VMware Cloud Community
Valentini
Enthusiast
Enthusiast
Jump to solution

Issue using Customization Specification to deploy from a template.

I am having trouble deploying a VM from a template with the use of a Customization Specification File.

Can someone tell me what is causing this.?

I am using a Domain Account that has been granted the Administrator role at the datacenter level. The problem is that the option is not available for this user. It is available if I login with the account that was used to create the Virtual Center.

Any help is appreciated.

Reply
0 Kudos
1 Solution

Accepted Solutions
kjb007
Immortal
Immortal
Jump to solution

You can still do what you want. Just create a new role, that has only the two permissions required, read and modify customization, and do not propagate. Give the user that role at host & clusters. Unless you give the user any other permissions on any other objects, they will not see anything else. I just did this and I was not able to see anything, when the only permission I gave was at Hosts&Clusters with the customize role only. I did not even see a listing of datacenters. So, after that permission is applied, you will still have to give admin access for the other objects you allow the user to manage, but you will also have the ability with that user to create and modify customization specs.

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB

View solution in original post

Reply
0 Kudos
20 Replies
jjohnston1127
Hot Shot
Hot Shot
Jump to solution

Did you propogate the Administrator role for that user's domain account down to all objects in the datacenter?

Reply
0 Kudos
Valentini
Enthusiast
Enthusiast
Jump to solution

Yes, the permissions are propagating all the way down.

Reply
0 Kudos
jjohnston1127
Hot Shot
Hot Shot
Jump to solution

Interesting. And the template file itself shows the permission as inherited?

Try manually setting the Administrator permission on that template with that user's account and see if it works.

Reply
0 Kudos
Valentini
Enthusiast
Enthusiast
Jump to solution

Tried it, that did not have any affect. Any other thoughts. Does this work for you?

Reply
0 Kudos
ac57846
Hot Shot
Hot Shot
Jump to solution

I have seen this issue too, however as it was in a training course I simply had the students use the original administrator account.

The issue is that the user can deploy a VM from the template but can't see any existing customisation specifications.

My suspicion is that if the customisation spec is created before the user is granted rights then they don't see the specification. A way to test this would be for the original administrator to start a deploy & use the customisation spec as the defaults & then save the resulting customisation spec, hopefully the saved spec will be visible to the new user.

Alas I can't test this to confirm.

Al.

Reply
0 Kudos
kjb007
Immortal
Immortal
Jump to solution

Does that user have the ability to see create a new customization spec? I mean, can they see any definitions at all?

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Reply
0 Kudos
Valentini
Enthusiast
Enthusiast
Jump to solution

Nope, it is greyed out. Does this give you any ideas?

Reply
0 Kudos
kjb007
Immortal
Immortal
Jump to solution

Just further confirmation of the permision problem. If you go to the admin section of the vi client, and click the roles. You should be able to click the administrator role, and on the right hand side, it should show you who has that role and on what object. Make sure the account you want is listed in that view. You have to have access at the data center role in order to modify customization specs.

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Reply
0 Kudos
Valentini
Enthusiast
Enthusiast
Jump to solution

I am able to see this and it does reflect that the permission exists. Can you tell me whether or not I should have to apply permissions any place other than the Virtual Center Console?

Reply
0 Kudos
kjb007
Immortal
Immortal
Jump to solution

No, you should not, VC is the point from where the customization is applied.

Try these two tests,

  1. create a clone of the administrator role, and assign your ad account the new role and then login with that.

  2. create a new local ID and give the new ID the original administrator role, and see if you find a difference.

Hopefully one will succeed, and one will fail. Also, is your domain ID a member of any of the local server groups?

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Reply
0 Kudos
Valentini
Enthusiast
Enthusiast
Jump to solution

1. tried that the other day> no change in outcome

2. try a local account on the virtual center server? I think that is what you are saying, I will try this?

The domain account is a domain user only. Not a member of any local groups. So it is not being restricted at a different level.

Reply
0 Kudos
Valentini
Enthusiast
Enthusiast
Jump to solution

Nope that did not work either. The option is still greyed out.

Reply
0 Kudos
kjb007
Immortal
Immortal
Jump to solution

Ok, I was able to replicate your problem, and I misread the start of this thread. The permission you need has to start at the 'Hosts & Cluster' level. If you don't want to give permission at that level, you can create a new role that has read-only permission, but includes the customization modify and read permission at hosts&clusters, with no propagate. That gave me access to customization specs, while any kind of permssion anywhere else greyed it out.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Valentini
Enthusiast
Enthusiast
Jump to solution

Ok, so I should have also added that we would not like for individual users to see what other users have in their respective datacenters. Or the main datacenter. We have decided to segregate resources by DC. Each user will see the DC they are an administrator of as well as the Resource DC that has shared resources for each user to see. Do you know of a way to allow the customized spec and still restrict the users to see what they are administrators of? Very good answer though...

Reply
0 Kudos
kjb007
Immortal
Immortal
Jump to solution

You can still do what you want. Just create a new role, that has only the two permissions required, read and modify customization, and do not propagate. Give the user that role at host & clusters. Unless you give the user any other permissions on any other objects, they will not see anything else. I just did this and I was not able to see anything, when the only permission I gave was at Hosts&Clusters with the customize role only. I did not even see a listing of datacenters. So, after that permission is applied, you will still have to give admin access for the other objects you allow the user to manage, but you will also have the ability with that user to create and modify customization specs.

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Reply
0 Kudos
Valentini
Enthusiast
Enthusiast
Jump to solution

That is it. I was so used to propagating my permissions, because I needed to, that I did not restrict them at the topmost level. I new it had to be something stupid. Thank you for your assistance.

By the way what is your experience with ESX??? Also, have you performed an upgrade to Update 1 yet? If so, what have you experienced?

Reply
0 Kudos
kjb007
Immortal
Immortal
Jump to solution

I will be doing Update 1 upgrades in my lab either this weekend or next. With all the issues people have had, I'm glad I waited.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Reply
0 Kudos
Valentini
Enthusiast
Enthusiast
Jump to solution

What issue have you heard about?

Ed Valenciano

Global Technical Enablement - HP Software

303.886.1544 mobile | Ed.Valenciano@hp.com

3404 E Harmony Road | FTC06 | Fort Collins | CO 80528

www.hp.com/go/software

Reply
0 Kudos
kjb007
Immortal
Immortal
Jump to solution

There were issues with the ISOs and/or zip files that were posted, which were causing strange installation problems. They were resolved a day or two ago, and I have not heard any more issues since then. Still, always a good idea to backup before you update!!!

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Reply
0 Kudos