VMware Cloud Community
cosna3
Contributor

VMware vCenter is incapable (by design) of issuing vMotion permissions at the cluster level

I have the following configuration (for example):


DataCenter1
-dtc1_cluster1
-dtc1_cluster2
-dtc1_cluster3

DataCenter2
-dtc2_cluster1

dtc1_cluster1 is solely for development VMs; dtc1_cluster2 is for desktop VMs; and dtc1_cluster3 is for Production.

dtc2_cluster1 is for my DMZ.

Now I want desktop staff to have full access to dtc1_cluster2: access in terms of taking snapshots, powering VMs on/off, and migrating to other hosts, which may include moving storage locations.

PROBLEM:

If I assign those rights at dtc1_cluster2, I do not get vMotion of any kind.

SOLUTION:

I have to assign the rights at the dtc1 (datacenter) level in order to get vMotion in dtc1_cluster2 [this has been confirmed and verified by VMware support and ruled as BY-DESIGN].

To me this is a FLAWED design. I say that with a grain of salt because I do not want to issue vMotion permission at the datacenter level (dtc1): my desktop staff do not need to see the other clusters in the datacenter, nor do I want them to have vMotion in those clusters. I only want them to interact with the desktop cluster dtc1_cluster2.

Has anyone else run into this problem? I feel that vMotion should still be allowed at the CLUSTER level within the DATACENTER despite the permissions only being assigned at the CLUSTER.

I have everything else assigned and working except for vMotion.

To me, for my environment, this does not work as expected and should be addressed in the next release. Not even Windows permissions work like this. I shouldn't have to assign full control at the top level of the tree so that a user can do something in a sub-folder when I don't want them to have access to other sub-folders in that tree.
