I need to provide access to a couple of VMs in our vSphere environment to a user via VMware Workstation 9.0.2, but I'm experiencing issues doing so.
There are 3 VMs in a folder under VMs and Templates that this user needs basic access to (start, stop, console). I first tried assigning the Virtual machine user (sample) role to the user on the folder that contains these VMs (with Propagate), but when trying to access any of them from Workstation as this user, I receive the error Permission to perform this operation was denied. I even tried assigning the Administrator role for this user to this folder and received the same error.
I then assigned the Virtual machine user (sample) and then later the Administrator role directly to the VMs, but when attempting to connect through Workstation I get this error with either role (I've attached the log file it references):
After clicking OK, Workstation crashes and I then get this error:
The only way I've successfully been able to get this user access is by adding the user to the vCenter Server local Administrators group, but after doing this, the user has full access to all VMs. I should also mention that I'm able to access the VM with the basic functions assigned through vSphere web client without issue with the above permissions assigned as this user.
Does anyone know what's required to provide the limited access via Workstation I'm looking for?
Thanks!
Hi,
If I read your post correctly, you have a vCenter Server, right? If so, why are you not creating a Rule in vCenter and assigning the needed permissions to that group?
After that, you could map an AD Group or User to that Rule and add it to the VMs that you want to share.
Frank
Hi..
Tell me if i understood correctly, u have a user (X) who wants to (Power On/OFF, Console) permissions on some VMs.
u assigned VM user role to X on these VMs and when he tries to access these VMs using workstation 9 it refuses giving this log right..?!?!
Can you take a look at this post if it can help...
http://communities.vmware.com/thread/425245?start=0&tstart=0
Else I found this KB that states it's under investigation issue..
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=204332...
Waiting for further comments...
Maybe I understand your question wrong. But tell me, why do you want to use the Workstation? Use the web client if you have a running vCenter on which the VMs are running.
Frank
On 19.07.2013 at 15:32, ShadyMalatawey <communities-emailer@vmware.com> wrote:
What permissions are required for VMware Workstation access?
created by ShadyMalatawey in VMware vCenter™ (http://communities.vmware.com/message/2266491#2266491)
JimKnopf99 wrote:
Hi,
If I read your post correctly, you have a vCenter Server, right? If so, why are you not creating a Rule in vCenter and assigning the needed permissions to that group?
After that, you could map an AD Group or User to that Rule and add it to the VMs that you want to share.
Frank
Sorry, I guess I overcomplicated my explanation because these steps are exactly what I did with the only difference being I mapped to an AD user and not an AD group.
ShadyMalatawey wrote:
Hi..
Tell me if i understood correctly, u have a user (X) who wants to (Power On/OFF, Console) permissions on some VMs.
u assigned VM user role to X on these VMs and when he tries to access these VMs using workstation 9 it refuses giving this log right..?!?!
Exactly, with user X being an AD account.
ShadyMalatawey wrote:
Can you take a look at this post if it can help...
http://communities.vmware.com/thread/425245?start=0&tstart=0
Else I found this KB that states it's under investigation issue..
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=204332...
Waiting for further comments...
If I read that thread right, the last post is saying he granted read permissions to the top level data center then for every single VM the user shouldn't have access to, explicitly set "no permission access"? I'm really hoping there's an alternative as there are only 3 of nearly 70 VMs on the datacenter this user needs access to and that would be extremely tedious, not to mention having to remember to add that to every new VM manually as they are created.
As for the KB, I did see that, but honestly don't understand what it means when it says "add the user account configured in vSphere to the host machine running Workstation". The user in question here is an AD user account and is the account the user is logged into the host machine running Workstation. What more would be needed?
JimKnopf99 wrote:
Maybe I understand your question wrong. But tell me, why do you want to use the Workstation? Use the web client if you have a running vCenter on which the VMs are running.
Frank
I realize this is an option, and in case it wasn't obvious in my original post, this does in fact work - with both the web client and normal vSphere client. Unfortunately even with limiting access to the few VMs the users should have access to, the vSphere clients are more complex (for these novice users at least) and require several additional steps to get to the console and manage snapshots when compared to Workstation. Also, these users have been using Workstation for some time and already have it installed so I was really hoping to leverage what they're already used to.
On an unrelated note, is it possible to do multi-quotes in a single reply? If so, sorry for the multiple replies!
For the KB.. It states that it's an issue to do any operation to VMs in a Workstation with a user assigned using vsphere client..
I find that nearly it's ur case..ur X user is a AD user with permissions set using vsphere client on ur datacenter..
and u want to use it on Workstation..
What about if you tried to create a user role using workstation itself (I didn't try it before)..??
ShadyMalatawey wrote:
For the KB.. It states that it's an issue to do any operation to VMs in a Workstation with a user assigned using vsphere client..
I find that nearly it's ur case..ur X user is a AD user with permissions set using vsphere client on ur datacenter..
and u want to use it on Workstation..
What about if you tried to create a user role using workstation itself (I didn't try it before)..??
Not sure I follow you. What do you mean by "create a user role using workstation itself"?
I'm trying to search now if u can make users roles using workstation itself.. similar to vsphere client but on Workstation
check this if it can help..
Page 189, 190
http://www.vmware.com/pdf/desktop/ws90-using.pdf
ShadyMalatawey wrote:
check this if it can help..
Page 189, 190
So, following this document, I connected to vSphere from VMware Workstation on the host I'm testing with. I created a new role through it (cloned Virtual machine user (sample) role) and then selected a VM > Manage > Permissions, added the domain user and assigned the new role. After clicking okay I received an additional prompt that had me hopeful!
I hit Assign Permissions, logged out and logged in via Workstation as that user... I saw the one VM I provided access to, but as soon as I clicked on it, I unfortunately received the following error similar to above (attached the log file it references):
Shoot.
I should also note that I logged into vSphere client and I see no additional permissions on the host for this user, so I'm wondering if Workstation has actually made any changes at all.
Any other suggestions here?
in the log file I found this:
C:\Users\tim.graffam\AppData\Roaming\VMware\config.ini": The system cannot find the file specified
can u check on this post:
http://communities.vmware.com/thread/393269?start=0&tstart=0
else, try to follow this long KB
I hope it works
I'm asking u a favour if it worked.. some points from helpful answers or correct answers mark
Figured it out!
First, for each VM you want to grant access to, add the user/group with the assigned role you want to grant them. The additional step required for access from Workstation is, for each Host the VMs you granted access to are on, you must also add the user/group and assign the Read-only role making sure to uncheck Propagate to child objects.
So this is similar to the thread referenced earlier, but saves from having to explicitly revoke access to every other VM on the host. So now, when I connect as the user I was testing with, I can connect to vCenter via Workstation, only see the VMs I've applied the custom roles to and, most importantly, can connect to them without issue!
It also seems as though even though Workstation prompts to assign the necessary Read-only permission to the host it actually doesn't do a thing.
Thanks a bunch for all the help everyone.... especially ShadyMalatawey. If I wouldn't have seen that prompt in Workstation to apply the permission it would have taken a lot longer to figure out.
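The permission layout from the post above, scripted with VMware PowerCLI as an added example (not code from the thread). The server name, account and folder name are placeholders, and the role names VirtualMachineUser and ReadOnly are assumed to be the PowerCLI names of the "Virtual machine user (sample)" and "Read-only" roles; Get-VIRole lists the actual names.

```powershell
# Added example: least-privilege grant for Workstation access via vCenter.
# Placeholders (not from the thread): server, principal, folder name.
$vCenter   = 'vcenter.example.local'
$principal = 'EXAMPLE\workstation-user'
$folder    = 'Workstation-VMs'

Connect-VIServer -Server $vCenter | Out-Null

# Assumed role names; confirm with: Get-VIRole | Select-Object Name
$vmRole   = Get-VIRole -Name 'VirtualMachineUser'
$hostRole = Get-VIRole -Name 'ReadOnly'

$vms = Get-VM -Location (Get-Folder -Name $folder -Type VM)

# Step 1: the working role on each VM the user should reach, nothing broader.
foreach ($vm in $vms) {
    New-VIPermission -Entity $vm -Principal $principal `
        -Role $vmRole -Propagate:$false | Out-Null
}

# Step 2: Read-only on each host currently running those VMs, with
# propagation OFF so the grant does not flow down to the host's other VMs.
$vmHosts = $vms | ForEach-Object { $_.VMHost } | Sort-Object -Property Id -Unique
foreach ($vmHost in $vmHosts) {
    New-VIPermission -Entity $vmHost -Principal $principal `
        -Role $hostRole -Propagate:$false | Out-Null
}

# Step 3: audit what the principal now holds. Flag anything that is not one
# of the intended VM/host entries, and any entry that propagates.
$expectedIds = @($vms.Id) + @($vmHosts.Id)
$findings = Get-VIPermission -Principal $principal | ForEach-Object {
    [pscustomobject]@{
        Entity     = $_.Entity.Name
        Role       = $_.Role
        Propagate  = $_.Propagate
        Unexpected = ($expectedIds -notcontains $_.EntityId) -or $_.Propagate
    }
}
$findings | Format-Table -AutoSize

if ($findings | Where-Object Unexpected) {
    Write-Warning "Principal $principal holds permissions beyond the intended set."
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Because the host entry is per host, a VM that later runs on a different host would, by the post's description, need the same Read-only entry added there; rerunning the audit step after such a move shows whether it is present.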
Congratulations buddy
I wish I was a nice hand and thx for points
Just one last thing: What u did is that u assigned that test user the permissions u want on every VM u want and read permission to the HOST itself without (Propagate to child) using workstation itself, right..???!
ShadyMalatawey wrote:
Congratulations buddy
I wish I was a nice hand and thx for points
Just one last thing: What u did is that u assigned that test user the permissions u want on every VM u want and read permission to the HOST itself without (Propagate to child) using workstation itself, right..???!
Exactly. I'll update my last post to be a bit clearer on that.