VMware Cloud Community
bggb29
Expert

Group access to guests in a resource pool via browser

I have 2 groups granted access to different resource pools.

Using VI server for local authentication.

I have permissions and roles set up (even cloned the group).

Group A has no problem accessing hosts via web browser.

Group B cannot see any hosts in browser.

If I add a member from B to A, then they see group A hosts.

I have reviewed my configuration several times.

What is needed for a group to see the hosts in a resource pool via the browser?

Thanks

5 Replies
masaki
Virtuoso

Which roles for group a and b?

I think Virtual Machine rights (manage: start, stop, etc) are needed.

Compare the two groups to find.

hicksj
Virtuoso

Best practice-wise, it is not recommended that you grant console permissions to general groups of users. The problem being there are no controls on virtual consoles to restrict the number of connections. Any user can hijack another user's session and utilize their guest OS permissions.

This can become a problem with SOX, HIPAA, etc. compliance.

You should look at remote console utilities to provide this functionality if possible.

I'm hoping that someday there will be an option for VI Admins to "take over" another's console connection - but only after clicking in a dialog box - something that's reportable/auditable. Likewise, a general purpose user should not be allowed to access a console that is already in use (or the general user could submit a request to the current user who could in turn grant temp permissions for that user to view the console).

bggb29
Expert

The roles are exactly the same. I copied the role for group a and renamed it for group b.

So the permissions are identical.

They do have manage start and stop.

bggb29
Expert

We do encourage RDP as a console and VNC access.

We have been hoping with the VI3 that connecting their CDs remotely will eliminate most needs for console access.

With the exception of a power off/on and reset when a reboot does not work.

I agree that audit trails would be nice.

You can always terminate somebody's session to take control. Of course, that is only good until they log in again.

hicksj
Virtuoso

Are any users in group B in another group that is granted permissions elsewhere in Virtual Center? i.e. Did you grant "Everyone" read at the root or something similar?
