VMware Cloud Community
timofcourse
Enthusiast
Enthusiast
‎07-17-2013 05:31 AM
Jump to solution

What permissions are required for VMware Workstation access?

I need to provide access to a couple VMs in our vSphere environment to a user via VMware Workstation 9.0.2, but experiencing issues doing so.

There are 3 VMs in a folder under VMs and Templates that this user needs basic access to (start, stop, console). I first tried assigning the Virtual machine user (sample) role to the user on the folder that contains these VMs (with Propagate), but when trying to access any of them from Workstation as this user, I receive the error Permission to perform this operation was denied. I even tried assigning the Administrator role for this user to this folder and received the same error.

I then assigned the Virtual machine user (sample) and then later the Administrator role directly to the VMs, but when attempting to connect through Workstation I get this error with either role (I've attached the log file it references):

VMware error 1.PNG

After clicking OK, Workstation crashes and I then get this error:

VMware error 2.PNG

The only way I've successfully been able to get this user access is by adding the user to the vCenter Server local Administrators group, but after doing this, the user has full access to all VMs. I should also mention that Im able to access the VM with the basic functions assigned through vSphere web client without issue with the above permissions assigned as this user.

Does anyone know whats required to provide the limited access via Workstation I'm looking for?

Thanks!

vmware-ui-1924.log
1 Solution

Accepted Solutions
timofcourse
Enthusiast
Enthusiast
‎07-23-2013 07:00 AM
Jump to solution

Figured it out!


First, for each VM you want to grant access to, add the user/group with the assigned role you want to grant them. The additional step required for access from Workstation is, for each Host the VMs you granted access to are on, you must also add the user/group and assign the Read-only role making sure to uncheck Propagate to child objects.

So this is similar to the thread referenced earlier, but saves from having to explicitly revoke access to every other VM on the host. So now, when I connect as the user I was testing with, I can connect to vCenter via Workstation, only see the VMs Ive applied the custom roles to and, most importantly, can connect to them without issue!


It also seems as though even though Workstation prompts to assign the necessary Read-only permission to the host it actually doesn't do a thing.

Thanks a bunch for all the help everyone.... especially ShadyMalatawey. If I wouldn't have seen that prompt in Workstation to apply the permission it would have taken a lot longer to figure out.

View solution in original post

16 Replies
JimKnopf99
Commander
Commander
‎07-19-2013 04:20 AM
Jump to solution

Hi,

if i read your post correct, you have a vCenter Server right? If so, why are you not creating a Rule in vCenter and assign the needed permissions to that group.

After that, you could map a AD Group or User to that Rule and add it to the VM´s that you wan´t to share.

Frank

If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
ShadyMalatawey
Enthusiast
Enthusiast
‎07-19-2013 06:31 AM
Jump to solution

Hi..

Tell me if i understood correctly, u have a user (X) who wants to (Power On/OFF, Console) permissions on some VMs.
u assigned VM user role to X on these VMs and when he tries to access these VMs using workstation 9 it refuses giving this log right..?!?!

Sincerely, Shady Ali El-Malatawey MCITP: Virtualization Administration 2008 VCP5-DCV/DT --- VCAP5-DCA/DCD @ShadyMalatawey https://virtualpharaohs.com
0 Kudos
ShadyMalatawey
Enthusiast
Enthusiast
‎07-19-2013 06:37 AM
Jump to solution

Can you take a look at this post if it can help...

http://communities.vmware.com/thread/425245?start=0&tstart=0


Else I found this KB that states it's under investigation issue..

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=204332...

Waiting for further comments...

Sincerely, Shady Ali El-Malatawey MCITP: Virtualization Administration 2008 VCP5-DCV/DT --- VCAP5-DCA/DCD @ShadyMalatawey https://virtualpharaohs.com
JimKnopf99
Commander
Commander
‎07-19-2013 06:43 AM
Jump to solution

Mabe I understand your question wrong. But tell me why do you want to use the workstation. Use the web client is you have a running vcenter on which the vm's are running.

Frank

Am 19.07.2013 um 15:32 schrieb ShadyMalatawey <communities-emailer@vmware.com<mailto:communities-emailer@vmware.com>>:

VMware Communities<http://communities.vmware.com/index.jspa>

What permissions are required for VMware Workstation access?

created by ShadyMalatawey<http://communities.vmware.com/people/ShadyMalatawey> in VMware vCenter™ - View the full discussion<http://communities.vmware.com/message/2266491#2266491>

If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
timofcourse
Enthusiast
Enthusiast
‎07-19-2013 08:24 AM
Jump to solution

JimKnopf99 wrote:

Hi,

if i read your post correct, you have a vCenter Server right? If so, why are you not creating a Rule in vCenter and assign the needed permissions to that group.

After that, you could map a AD Group or User to that Rule and add it to the VM´s that you wan´t to share.

Frank

Sorry, I guess I overcomplicated my explanation because these steps are exactly what I did with the only difference being I mapped to an AD user and not an AD group.

0 Kudos
timofcourse
Enthusiast
Enthusiast
‎07-19-2013 08:30 AM
Jump to solution

ShadyMalatawey wrote:

Hi..

Tell me if i understood correctly, u have a user (X) who wants to (Power On/OFF, Console) permissions on some VMs.
u assigned VM user role to X on these VMs and when he tries to access these VMs using workstation 9 it refuses giving this log right..?!?!

Exactly, with user X being an AD account.

ShadyMalatawey wrote:

Can you take a look at this post if it can help...

http://communities.vmware.com/thread/425245?start=0&tstart=0


Else I found this KB that states it's under investigation issue..

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=204332...

Waiting for further comments...

If I read that thread right, the last post is saying he granted read permissions to the top level data center than for every single VM the user shouldn't have access to, explicitly set "no permission access"? Im really hoping theres an alternative as there are only 3 of nearly 70 VMs on the datacenter this user needs access to and that would be extremely tedious not to mention having to remember to add that to ever new VM manually as they are created.

As for the KB, I did see that, but honestly don't understand what it means when it says "add the user account configured in vSphere to the host machine running Workstation". The user in question here is an AD user account and is the account the user is logged into the host machine running Workstation. What more would be needed?

0 Kudos
timofcourse
Enthusiast
Enthusiast
‎07-19-2013 08:35 AM
Jump to solution

JimKnopf99 wrote:

Mabe I understand your question wrong. But tell me why do you want to use the workstation. Use the web client is you have a running vcenter on which the vm's are running.

Frank

I realize this is an option, and in case it wasn't obvious in my original post, this does in fact work - with both the web client and normal vSphere client. Unfortunately even with limiting access to the few VMs the users should have access to, the vSphere clients are more complex (for these novice users at least) and require several additional steps to get to the console and manage snapshots when compared to Workstation. Also, these users have been using Workstation for some time and already have it installed so I was really hoping to leverage what theyre already used to.

On an unrelated note, is it possible to do multi-quotes in a single reply? If so, sorry for the multiple replies!

0 Kudos
ShadyMalatawey
Enthusiast
Enthusiast
‎07-19-2013 11:13 AM
Jump to solution

For the KB.. It states that it's an issue to do any operation to VMs in a Workstation with a user assigned using vsphere client..
I find that nearly it's ur case..ur X user is a AD user with permissions set using vsphere client on ur datacenter..
and u want to use it on Workstation..
What about if you tried to create a user role using workstation itself (I didn't try it before)..??

Sincerely, Shady Ali El-Malatawey MCITP: Virtualization Administration 2008 VCP5-DCV/DT --- VCAP5-DCA/DCD @ShadyMalatawey https://virtualpharaohs.com
0 Kudos
timofcourse
Enthusiast
Enthusiast
‎07-19-2013 12:23 PM
Jump to solution

ShadyMalatawey wrote:

For the KB.. It states that it's an issue to do any operation to VMs in a Workstation with a user assigned using vsphere client..
I find that nearly it's ur case..ur X user is a AD user with permissions set using vsphere client on ur datacenter..
and u want to use it on Workstation..
What about if you tried to create a user role using workstation itself (I didn't try it before)..??

Not sure I follow you. What do you mean by "create a user role using workstation itself"?

0 Kudos
ShadyMalatawey
Enthusiast
Enthusiast
‎07-19-2013 12:41 PM
Jump to solution

I'm trying to search now if u can make users roles using workstation itself.. similar to vsphere client but on Workstation

Sincerely, Shady Ali El-Malatawey MCITP: Virtualization Administration 2008 VCP5-DCV/DT --- VCAP5-DCA/DCD @ShadyMalatawey https://virtualpharaohs.com
0 Kudos
ShadyMalatawey
Enthusiast
Enthusiast
‎07-19-2013 12:44 PM
Jump to solution

check this if it can help..
Page 189, 190

http://www.vmware.com/pdf/desktop/ws90-using.pdf

Sincerely, Shady Ali El-Malatawey MCITP: Virtualization Administration 2008 VCP5-DCV/DT --- VCAP5-DCA/DCD @ShadyMalatawey https://virtualpharaohs.com
timofcourse
Enthusiast
Enthusiast
‎07-23-2013 06:37 AM
Jump to solution

ShadyMalatawey wrote:

check this if it can help..
Page 189, 190

http://www.vmware.com/pdf/desktop/ws90-using.pdf

So, following this document, I connected to vSphere from VMware Workstation on the host Im testing with. I created a new role through it (cloned Virtual machine user (sample) role) and then selected a VM > Manage > Permissions, added the domain user and assigned the new role. After clicking okay I received an additional prompt that had me hopeful!

VMware prompt2.png

I hit Assign Permissions, logged out and logged in via Workstation as that user... I saw the one VM I provided access to, but as soon as I clicked on it, I unfortunately received the following error similar to above (attached the log file it references):

VMware error 3.PNG

Shoot.

I should also note, that I logged into vSphere client and I see no additional permissions on the host for this user, so Im wondering if Workstation is actually made any changes at all.

Any other suggestions here?

vmware-ui-10488.log
0 Kudos
ShadyMalatawey
Enthusiast
Enthusiast
‎07-23-2013 06:58 AM
Jump to solution

in the log file I found this:

C:\Users\tim.graffam\AppData\Roaming\VMware\config.ini": The system cannot find the file specified

can u check on this post:

http://communities.vmware.com/thread/393269?start=0&tstart=0


else, try to follow this long KB


http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=100848...


I hope it works Smiley Happy
I'm asking u a favour if it worked.. some points from helpful answers or correct answers mark Smiley Happy


Sincerely, Shady Ali El-Malatawey MCITP: Virtualization Administration 2008 VCP5-DCV/DT --- VCAP5-DCA/DCD @ShadyMalatawey https://virtualpharaohs.com
0 Kudos
timofcourse
Enthusiast
Enthusiast
‎07-23-2013 07:00 AM
Jump to solution

Figured it out!


First, for each VM you want to grant access to, add the user/group with the assigned role you want to grant them. The additional step required for access from Workstation is, for each Host the VMs you granted access to are on, you must also add the user/group and assign the Read-only role making sure to uncheck Propagate to child objects.

So this is similar to the thread referenced earlier, but saves from having to explicitly revoke access to every other VM on the host. So now, when I connect as the user I was testing with, I can connect to vCenter via Workstation, only see the VMs Ive applied the custom roles to and, most importantly, can connect to them without issue!


It also seems as though even though Workstation prompts to assign the necessary Read-only permission to the host it actually doesn't do a thing.

Thanks a bunch for all the help everyone.... especially ShadyMalatawey. If I wouldn't have seen that prompt in Workstation to apply the permission it would have taken a lot longer to figure out.

ShadyMalatawey
Enthusiast
Enthusiast
‎07-23-2013 07:10 AM
Jump to solution

Congratulations buddy Smiley Happy
I wish I was a nice hand and thx for points Smiley Happy

Just one last thing: What u did is that u assigned that test user the permissions u want on every VM u want and read permission to the HOST itself without (Propagte to child) using workstation itself, right..???!

Sincerely, Shady Ali El-Malatawey MCITP: Virtualization Administration 2008 VCP5-DCV/DT --- VCAP5-DCA/DCD @ShadyMalatawey https://virtualpharaohs.com
0 Kudos
timofcourse
Enthusiast
Enthusiast
‎07-23-2013 07:29 AM
Jump to solution

ShadyMalatawey wrote:

Congratulations buddy Smiley Happy
I wish I was a nice hand and thx for points Smiley Happy

Just one last thing: What u did is that u assigned that test user the permissions u want on every VM u want and read permission to the HOST itself without (Propagte to child) using workstation itself, right..???!

Exactly. Ill update my last post to be a bit clearer on that.

0 Kudos