We have created a SQL folder and placed all of our SQL VM's in this folder. We allow the SQL DBA's to connect to VC to manage the VM's. We have given their Active Directory Group "Virtual Machine Power Users" rights. They are able to logon and manage power and get to the console. They can create and delete snapshots, but they cannot revert to a snapshot.
They get the permission denied error when they do this.
Has someone else come across this?
Try Adding this privilege. Under Datastore - Remove File, and Rename File.
Not sure if it will work or not.
You may also need to add the snapshot privileges at the top level of the structure.
What you need is to provide "Virtual Machine -> State -> (All)" permission at the Cluster (not just the guest). You'll need to create a separate roll for this, and make sure to uncheck "Propagate"
Problem is if I do that then I give that right to the other objects that are a part of the cluster. What we have done is created a folder in the "Virtual Machines and Templates" view called SQL Servers. I've given the DBA's the rights to this folder. Everything works except revert, all other snapshot functions work even delete.
When I permission the entire Cluster they can see and manage the snapshots for the sql servers folder (in the view "virtual machines and templates") and they can manage any server that is not in a subfolder in that view now.
Did you uncheck the Propagate option when applying the Role to the Cluster? If so, they should only have the ability to manage Snapshots for those systems in the SQL folder as needed. This role should only have the snapshot permissions defined, nothing else.
Message was edited by: hicksj
I have this SAME exact setup in my environment, SQL DBA's needing to revert snapshots. The above worked perfect. Note: They can ONLY see their DBA servers. They cannot see any other VM's. However, as long as they do not have snapshot privs directly on any other VM's they can see, they can not manage those snapshots.
Sorry, I did check propagate. I did not read your msg correctly. If I do not select propagate, they users cannot revert to a snapshot. So it still does not work.
I opened a case yesterday and have still not received a reply.
As a test, try applying this new "Snapshot" role to the host (instead of the cluster) currently managing a SQL VM, again, without propagation. Can the DBA's now revert? I thought this could be applied at the higher level. Maybe not?
It's tricky determining where all these permissions are applicable!
Ok, that makes sense. I though it was a Cluster operation. I'll have to have my DBA retest reverting. I thought this was working for him...
Let me know what the SR response is. Hopefully they can get this straightened out.
VMWare Technical Support Suggested configurations listed below. We used number two to get this working for us.
This is a known issue with Vmware that we will be address in a future release of VirtualCenter.
There are two workarounds for this for now:
1 - You can assign a user "VM Power User" or "VM Administrator" role on ESX without propagating it down to all VM's. After that you can choose a virtual machine and assign the same user "VM Power User" or "VM Administrator Role"
so that he/she can perform "Revert Snapshot".
2 - You can add a custom role that should have only one permission and that is "Remove file" under Datastores and nothing else. After this you give a user 'VM Power User' Or 'VM Admin User" on a VM and give the same user the custom role you created on the ESX host. In this way that user will be able
to revert to snapshot.
Solution: Power off the VM. The user will then be allowed to revert to prior snapshots.
No need to provide additional permissions at the host or cluster as previously posted. The user just requires the standard "State" permissions on the VM, along with the ability to powerup/powerdown the VM.
Hope that helps!