VMware Cloud Community
cpjones441
Contributor

One user granted multiple roles within VC is causing problems

Hi there,

I'm having difficulty with creating the right roles and assigning permissions within VC 4.0.

I am using AD groups and assigning them to roles within VC. This is all good; however, if I have users who are a part of two AD groups, and two roles, VC will grant that user the lesser permission. For example:

Two AD groups: DOMAIN\vSphere-Admin and DOMAIN\vSphere-Users

Two different roles: Administrator (built-in) and VM User (very limited VM related permissions)

In my AD, user joeadmin is a member of the DOMAIN\vSphere-Admin group. He has Administrator access to VC. This is good.

In my AD, user joeuser is a member of the DOMAIN\vSphere-Users group. He has VM User access to VC. This is good.

In my AD, user joeother is a member of both DOMAIN\vSphere-Admin and DOMAIN\vSphere-Users. He has VM User access to VC. This is bad. Whilst holding multiple roles, I would have thought that he would have Administrator access to VC, not the lesser permission.

Is this expected behaviour? If so, what are your suggestions to get around this? I have many instances where one user is a part of multiple groups and I'm not too keen on restructuring my whole AD to suit the way VC does its permissions.

Any advice would be greatly appreciated.

Regards,

Chris.
