stephenmbell
Enthusiast

Restricting where VMs can be created

Hello all,

I've been trying to wrap my head around this for some time now and I just can't figure out how to make it work the way I would like. I am being asked to set up the proper permissions to allow our software developers to create/modify/delete virtual machines within our production ESXi cluster. I have this part configured. The part I am struggling with is restricting this access to a certain area (within a folder or resource pool etc.), not the entire cluster or datacenter.

I have a custom role set up that has what appears to be the proper permissions - but I feel like I can't get this correct because of where the permissions need to be applied. 

Datastore: Allocate space, Browse datastore, Update virtual machine files, Update virtual machine metadata,

Host: Local operations > Create virtual machine, Delete virtual machine, Reconfigure virtual machine

Network: Assign network

Resource: Assign virtual machine to resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine

Virtual Machine: Change Configuration (All)

Virtual Machine: Edit Inventory > Create new, Remove, Unregister

Virtual Machine: Interaction

Virtual Machine: Provisioning > Modify customization specification, Read customization specification

Virtual Machine: Snapshot Management (All)

I am feeling like I need to move the datastores that they are authorized to use into a folder, and set a specific permission on that folder for a datastore role.  Same for networks.  Once I hit the host level I start to question my thoughts.  If I grant Create Virtual Machine permission at the Host level (or Cluster, or DataCenter) this would allow creating a vm across the entire ESXi cluster, correct?

In addition to that - I feel like having to create specific roles / permissions for the datastore layer, network layer, resource layer, vm layer, and host layer seems like a lot of complexity for what I am trying to accomplish. 

Again, if I set the above permissions at the Datacenter level and propagate to children, this role is able to perform all of the functions needed for their job.  However, they also have permission to do more than needed. 

How do I go about restricting this?

Thanks

Steve

4 Replies
nachogonzalez
Expert

Hey, hope you are doing fine.
I'll try to reply to your questions:

> I am feeling like I need to move the datastores that they are authorized to use into a folder, and set a specific permission on that folder for a datastore role.

Why not a datastore cluster? Either way, what you are saying is correct.

> Same for networks. Once I hit the host level I start to question my thoughts. If I grant Create Virtual Machine permission at the Host level (or Cluster, or DataCenter) this would allow creating a vm across the entire ESXi cluster, correct?

At the host level, only the host; at the cluster level, all the cluster; at the DC level, all the DC. Check this article regarding the hierarchy of permissions (Hierarchical Inheritance of Permissions for Content Libraries).

> In addition to that - I feel like having to create specific roles / permissions for the datastore layer, network layer, resource layer, vm layer, and host layer seems like a lot of complexity for what I am trying to accomplish.

What if you set the permissions at a lower level (let's say resource pool) and set a no access permission to everything outside that? This way devs will have access to the resource pool only.

> Again, if I set the above permissions at the Datacenter level and propagate to children, this role is able to perform all of the functions needed for their job.

Yes, that's correct.

> However, they also have permission to do more than needed.

This is also correct.

You can limit permissions by denying permissions such as No Access or Read-only.
As a general principle of IT, the permission with least abilities will take precedence.

Hope this works, let me know if I can assist.
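To make the folder-scoped approach concrete, here is a PowerCLI script (an added example, not code from anyone in this thread) that builds the role from the privilege list in the original post and assigns it only on the developers' VM folder, datastore folder, network folder and resource pool, leaving nothing assigned at the datacenter, cluster or host level. The vCenter address, the AD group and the folder and pool names are placeholders; the privilege IDs are the API identifiers that correspond to the UI labels in the post and should be confirmed with `Get-VIPrivilege` before use.

```powershell
# Added example, not from the thread. Assumes VMware PowerCLI is installed.
# Placeholders: vCenter address, AD group, folder and resource-pool names.
Connect-VIServer -Server 'vcenter.example.invalid'   # placeholder

$principal = 'CORP\vsphere-devs'   # placeholder AD group
$roleName  = 'Dev-VM-Operator'

# API privilege IDs matching the UI labels listed in the original post.
# Assumption: verify each with Get-VIPrivilege -Name '<UI label>' in your vCenter.
$privilegePatterns = @(
    'Datastore.AllocateSpace',
    'Datastore.Browse',
    'Datastore.UpdateVirtualMachineFiles',
    'Datastore.UpdateVirtualMachineMetadata',
    'Host.Local.CreateVM',
    'Host.Local.DeleteVM',
    'Host.Local.ReconfigVM',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'Resource.ColdMigrate',
    'Resource.HotMigrate',
    'VirtualMachine.Config.*',             # Change Configuration (All)
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Interact.*',           # Interaction
    'VirtualMachine.Provisioning.ModifyCustSpecs',
    'VirtualMachine.Provisioning.ReadCustSpecs',
    'VirtualMachine.State.*'               # Snapshot Management (All)
)

# Expand the patterns against the privilege catalogue (leaf privileges only).
$privileges = Get-VIPrivilege -PrivilegeItem | Where-Object {
    $id = $_.Id
    (@($privilegePatterns | Where-Object { $id -like $_ })).Count -gt 0
}

# Create the cumulative role once; reuse it on later runs.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privileges
}

# A VM has four parents (compute, storage, network, VM folder); grant the role
# on the developer-owned object of each kind and nowhere higher in the tree.
$scopes = @(
    (Get-Folder -Name 'Dev-VMs' -Type VM),               # placeholder folder
    (Get-Folder -Name 'Dev-Datastores' -Type Datastore), # placeholder folder
    (Get-Folder -Name 'Dev-Networks' -Type Network),     # placeholder folder
    (Get-ResourcePool -Name 'Dev-Pool')                  # placeholder pool
)
foreach ($entity in $scopes) {
    New-VIPermission -Entity $entity -Principal $principal -Role $role -Propagate $true
}

# Show the resulting assignments so the scope can be eyeballed.
Get-VIPermission -Principal $principal |
    Select-Object Principal, Role, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } } |
    Format-Table -AutoSize
```

Because the role is bound to the four folder-level objects with propagation, a developer can create a VM only where all four parents resolve inside those scopes; the same role bound at the datacenter with propagation would, as the reply above says, reach every host and cluster beneath it.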

scott28tt
VMware Employee

This page from the documentation should help: Required Privileges for Common Tasks

The best practices item above it in the index to the left is also useful.

stephenmbell
Enthusiast

Thanks Scott.

I think this did the trick. I moved my VMs, Datastores, Networks into folders. Assigned the proper permissions (1 cumulative role) to the folders.

My question now is: with the Host-level "Create VM" permission assigned at the data center, how do I prevent VMs from being created at the / level (e.g. not in a folder)?

Thanks

Steve

scott28tt
VMware Employee

Each VM essentially has 4 parent objects - compute, storage, network, and the logical VM folder.

I'm not 100% sure what you mean by this "how do I have "Create VM" permission on the Host level assigned to the data center" but I think you're asking about compute - in which case the part highlighted below should be the answer:

[Screenshot attached: Screenshot 2020-08-18 at 16.09.33.png, not reproduced here]

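The follow-up question in this thread is really an audit question: for a given group, is any role that can create VMs bound above folder or resource-pool level? The PowerCLI function below (an added example, not code from the thread or from VMware) answers it by walking the principal's permissions and reporting those bound on the inventory root, a datacenter, a cluster or a host. The group name is a placeholder, an existing `Connect-VIServer` session is assumed, and the privilege IDs should be confirmed with `Get-VIPrivilege`.

```powershell
# Added example, not from the thread. Assumes an open Connect-VIServer session.
$principal = 'CORP\vsphere-devs'   # placeholder AD group

# Privilege IDs that allow creating a VM in the inventory
# (assumption: confirm with Get-VIPrivilege -Id 'VirtualMachine.Inventory.*').
$createPrivileges = @(
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.CreateFromExisting'
)

# Managed-object types where a propagating Create grant reaches far more than
# one folder or pool. The inventory root is a Folder with MoRef group-d1.
$wideTypes = @('Datacenter', 'ClusterComputeResource', 'ComputeResource', 'HostSystem')
$rootFolderId = 'Folder-group-d1'

function Get-WideVmCreateGrants {
    param([Parameter(Mandatory)][string]$Principal)

    $grants = Get-VIPermission | Where-Object { $_.Principal -eq $Principal }
    foreach ($perm in $grants) {
        # Resolve the role's privilege list and skip roles that cannot create VMs.
        $role = Get-VIRole -Name $perm.Role
        $canCreate = (@($role.PrivilegeList | Where-Object { $createPrivileges -contains $_ })).Count -gt 0
        if (-not $canCreate) { continue }

        # PowerCLI object Ids look like 'Datacenter-datacenter-2' or 'Folder-group-v10';
        # the prefix before the first dash is the managed-object type.
        $entityId = $perm.Entity.Id
        $moType   = $entityId.Split('-')[0]
        $isWide   = ($wideTypes -contains $moType) -or ($entityId -eq $rootFolderId)
        if (-not $isWide) { continue }

        [PSCustomObject]@{
            Entity     = $perm.Entity.Name
            EntityType = $moType
            Role       = $perm.Role
            Propagate  = $perm.Propagate
            Finding    = 'Create-VM capable role bound above folder/resource-pool scope'
        }
    }
}

$findings = @(Get-WideVmCreateGrants -Principal $principal)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    "No wide Create-VM grants found for $principal"
}
```

Run it before and after re-scoping: a clean result means every Create-VM capable binding for the group sits on a folder or resource pool, which is exactly the state the thread ends up recommending. A binding flagged with `Propagate = True` on a datacenter is the case from the follow-up question, where VMs could be created outside the intended folders.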