NickKeene
Contributor
Contributor

VCenter permission propogation to new datastores

Good day all,

I would like to open this question by stating that I am by no means an expert (or even very good) on VCenter or VSphere and am entirely self taught so I may be using terms incorrectly or misunderstand answers and I would like to ask for forgiveness up front.

On to my question.

Background:

I have been tasked with coming up with a solution for the following. A client is wanting to use a shared Center cluster as a DR site, they do not own or manage the Center cluster and I do not work for the company that owns or manages the cluster. There are other (non-related) customers VMs running on the cluster as well.

The software used (Acronis Cyber Backup - VMware virtual appliance) allows the customer to run a VM from a backup archive and it works well. Normally, the customer would own the VMware infrastructure or have complete access and control over it so permissions propagation is not an issue. However as this is a shared environment we cannot have access non-related systems.

To resolve this we have created a Resource Pool and a unique user (Backup User) with the permissions over the Resource Pool and the datastores and vNICs required applied to the agent (worker), and it allows  permissions inheritance to its children. This works perfectly for a normal restore however, using instant restore fails. This is because the instant restore feature, creates and mounts a temporary NFS datastore to the host/cluster and because the agent permissions are limited to the Resource Pool the new (temporary) datastore does not inherit the permissions.

Question:

My question is, is there any way I can set permissions for my Backup User to be granted permissions to this new datastore automatically? 

I would greatly appreciate any assistance and guidance. I will answer any questions as best I can.

Thank you for your help.

Nick

0 Kudos
6 Replies
scott28tt
VMware Employee
VMware Employee

You'll need to understand whereabout in your Datastores inventory view the "temporary NFS datastore" appears, and grant some permissions on the parent object of the datastore:

vSphere Managed Inventory Objects

Datastore Privileges

A general comment: Resource Pools are NOT just folders - they also impact compute resource sharing and scheduling:

Managing Resource Pools

0 Kudos
NickKeene
Contributor
Contributor

Thank you Scott,

The temporary datastore appears in the root of the datastore view. Directly under "Datacenter". I am not sure if I can grant permissions to all datastores at the "Datacenter" level while also not giving permissions to all the VMs as well? I will go through the section of the docs you shared.

Also thank you for the information on the Resource Pool, I am not fully aware of the impacts and will research, my understanding is that limiting the resources is preferable so it may be perfect. We are not recovering from one VMware infrastructure to another, this is DR for physical hosts hosted on the customers sites.

0 Kudos
scott28tt
VMware Employee
VMware Employee

So you'll need to assign some of the datastore-specific privileges at the Datacenter level.

Does the vendor not have any documentation that tells you the privileges and permissions needed?

0 Kudos
NickKeene
Contributor
Contributor

Thank you for all your effort and assistance Scott, I appreciate it.

I have read that article and created a user with the specific permissions. My confusion comes in here: I need to limit that user's permissions to specific VMs and any new VMs that are created using the Acronis virtual agent.

Currently, if I restore a VM using my specific backup user attached to my Acronis virtual appliance the new VMs do not inherit that user as a permitted user. I have set this users permissions to not propagate to the children as I do not want all VMs to be accessible.

So I basically need a user that can do the following:

  1. Access only certain VMs - this I can do by apply permissions directly to the VM
  2. Allow this user to create virtual machines and have that new VM inherit permissions of that user without allowing that user permission over all VMs.
  3. Access all datastores - can do this by applying permissions to existing datastores directly
  4. Have permissions automatically apply to newly created datastores - This I do not know how to do - if its even possible.

Essentially, I need permission propagation to apply to specific portions (like datastores) and not all VMs and Networks.

Is this idea possible? I will double check my permissions as its more likely than not that I have messed something up.

Thank you again.

0 Kudos
scott28tt
VMware Employee
VMware Employee

As you'll see in the references I posted earlier, there are specific privileges associated with different types of objects and those objects live in different hierarchies underneath a Datacenter represented by the inventory views.

This gives you a great example: (taken from Required Privileges for Common Tasks)

Screenshot 2020-06-11 at 15.33.44.png

That combination of privileges is just to create a VM, there would be different privileges for powering on a VM, for migrating a VM, and so on...

I've dealt with item 4 in this thread already - you now know the parent object of your temporary NFS datastore, the same principle would apply to any other datastores.

Be careful with item 2 - VMs inherit permissions of their parent objects (datacenter, cluster, host, resource pool, folder)

0 Kudos