VMware Cloud Community
mfinkler
Contributor

Group for single VM

Hi,


I want to delegate access rights to some users, so that they can access the vCenter and manage "their" VMs. But I don't want to give the right to a user directly; instead I want to use AD groups.


So here is my idea:

- one group to access vSphere (works fine)

- for every single VM, I will create an AD group. The group can access the machine; the user who needs the VM will be a member of the group. The group will also have local admin rights.

And here is the problem.

The dark pictures are the admin, the white ones are the user.

I added an AD group to access the vCenter. The user, who is a member of the group, can log in. He can't see any VM.

[screenshots: vcenter01.png, vcenter02.png]


I added the group "<domain>\ADMIN_SERVER_<MACHINENAME>" on the VM itself and put the user in the AD group, but the user can't see the machine. I already waited some time.

[screenshots: vcenter03.png, vcenter02.png]


But if I add the user to the VM directly, he can do the things he is supposed to do.

[screenshots: vcenter04.png, vcenter05.png]


Does somebody have a possible solution for that behavior?


Kind regards

Michael
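As an added example that is not part of the original post or of VMware's documentation, this PowerCLI fragment applies the per-VM group design described above: each VM gets a permission entry for its own AD group, named after the "<domain>\ADMIN_SERVER_<MACHINENAME>" convention from the post. The domain name, the role name and an existing Connect-VIServer session are assumptions; the group must already exist and be resolvable through the configured identity source.

```powershell
# Added example (not from the thread). Assumes VMware PowerCLI is loaded and
# Connect-VIServer has already been run against the vCenter.
$domain   = 'CONTOSO'           # placeholder NetBIOS domain name (assumption)
$roleName = 'VM Owner Operator' # placeholder least-privilege custom role (assumption);
                                # do not hand out the built-in Administrator role per VM
$role = Get-VIRole -Name $roleName -ErrorAction Stop

foreach ($vm in Get-VM) {
    # Group name follows the convention from the post: <domain>\ADMIN_SERVER_<MACHINENAME>
    $principal = "$domain\ADMIN_SERVER_$($vm.Name)"

    # Skip VMs that already carry a permission for their group, so the script is idempotent.
    $existing = Get-VIPermission -Entity $vm -Principal $principal -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Permission for $principal on $($vm.Name) already present"
        continue
    }

    # Scope the role to the single VM object; nothing below a VM needs propagation.
    try {
        New-VIPermission -Entity $vm -Principal $principal -Role $role -Propagate:$false | Out-Null
        Write-Host "Granted '$roleName' to $principal on $($vm.Name)"
    }
    catch {
        # Typical cause: the group cannot be resolved by the identity source
        # (as in the thread, IWA vs. Active Directory over LDAP), or it does not exist yet.
        Write-Warning "Could not assign $principal on $($vm.Name): $($_.Exception.Message)"
    }
}
```

The users still need the separate vCenter-level read access group from the first bullet to log in at all; this script only adds the per-VM entries.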

Accepted Solution
Lalegre
Virtuoso

@mfinkler,

Quick question: I have seen this issue fixed by using Active Directory over LDAP instead of IWA as the Identity Source. Which one are you using right now?

5 Replies
mfinkler
Contributor

Hi @Lalegre,


Indeed, we are using IWA, so I will change to Active Directory over LDAP and test again.

Thank you!

mfinkler
Contributor

Unfortunately I can't test it today, because every time I add LDAP, I get an error:

Check the network settings and make sure you have network access to the identity source.


After looking for the cause of this, I found that the existing authentication source has to be removed first: two entries for the same domain are not allowed.

I will test it tomorrow.

Lalegre
Virtuoso

@mfinkler,

Yes, indeed you cannot have the same name for the same domain. Also, if you are using LDAPS you will need port 636 to be allowed, plus the certificate on the Identity Source.

Remember to take a snapshot 😁

mfinkler
Contributor

@Lalegre,

Snapshot, sure 😁

After deleting IWA I could add Active Directory over LDAP.


Now the user can see "his" VM.

Thank you very much!