VMware Cloud Community
Guy_Chapman
Contributor
Contributor

Deployment of templates: permissions issue

I am trying to develop a least-permissions model for security on the VI. I have an issue with deployment of templates. When deploying a VM from a template, the Deploy Template Wizard (DTW) gets to the second stage, where it validates Host / Cluster; when the cluster is selected the Compatibility window shows Validation succeeded but the Next button remains greyed out.

This does not happen when deploying a new VM to the same folder, only when cloning a template. When I use my global admin account, there is no such issue. Once the cluster is selected the "specific host" option disappears and the Next button goes black.

I tried RTFM (http://www.vmware.com/pdf/vi3_vc_roles.pdf) and set exactly and only the roles described on page 9 under Example: Allowing Template Deployment to a Resource Pool as follows:

  • Virtual Machine > Inventory > Create; Virtual Machine > Configuration > Add New Disk: at the destination folder

  • Read-only: at the datacenter

  • Virtual Machine > Provisioning > Deploy Template: Template folder

  • Resource > Assign VM to Resource Pool; Virtual Machine > Interaction: Destination resource pool

I tried with Read-Only at the Datacenter but that results in an error "Object reference not set to an instance of an object" when clicking the cluster in the DTW. Note that I enabled propagation for everything but the Read Only permission on the Datacenter object, because if you enable read-only at the host level you get two undesirable side-effects: a list of hosts (incompatible with least-privilege, and also confuses people); and visibility of any VMs or templates mistakenly left in the host or cluster root. The "Object reference" issue can be resolved by setting read-only at the cluster level, which is not a big surprise.

The main problem goes away if read-only permission is set on any host - regardless of whether it's the one on which the template currently resides. Enabling propagation on the read-only permission at the cluster level also works, but with the undesirable result of revealing information about child objects.

I have three hypotheses here: First, it may be that some facet of a component host must be validated before a VM can be dployed to a cluster. Second, there is some class of object residing in a hidden container at the host level. Third, it may be an "undocumented feature" or bug.

permission-error.jpg shows the error, permission-correct.jpg shows the expected result.

Any suggestions, please?

Message was edited by: Guy Chapman with additional information and test results.

Tags (2)
Reply
0 Kudos
1 Reply
Guy_Chapman
Contributor
Contributor

This is the minimum set of rights required to deploy a VM from a template.

  • At the destination folder

    • Virtual Machine > Inventory > Create

    • Virtual Machine > Configuration > Add New Disk

    • These rights need to be propagated

  • At the datacenter and on each host within the cluster

    • Read-only

    • These rights must not be propagated, or resources at the root level become visible

  • At the cluster

    • Virtual Machine > Inventory > Create

    • These rights must not be propagated, or resources at the root level become visible

  • At the template folder

    • Virtual Machine > Provisioning > Deploy Template

    • This right needs to be propagated

  • At the destination resource pool

    • Resource > Assign VM to Resource Pool

    • Virtual Machine > Interaction

Additionally, in order to be able to use customisation templates, the following rights are needed.

  • At the template folder

    • Virtual Machine > Provisioning > Customize

    • This right needs to be propagated

  • At the root (Hosts & Clusters / Virtual Machines & Templates) folder

    • Virtual Machine > Provisioning > Read Customization Specifications

Reply
0 Kudos