VMware Cloud Community
gheywood
Enthusiast

How to give users rights over a resource pool

Hello,

I would have thought this is fairly simple, but I would like to give people rights to manage all the VMs in a resource pool. If I do what seems logical and create a role (with all the permissions minus snapshots, which we won't give them) and then assign this to the resource pool, the user can manage the VMs to a degree, but cannot create any.

No problem, I can create another folder in the virtual machines and templates view, and grant the account rights over that folder. The user now has a folder to create VMs in.

The problem now is that they cannot assign an ISO to the VMs, which is pretty useless. I found this: "Cannot mount ISO files because Browse Datastore is disabled", but when I follow this, the users can then see ALL the VMs and hosts in the datacentre. I suppose I could do it at a lower level (the isoimages datastore), except that I cannot find any way of doing this.

What am I doing wrong here? Is there a way to get a user to have the rights to create, restart, modify VMs within a particular resource pool, without providing visibility of the entire infrastructure?

Thanks

0 Kudos
8 Replies
dnetz
Hot Shot

Hi,

I haven't tried this in my lab, but if you store your ISO images on a separate datastore, you should be able to assign certain users access to this datastore but not all of them, and hopefully the datastore browser will only let them browse the datastores to which you've given them access.

Hope it helps!

0 Kudos
gheywood
Enthusiast

Thanks for that. The problem is, there doesn't seem to be a way to apply permissions granularly to a specific datastore. It is all datastores, or nothing...

0 Kudos
AnatolyVilchins

Can you tell us what version of VC you are running?

Starwind Software Developer

www.starwindsoftware.com

Kind Regards, Anatoly Vilchinsky
0 Kudos
gheywood
Enthusiast

This VC is running on 2.5.0, build 64192.

0 Kudos
dnetz
Hot Shot

Sure you can. If you have permissions set at a higher-up level, just right-click the user/group in the permissions tab for that particular datastore, choose properties and change the user role to "no access". You'll get a warning that this will create a new permission and override the inherited one. Note, however, that restricting a user's access to a datastore only seems to limit their ability to see and browse it. They can still interact with VMs on that datastore if they have permissions to that VM.

I've set permissions on datastores to hide the local host datastores from regular users. I created a datastore folder and set the permissions there, so all I have to do to hide a datastore is to log in as administrator and drag it to that folder.

Edit: this is tested on vCenter 4.0 U1. I can't vouch for it working on vCenter 2.5, but it should.

Hope it helps!

0 Kudos
gheywood
Enthusiast

Thanks Dnetz. What you say sounds logical enough, but there is no "permissions" tab on any object on the datastore view, apart from the top datacenter object.

So it seems to be all or nothing..

We are migrating these to VC4 eventually, so perhaps we will have to live with it (or just not let the users of that resource pool change ISOs!) until then.

0 Kudos
dnetz
Hot Shot

I'm afraid I don't have access to any vCenter 2.5 installs anymore, but maybe someone else can verify?

0 Kudos
hicksj
Virtuoso

There are no granular datastore permissions as you describe in VC2.5.

0 Kudos
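The scoping discussed in this thread (operator role on the resource pool and VM folder, browse rights on the ISO datastore only, "no access" on a folder of hidden datastores), written in PowerCLI as an added example that is not part of any post above. It assumes vCenter 4.0 or later, since VC 2.5 has no per-datastore permissions as noted in the thread, an existing `Connect-VIServer` session, and hypothetical group, role and inventory names.

```powershell
# Added example. Every name below is a hypothetical placeholder.
$principal = 'EXAMPLE\pool-operators'                       # AD group for the pool's users
$pool      = Get-ResourcePool -Name 'TeamA-Pool'
$vmFolder  = Get-Folder -Name 'TeamA-VMs' -Type VM          # where the users create VMs
$isoStore  = Get-Datastore -Name 'isoimages'
$hiddenDs  = Get-Folder -Name 'Hidden-Datastores' -Type Datastore

# Custom role from the question: VM management privileges without snapshots.
# Assumed to exist already under this hypothetical name.
$operatorRole = Get-VIRole -Name 'PoolOperator'

# Minimal role that only allows browsing a datastore (needed to pick an ISO).
$browseRole = New-VIRole -Name 'IsoBrowse' `
    -Privilege (Get-VIPrivilege -Id 'Datastore.Browse')

# Manage and create VMs: resource pool plus the VM folder, inherited by children.
New-VIPermission -Entity $pool     -Principal $principal -Role $operatorRole -Propagate:$true
New-VIPermission -Entity $vmFolder -Principal $principal -Role $operatorRole -Propagate:$true

# Browse rights on the ISO datastore only, not on the datacenter.
New-VIPermission -Entity $isoStore -Principal $principal -Role $browseRole -Propagate:$false

# Datastores dragged into this folder become invisible to the group.
New-VIPermission -Entity $hiddenDs -Principal $principal `
    -Role (Get-VIRole -Name 'NoAccess') -Propagate:$true

# Check: list every grant for the group and flag any made at datacenter level,
# which is what exposes the whole inventory.
$grants = Get-VIPermission -Principal $principal
$grants | Select-Object Entity, Role, Propagate | Format-Table -AutoSize
$tooBroad = $grants | Where-Object { $_.EntityId -like 'Datacenter-*' }
if ($tooBroad) {
    Write-Warning "Datacenter-level permission found for $principal; review before use."
}
```

As dnetz's reply points out, "no access" on a datastore only stops users seeing and browsing it; access to VMs stored there is still governed by the permissions on those VMs.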