VMware Cloud Community
ducadk
Contributor

Permission question

Hi,

We have created a group that we have granted the permissions to power on/off and reset virtual machines at vCenter level (with the "Propagate" option checked). We have then created a folder in one of our clusters and removed the propagation to that folder; we have then removed the group's permission and added them with read-only permissions. But the group still has the option to power on/off/reset the virtual machines in that folder. Is this by design, or what are we missing?

We are running vCenter 4.1

Kind regards

Christoffer

6 Replies
jgaddi
VMware Employee

Can you clarify whether you created a folder under a cluster or under a datacenter? I don't believe you can create a folder under a cluster. Click on the VM that this group should not be able to power on and click the permission tab. What user/group do you see? Is the user that is part of this read-only group part of another group that might have more privileges?

ducadk
Contributor

Hi Jgaddi

Thanks for your reply - yes, it was a typo from my side; the folders are of course created on the datacenter level 🐵 The permissions are the same on the VMs as they are on the folder they are living in (if I compare the two permissions tabs).

Kind regards

Christoffer

jgaddi
VMware Employee

To answer your previous question, this is not by design. The fact that you can power on VMs despite giving read-only in the folder means the group/user is inheriting a role/permission with more privileges. Go to the roles section (Home -> Roles), click on the power-on role and the read-only role, and check. You can take a screenshot and I can have a look.

Joey

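The check suggested in the reply above (see which permissions apply to the VM and whether any of their roles carries power privileges) can also be scripted. This is an added example, not part of any post in the thread; it assumes VMware PowerCLI with an existing `Connect-VIServer` session, and `TestVM01` is a placeholder VM name.

```powershell
# Added example. Assumes VMware PowerCLI is loaded and Connect-VIServer has
# already been run against the vCenter. 'TestVM01' is a placeholder name.
$vmName = 'TestVM01'

# Privilege IDs behind the power on / power off / reset operations.
$powerPrivs = 'VirtualMachine.Interact.PowerOn',
              'VirtualMachine.Interact.PowerOff',
              'VirtualMachine.Interact.Reset'

$vm = Get-VM -Name $vmName

# List every permission returned for the VM. The DefinedOn column shows the
# object each permission is attached to, so a permission propagated from the
# vCenter root or the datacenter can be told apart from one set on the folder
# (assumption: Get-VIPermission also returns propagated permissions).
Get-VIPermission -Entity $vm |
    Select-Object Principal, IsGroup, Role, Propagate,
        @{ Name = 'DefinedOn'; Expression = { $_.Entity.Name } },
        @{ Name = 'PowerPrivileges'; Expression = {
            # Look up the role and keep only the power-related privileges.
            $role = Get-VIRole -Name $_.Role
            ($role.PrivilegeList |
                Where-Object { $powerPrivs -contains $_ }) -join ', '
        } } |
    Sort-Object Principal |
    Format-Table -AutoSize
```

Any row with a non-empty PowerPrivileges column names a principal and role that can still power-cycle the VM; group membership of the affected user has to be checked separately in the directory.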
ducadk
Contributor

Hi Joey,

I have created a small flash movie to show you the issue - I can't show you what has been checked in the "Read-only" role since it is a built-in role.

The client at the top is a "full blown" admin; the client at the bottom is a user with the role "GRIT.U.windows-only".

Hope it makes sense.

Kind regards

Christoffer

ducadk
Contributor

Hi,

Can I provide any other documentation to show what I'm struggling with?

/Christoffer

jgaddi
VMware Employee

Did a repro in my test lab. Somehow, if you put the permission in the VM & Templates view, the permissions do not take effect. If you do it from Hosts and Clusters, it works every time. I'll be doing some research on whether this is a bug and will get engineering to help out. In the meantime, the workaround is to do it in the H&C view (you don't have the flexibility of using folders, though).