VMware Cloud Community
vpnetworks
VMware Employee

Do Permissions Applied at Cluster or Host Propagate to Child VMs

If I apply Read-Only Permissions to a Cluster or Host folder (for a particular group of users) with the propagate to child objects enabled, when a new VM is created within that folder, the user is able to do much more than R/O.

I know that we can create a VM folder (in a different view) with the same R/O permissions, but this doesn't ensure new VMs will have this permission applied if those new VMs are not placed into a VM folder at creation time.

It seems that on new VM creation, the VM is not inheriting the R/O permission from the Cluster/Host folder. Is this the expected behavior?

Thank you!


Accepted Solutions
Troy_Clavell
Immortal

"I believe the more restrictive permissions apply. Unless I have that backward?"

I should have been more descriptive. If you have an AD group with, let's say, joe in it, that AD group is set to the read-only role, and joe is in another AD group that has a role of Administrator, joe becomes an administrator. If joe is added in as a user rather than a group, then the most restrictive role wins, so you are correct.

4 Replies
Troy_Clavell
Immortal

"If I apply Read-Only Permissions to a Cluster or Host folder (for a particular group of users) with the propagate to child objects enabled, when a new VM is created within that folder, the user is able to do much more than R/O."

Correct, unless there are other permissions set at the folder level; then the two permissions are combined and usually result in the less restrictive permissions.

"I know that we can create a VM folder (in a different view) with the same R/O permissions, but this doesn't ensure new VMs will have this permission applied if those new VMs are not placed into a VM folder at creation time."

Correct.

"It seems that on new VM creation, the VM is not inheriting the R/O permission from the Cluster/Host folder. Is this the expected behavior?"

Any VM, regardless of where it is created, should inherit the permissions of the folder (view) in which it resides.

dickybird
Enthusiast

The permissions should propagate if you have checked the box and any new VM created in that cluster will carry the permissions defined at cluster level.

Remember: the least privileges will overrule the more privileges given for the same account.

vpnetworks
VMware Employee

"...usually result in the less restrictive permissions"

I believe the more restrictive permissions apply. Unless I have that backward?

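
The group-versus-user rule described in the accepted answer, as an added example that is not part of the original thread and is not VMware code: a simplified Python model that resolves one user's effective role along a single inventory chain and flags anything beyond read-only. The three rules in the header comment are assumptions of this model; the object names, group names and abbreviated privilege sets are constructed, and a VM's second parent hierarchy (VM folder versus host/cluster) is not modelled.

```python
# Added example: simplified model of vCenter permission resolution for one user.
# Assumed rules: (1) the nearest object in the chain with a matching permission
# wins, (2) a user entry beats group entries on the same object, (3) several
# group entries on the same object are unioned.
from dataclasses import dataclass

# Constructed, abbreviated privilege sets; real roles hold many more.
ROLES = {
    "ReadOnly": {"System.View", "System.Read"},
    "Administrator": {"System.View", "System.Read",
                      "VirtualMachine.Interact.PowerOn",
                      "VirtualMachine.Config.Settings"},
}

@dataclass(frozen=True)
class Permission:
    entity: str            # inventory object the permission is set on
    principal: str         # user or group name
    role: str
    propagate: bool = True

def effective_privileges(user, groups, path, permissions):
    """path is the chain from the root down to the target, e.g. [dc, cluster, vm]."""
    target = path[-1]
    for entity in reversed(path):                       # rule 1: nearest first
        here = [p for p in permissions if p.entity == entity
                and (entity == target or p.propagate)]
        direct = [p for p in here if p.principal == user]
        if direct:                                      # rule 2
            return set(ROLES[direct[0].role])
        grouped = [p for p in here if p.principal in groups]
        if grouped:                                     # rule 3
            return set().union(*(ROLES[p.role] for p in grouped))
    return set()

def exceeds_read_only(privileges):
    return bool(privileges - ROLES["ReadOnly"])

# Constructed inventory and principals, following the thread's "joe" scenario.
PATH = ["dc1", "cluster1", "new-vm"]
JOE_GROUPS = {"vm-readers", "vc-admins"}
GROUP_PERMS = [Permission("cluster1", "vm-readers", "ReadOnly"),
               Permission("cluster1", "vc-admins", "Administrator")]
USER_PERMS = GROUP_PERMS + [Permission("cluster1", "joe", "ReadOnly")]

if __name__ == "__main__":
    for name, perms in [("groups only", GROUP_PERMS), ("user entry added", USER_PERMS)]:
        privs = effective_privileges("joe", JOE_GROUPS, PATH, perms)
        print(f"{name}: exceeds read-only = {exceeds_read_only(privs)}")
```

Running the same check against an export of real permissions is a quick way to find accounts whose group memberships lift them above an intended read-only role.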