VMware Cloud Community
Fogel

ESX Host permission / templates

Hi there,

I'm currently implanting our lab infrastructure into Virtual Center, and I've got a problem when I want to deploy a template when using a lab admin account.

I've got 1 datacenter, holding 8 production servers and 1 lab server.

Here's what I did:

- Granted access to the ESX Lab server

- Granted access to the Template folder

Now, when getting in the VI3 Client, I can see the server fine and everything runs perfectly. When I try to deploy a template, I'm getting this message

Microsoft .NET Framework

An unhandled exception has occured in your application. ...

Permission to perform this operation was denied.

I've tried a few things, giving the admins full access to those folders/host without success. The only thing that worked and made the message disappear was to grant them read-only to Hosts and Clusters.

What I'd like is for my admins to see only their servers without seeing the whole production. I know it's just in read-only but I'd like to keep things simple.

Thanks in advance for all your answers.


Accepted Solutions
mbrkic

This whole permissions business is very granular, but rather finicky at times.

You need to add "Browse Datastore" permission at the data center level. You can check off the 'propagate' checkbox, so it does not apply it to everything underneath. This is crucial in order to not give read access to everything.

If you are using customization specifications then you will also need to add the read and/or modify customization specifications (under "virtual machine/provisioning") to the root folder of the Virtual Center ("Hosts and Clusters"). Once again, make sure you uncheck the propagate checkbox.
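
The two grants described in the answer above, scripted with VMware PowerCLI as an added example (not part of the original thread and not the poster's own code). The server, datacenter, group and role names are placeholders, and the privilege IDs are assumed to be the PowerCLI equivalents of the GUI labels in the answer.

```powershell
# Added example: assumes VMware PowerCLI is installed and the session
# has rights to create roles and permissions. All names are placeholders.
Connect-VIServer -Server 'vcenter.example.local'

$principal = 'LAB\lab-admins'                 # hypothetical lab admin group
$dc        = Get-Datacenter -Name 'DC01'      # hypothetical datacenter name
$root      = Get-Folder -NoRecursion          # top-level inventory folder

# Role that carries only the datastore browse privilege.
$browseRole = New-VIRole -Name 'Lab-BrowseDatastore' `
    -Privilege (Get-VIPrivilege -Id 'Datastore.Browse')

# Grant it on the datacenter WITHOUT propagation, so it does not become
# read access to every production object underneath.
New-VIPermission -Entity $dc -Principal $principal `
    -Role $browseRole -Propagate:$false

# Only needed when customization specifications are used:
# read access to the specs, granted on the root folder, again non-propagating.
$custRole = New-VIRole -Name 'Lab-ReadCustSpecs' `
    -Privilege (Get-VIPrivilege -Id 'VirtualMachine.Provisioning.ReadCustSpecs')

New-VIPermission -Entity $root -Principal $principal `
    -Role $custRole -Propagate:$false

# Check: list every grant held by the principal and mark the ones that
# propagate. Propagating grants should exist only on the lab host and
# the template folder, never on the datacenter or the root folder.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate |
    Sort-Object Propagate -Descending |
    Format-Table -AutoSize
```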

Fogel

Thank you.

That worked perfectly.

Fogel

Hey,

I've got another small problem with this case.

When I'm using my administrative account, I can deploy any template from the production to the laboratory.

When someone is using restrictive access (as defined in the previous posts), all the deployment dialogs go fine except I'm getting the message "Network copy failed for file. [local_02] xxxxx/xxxxx.nvram" right when the copy should start.

Now I know according to 100% of the posts with that message it would be a DNS issue but as I said, I have no problems doing it using my account.

Any idea what permission might be missing to make this work correctly?

Thanks in advance

Mario

Fogel

I used the same message since it explained pretty well all the details of the environment.

ZMkenzie

Did you give "browse datastore" permission to the user that is trying to deploy that template? If you still have trouble, try to give full access to that user and then remove permissions one by one and see what happens.
