I am trying to develop a least-permissions model for security on the VI. I have an issue with deployment of templates. When deploying a VM from a template, the Deploy Template Wizard (DTW) gets to the second stage, where it validates Host / Cluster; when the cluster is selected the Compatibility window shows Validation succeeded but the Next button remains greyed out.
This does not happen when deploying a new VM to the same folder, only when cloning a template. When I use my global admin account, there is no such issue. Once the cluster is selected the "specific host" option disappears and the Next button goes black.
I tried RTFM (http://www.vmware.com/pdf/vi3_vc_roles.pdf) and set exactly and only the roles described on page 9 under Example: Allowing Template Deployment to a Resource Pool as follows:
Virtual Machine > Inventory > Create; Virtual Machine > Configuration > Add New Disk: at the destination folder
Virtual Machine > Provisioning > Deploy Template: Template folder
Resource > Assign VM to Resource Pool; Virtual Machine > Interaction: Destination resource pool
I tried with Read-Only at the Datacenter but that results in an error "Object reference not set to an instance of an object" when clicking the cluster in the DTW. Note that I enabled propagation for everything but the Read Only permission on the Datacenter object, because if you enable read-only at the host level you get two undesirable side-effects: a list of hosts (incompatible with least-privilege, and also confuses people); and visibility of any VMs or templates mistakenly left in the host or cluster root. The "Object reference" issue can be resolved by setting read-only at the cluster level, which is not a big surprise.
The main problem goes away if read-only permission is set on any host - regardless of whether it's the one on which the template currently resides. Enabling propagation on the read-only permission at the cluster level also works, but with the undesirable result of revealing information about child objects.
I have three hypotheses here: First, it may be that some facet of a component host must be validated before a VM can be deployed to a cluster. Second, there is some class of object residing in a hidden container at the host level. Third, it may be an "undocumented feature" or bug.
permission-error.jpg shows the error, permission-correct.jpg shows the expected result.
Any suggestions, please?
Message was edited by: Guy Chapman with additional information and test results.
This is the minimum set of rights required to deploy a VM from a template.
At the destination folder
Virtual Machine > Inventory > Create
Virtual Machine > Configuration > Add New Disk
These rights need to be propagated
At the datacenter and on each host within the cluster
Read-only
These rights must not be propagated, or resources at the root level become visible
At the cluster
Virtual Machine > Inventory > Create
These rights must not be propagated, or resources at the root level become visible
At the template folder
Virtual Machine > Provisioning > Deploy Template
This right needs to be propagated
At the destination resource pool
Resource > Assign VM to Resource Pool
Virtual Machine > Interaction
Additionally, in order to be able to use customisation templates, the following rights are needed.
At the template folder
Virtual Machine > Provisioning > Customize
This right needs to be propagated
At the root (Hosts & Clusters / Virtual Machines & Templates) folder
Virtual Machine > Provisioning > Read Customization Specifications
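As an added illustration (not part of either post above), the following PowerCLI script applies the permission layout listed in the answer, object by object, with the propagation flags set as the answer requires. The vCenter hostname, the principal, the inventory object names and the custom role names are placeholders; "Virtual Machine > Interaction" in the answer means the whole privilege group, so the Interaction privilege IDs below are a starting subset to be extended, and propagation on the resource pool is an assumption the answer does not state.

```powershell
# Added example, not code from the original thread. Assumes PowerCLI is
# installed and that the account running it can manage roles and permissions.
Connect-VIServer -Server "vcenter.example.internal"   # placeholder hostname

$principal = "EXAMPLE\vm-deployers"                    # placeholder AD group

# Build a custom role from vSphere privilege IDs (the API names of the
# privileges the answer lists).
function New-RoleFromPrivileges {
    param([string]$Name, [string[]]$PrivilegeIds)
    $privs = $PrivilegeIds | ForEach-Object { Get-VIPrivilege -Id $_ }
    New-VIRole -Name $Name -Privilege $privs
}

$roleDestFolder = New-RoleFromPrivileges -Name "Deploy-DestFolder" -PrivilegeIds @(
    "VirtualMachine.Inventory.Create",
    "VirtualMachine.Config.AddNewDisk")
$roleCluster = New-RoleFromPrivileges -Name "Deploy-Cluster" -PrivilegeIds @(
    "VirtualMachine.Inventory.Create")
$roleTemplate = New-RoleFromPrivileges -Name "Deploy-Template" -PrivilegeIds @(
    "VirtualMachine.Provisioning.DeployTemplate",
    "VirtualMachine.Provisioning.Customize")
# The answer grants the whole Interaction group; these IDs are a subset to extend.
$rolePool = New-RoleFromPrivileges -Name "Deploy-ResourcePool" -PrivilegeIds @(
    "Resource.AssignVMToPool",
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.ConsoleInteract")
$roleRoot = New-RoleFromPrivileges -Name "Deploy-ReadCustSpecs" -PrivilegeIds @(
    "VirtualMachine.Provisioning.ReadCustSpecs")
$readOnly = Get-VIRole -Name "ReadOnly"                # built-in Read-only role

# Destination folder: Create + Add New Disk, propagated.
New-VIPermission -Entity (Get-Folder -Name "Deployed-VMs") -Principal $principal `
    -Role $roleDestFolder -Propagate $true

# Datacenter and each host in the cluster: Read-only, NOT propagated, so that
# VMs or templates left in the host/cluster root stay hidden.
New-VIPermission -Entity (Get-Datacenter -Name "DC1") -Principal $principal `
    -Role $readOnly -Propagate $false
Get-Cluster -Name "Prod-Cluster" | Get-VMHost | ForEach-Object {
    New-VIPermission -Entity $_ -Principal $principal -Role $readOnly -Propagate $false
}

# Cluster: Create only, NOT propagated.
New-VIPermission -Entity (Get-Cluster -Name "Prod-Cluster") -Principal $principal `
    -Role $roleCluster -Propagate $false

# Template folder: Deploy Template + Customize, propagated.
New-VIPermission -Entity (Get-Folder -Name "Templates") -Principal $principal `
    -Role $roleTemplate -Propagate $true

# Destination resource pool (propagation assumed so the new VM inherits it).
New-VIPermission -Entity (Get-ResourcePool -Name "Dev-Pool") -Principal $principal `
    -Role $rolePool -Propagate $true

# Root folder: Read Customization Specifications, not propagated.
New-VIPermission -Entity (Get-Folder -NoRecursion) -Principal $principal `
    -Role $roleRoot -Propagate $false

# Review what the principal actually holds, including the Propagate flags.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

The final `Get-VIPermission` listing is the check worth keeping: any entry with `Propagate` set to True on the datacenter, a host or the cluster is the configuration the answer warns exposes root-level resources, and is easy to spot there before handing the account to users.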