VMware Cloud Community
SBaldridge
Contributor

Customized Roles-Power up guest

Gah! I cannot solve this for some reason. Running VC 2.5.0 update 1 build 84767. I have cloned the Virtual Machine Administrator role and customized it so our server managers can attach a workstation DVD to a VM guest and they need to be able to power off/power on a vm guest. I've assigned the role to individual vm guests. We had issues with the DVD thing but the Update 1 fixed that problem.

By using my customized role, if the vm guest is on a non-clustered ESX then I have no problem, the manager can power down and power up the guest but if the guest is in a DRS/HA cluster then the manager cannot power up the guest. When we try to power up, VC shows a single "initialize powering on" task as successful but the guest does not power up.

If someone with Administrator role attempts a power up, we see the following sequential (successful) tasks:

Initialize powering on - success

Apply DRS recommendation - success

Power On Virtual Machine - success

As suggested elsewhere in this forum I have tried giving a read-only role to the managers at the root (hosts and clusters), cluster level, and resource pool level but it doesn't work.

Can someone give me some guidance?

Thanks,

Scott

5 Replies
mike_laspina
Champion

Hi,

Could you provide more info on what AD groups you have defined and what roles are assigned to the AD groups?

Also keep in mind that the VC local users is a group which is associated with all domain users.

http://blog.laspina.ca/ vExpert 2009
SBaldridge
Contributor

I have an AD group that is assigned the following on the guest:

Global>Cancel Task

Virtual Machine>Inventory>Move

Virtual Machine>Configuration>Change Resource

Virtual Machine>Interaction>All

Virtual Machine>State>All

Resource>Apply Recommendation

Resource>Migrate

Resource>Relocate

Scheduled Task>All

Nothing is applied any higher at the moment.

mike_laspina
Jump to solution

Can I suggest that you focus on only one function at a time.

Try granting only the interactions for power on, off, suspend and reset.

If you have dependencies that are not obvious it could cloud the issue.

Also you referred to other posts, did you see this one?

http://communities.vmware.com/message/886727#886727

http://blog.laspina.ca/ vExpert 2009
SBaldridge
Jump to solution

Hi Mike, thanks for the help.

I found a solution but maybe it's not the best? I have read the post you refer to which helped. This solution probably seems obvious to others but I had a tough time getting my head around it. For me, troubleshooting this is easiest if you perform the task successfully as an Administrator, then click on the Hosts and Clusters (root) node and look at the Tasks tab which shows all the tasks per node (Cluster>Host>VM, etc) to see what is required.

Taking care to not overlap the AD group memberships assigned to each node (least privilege security can bite you), I found this is what is required to allow a guest server manager to power on a guest in a DRS cluster, maybe you or someone could make a suggestion to further reduce privilege:

Step 1: Made a new AD group to grant minimal rights, made sure not to include members of the Administrators group.

Step 2: Define roles

New role "Data Center - Minimal Rights" (apply only to datacenter node, no propagation):

Virtual Machine>Interaction>Power On and Off

Tasks>Create

New Role "Cluster - Minimal Rights" (apply to cluster only, no propagation):

Resource>Apply Recommendation

Tasks>Create

New Role "Host - Minimal Rights" (apply only to hosts you want the manager to utilize, no propagation):

Just clone the "Read Only" role

Existing role I had customized based on a cloned Virtual Center Power User role, granting power on/off, ability to attach DVD, and a few other things (see above thread). Apply to the selected guests.

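A small Python model of the permission walk Scott describes above, added here as an example (it is not code from the thread or from VMware). Privilege names are the thread's own UI labels, the per-node requirements are the ones Step 2 arrived at, and the nearest-permission-wins lookup is a simplifying assumption about how vCenter resolves a role on an inventory node.

```python
# Constructed model of the DRS-cluster power-on permission check from this thread.
# Inventory path (child -> parent): vm > host > cluster > datacenter > root.
PARENT = {"vm": "host", "host": "cluster", "cluster": "datacenter",
          "datacenter": "root", "root": None}

# "Read" stands in for the cloned Read Only role; other labels are the thread's UI names.
READ_ONLY = {"Read"}
GUEST_MANAGER_ROLE = {  # the per-guest role Scott listed earlier in the thread
    "Global>Cancel Task", "Virtual Machine>Inventory>Move",
    "Virtual Machine>Configuration>Change Resource", "Virtual Machine>Interaction>All",
    "Virtual Machine>State>All", "Resource>Apply Recommendation", "Resource>Migrate",
    "Resource>Relocate", "Scheduled Task>All",
}

# What the power-on task sequence needs on each node, as found in Step 2 (assumed model).
REQUIRED = {
    "datacenter": {"Virtual Machine>Interaction>Power On", "Tasks>Create"},
    "cluster": {"Resource>Apply Recommendation", "Tasks>Create"},
    "host": {"Read"},
    "vm": {"Virtual Machine>Interaction>Power On"},
}

def effective(permissions, node):
    """Nearest permission wins (assumption): a role assigned directly on the node,
    else the closest ancestor whose assignment propagates, else no privileges."""
    here = node
    while here is not None:
        for assigned_node, privileges, propagate in permissions:
            if assigned_node == here and (here == node or propagate):
                return privileges
        here = PARENT[here]
    return set()

def has(privileges, wanted):
    """'<group>>All' (e.g. Virtual Machine>Interaction>All) covers every privilege in its group."""
    group = wanted.rsplit(">", 1)[0]
    return wanted in privileges or f"{group}>All" in privileges

def missing(permissions):
    """Map node -> privileges still missing; an empty dict means the power-on can proceed."""
    gaps = {}
    for node, wanted in REQUIRED.items():
        have = effective(permissions, node)
        gap = {p for p in wanted if not has(have, p)}
        if gap:
            gaps[node] = gap
    return gaps

# Scenario 1: role only on the guest (the original setup) -> datacenter, cluster and host lack rights.
ONLY_ON_VM = [("vm", GUEST_MANAGER_ROLE, False)]
# Scenario 2: Read Only propagated from the root as well -> still no Apply Recommendation on the cluster.
READ_ONLY_AT_ROOT = ONLY_ON_VM + [("root", READ_ONLY, True)]
# Scenario 3: Step 2's three minimal, non-propagating roles -> nothing missing.
STEP_2 = ONLY_ON_VM + [
    ("datacenter", {"Virtual Machine>Interaction>Power On", "Tasks>Create"}, False),
    ("cluster", {"Resource>Apply Recommendation", "Tasks>Create"}, False),
    ("host", READ_ONLY, False),
]
```

Running `missing()` over the three scenarios reproduces the thread's observations: the per-guest role alone and the read-only-at-root variant both leave the cluster without Apply Recommendation, which is where the DRS power-on stalls.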
mike_laspina
Jump to solution

You're welcome,

I have found that the method you have used is the most effective in providing better control and function.

Yes it is more work to use multiple AD groups but it will be much better in the long run.

If you find you require groups with large numbers of users then it is good to have some local groups and put global groups in them to reduce heavy AD queries.

It is how I set up my systems and I don't have any issues with it.

http://blog.laspina.ca/ vExpert 2009