VMware Cloud Community
Dr_Virt
Hot Shot
Hot Shot
‎10-05-2020 07:35 AM
Jump to solution

Content Library Configuration

Has anyone figured out how to give a vCenter consumer access to the Content Libraries without full vCenter privileges?

We have use cases were consumers can login to vCenter and only see their Resource Pools, Folders, Templates, Networks, Storage. But, to allow them to consume the Content Library for vAPPs, ISOs, etc. seems to only be possible if we make the entire vCenter inventory visible.

Have tried to implement only Content Library permissions in a specific global role, but this for some reason makes all of the vCenter inventory visible.

1 Solution

Accepted Solutions
Dr_Virt
Hot Shot
Hot Shot
‎10-06-2020 05:28 AM
Jump to solution

Okay, finally got it all to work.

1) Create role with permissions to read and add to the content library.

2) Apply to Global with apply to chlidren option for AD user group.

3) Create role with permissions to deploy and manage virtual machines.

4) Apply No Access role with apply to children to each vCenter for AD user group.

5) Apply manage virtual machines role to specific resources (resource pool, folder, network, vsan, etc.)

Now when users are added to group in AD, they can login to vCenter and only see their resource pool, folders, networks, etc. while still being able to use the Content Library for approved ISOs and templates.

View solution in original post

4 Replies
Lalegre
Virtuoso
Virtuoso
‎10-05-2020 11:04 PM
Jump to solution

Hey Dr.Virt

You need to apply the permissions over the Library object. Of course if you want the users to also create libraries and delete them, then you will need to give permissions onto the vCenter level: Content Library Privileges

0 Kudos
joeflint
Enthusiast
Enthusiast
‎10-06-2020 01:08 AM
Jump to solution

Hi, you need to create a 'separate' role for Content Libray and apply as a 'GLOBAL' permission.

Items such as TAGs and Content Library are global permission.

In summary have one role for Content Library and another for as per your requirement.

I did same and it works

0 Kudos
nachogonzalez
Commander
Commander
‎10-06-2020 05:11 AM
Jump to solution

Hey, hope you are doing fine, maybe this graph will clarify ow permissions are assigned on content libraries, it helped me a lot:

pastedImage_3.png

Source: Hierarchical Inheritance of Permissions for Content Libraries  

Blog Nachogonzalez.com.ar Twitter @nachogon_
0 Kudos
Dr_Virt
Hot Shot
Hot Shot
‎10-06-2020 05:28 AM
Jump to solution

Okay, finally got it all to work.

1) Create role with permissions to read and add to the content library.

2) Apply to Global with apply to chlidren option for AD user group.

3) Create role with permissions to deploy and manage virtual machines.

4) Apply No Access role with apply to children to each vCenter for AD user group.

5) Apply manage virtual machines role to specific resources (resource pool, folder, network, vsan, etc.)

Now when users are added to group in AD, they can login to vCenter and only see their resource pool, folders, networks, etc. while still being able to use the Content Library for approved ISOs and templates.