Hi there,
I'm having difficulty with creating the right roles and assigning permissions within VC 4.0.
I am using AD groups and assigning them to roles within VC. This is all good, however if I have users who are a part of two AD groups, and two roles, VC will grant that user the lesser permission. For example:
Two AD groups: DOMAIN\vSphere-Admin and DOMAIN\vSphere-Users
Two different roles: Administrator (built-in) and VM User (very limited VM related permissions)
In my AD, user joeadmin is a member of the DOMAIN\vSphere-Admin group. He has Administrator access to VC. This is good.
In my AD, user joeuser is a member of the DOMAIN\vSphere-Users group. He has VM User access to VC. This is good.
In my AD, user joeother is a member of both DOMAIN\vSphere-Admin and DOMAIN\vSphere-Users. He has VM User access to VC. This is bad. Whilst holding multiple roles, I would have thought that he would have Administrator access to VC, not the lesser permission.
Is this expected behaviour? If so, what are your suggestions to get around this? I have many instances where one user is a part of multiple groups and I'm not too keen on restructuring my whole AD to suit the way VC does it's permissions.
Any advice would be greatly appreciated.
Regards,
Chris.