Trying to work through how to setup permissions so that VM admins will see only their VMs but they will still be able to browse and attach an ISO image from a LUN shared by all.
Until now we had set up VM admin roles at the VM level. When we added the shared ISO LUN the VM admins could not browse to it, the browse option is greyed out. To get around the problem we setup a role at the datacenter level that only allows datastore browse and then permitted a VM admin group to this role. This all works now but the downside it that the permission at the datacenter level now allows the VM admin to see all the VMs and hosts.
Perhaps our hieararchy could be better setup. It looks like this:
DataCenters -> IU DataCenter -> DL585 -> ESX server -> VMs (The datastore and network objects are under IU DataCenter)
So for the same group we have a databrowse role permitted at IU DataCenter and a VM admin role permitted at the VM.
Any thoughts on how to do this so that a VM admin would only see their own VMs but still be able to browse the datastore?