified networks to VMs created by those users.

Those users must not see VMs, hosts, clusters, datastores, networks, etc. other than they are allowed to.
They must not see VMs created by users outside this group and they must not see resources other than they are allowed to use.
Assigning permissions should be done not at the SSO level, but on vCenter or lower levels.
How can we achieve that?

0 Kudos
4 Replies
scott28tt
VMware Employee

Specifically the part about them not seeing VMs created by other users, do you mean in the same folder as the VMs they create themselves?

If so, I don't think you can do that natively.

The rest should be achievable I think - just be granular on the objects you do want them to have access to: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-4D0F8E63-2961-4B7...

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
0 Kudos
tomsmig
Contributor

@scott28tt thanks for reply.

I meant they should not be able to see hosts and VMs in "Hosts and Clusters" view.
Partially I can achieve this by creating a resource pool for them, but that is just not a very good workaround.

--
Best regards,
Tom
0 Kudos
scott28tt
VMware Employee

So you'll need a combination of some of the tasks in that previous link I posted (eg. create a VM, power on a VM, install a guest OS), and just be very specific on which highest-level objects you assign the various permissions.

I would definitely suggest having a test user account, it may take a bit of trial and error to get it working exactly how you want.
0 Kudos
tomsmig
Contributor

That is right. I'll go ahead with expanded privileges and do some tests on a dummy user account.

Thanks.
0 Kudos
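
One way to script the per-object assignment suggested in the replies, as an added PowerCLI example that is not code from the thread's participants. The group, role and object names are placeholders, the privilege lists are a starting point to refine with a test account, and the network is assumed to be a distributed port group.

```powershell
# Added example. Requires VMware PowerCLI and an existing session:
#   Connect-VIServer -Server <your-vcenter>
# All names below are hypothetical placeholders.
$group = 'VSPHERE.LOCAL\vm-builders'

# One narrow role per object type, holding only the privileges vCenter
# checks on that type when a VM is created, imported or modified.
$privs = @{
    Folder    = @(
        'VirtualMachine.Inventory.Create'
        'VirtualMachine.Inventory.Delete'
        'VirtualMachine.Config.AddNewDisk'
        'VirtualMachine.Interact.PowerOn'
        'VirtualMachine.Interact.PowerOff'
        'VApp.Import'
    )
    Pool      = @('Resource.AssignVMToPool', 'VApp.Import')
    Datastore = @('Datastore.AllocateSpace')
    Network   = @('Network.Assign')
}

# The only inventory objects the group is granted anything on.
# Objects without a permission are not listed for the user.
$targets = @{
    Folder    = Get-Folder -Name 'TeamA-VMs' -Type VM
    Pool      = Get-ResourcePool -Name 'TeamA-Pool'
    Datastore = Get-Datastore -Name 'TeamA-DS01'
    Network   = Get-VDPortgroup -Name 'TeamA-PG'   # assumes a distributed port group
}

foreach ($kind in $privs.Keys) {
    $roleName = "TeamA-$kind"
    # Reuse the role on re-runs instead of failing on a duplicate name.
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $privs[$kind])
    }
    # Permission is set on the object itself, not at the vCenter root,
    # and propagates only to children of that object.
    New-VIPermission -Entity $targets[$kind] -Principal $group -Role $role -Propagate $true
}

# Review what the group ended up with before handing it to real users.
Get-VIPermission -Principal $group | Select-Object Entity, Role, Propagate
```

Log in as the test account afterwards and confirm in each inventory view that only the intended objects are listed.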