VMware Cloud Community
Dave_Lusty
Contributor

Permissions in VC

Hi all, I have a little problem with permissions in Virtual Center which I think may be an issue with the way permissions are handled.

I have an Admin group which I want to have full access to everything so I added it to the root of Virtual Center.

I have a second group which should have access to a single folder full of VMs. They also need to be able to attach ISO files from a datastore to the VMs. In order to do this I need to give read only permissions to the datastores, which seems to mean giving permissions on the root of the cluster. Since I will have many groups I'd like to just give everyone permission to read the Datastores.

This is all fine, until you realise that Virtual Center applies the most restrictive permissions at any given level. If I give read only access to everyone, then everyone loses access to the whole cluster and I have to remove myself from domain users to recover!

Is there an easier way of doing this that I'm unaware of, or should I request further permission enhancements for ESX5?

Thanks all

Dave

weinstein5
Immortal

Remember, roles assigned to the same object are cumulative. So if you give everyone read-only access to the datastore, then add the admin group and give them admin privilege, anyone in the admin group will have full access to that datastore. The rule goes like this: when two groups or users are assigned permissions at the same object in the inventory, the permissions given are a union of the two. But remember, in the case of a user and a group permission assigned to the same object, the user will take precedence, and permissions that are applied to an object take precedence over inherited permissions.

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
Texiwill
Leadership

Hello,

Moved to the VI: VirtualCenter 2.x forum.

If you have a least restrictive role above you and it was inherited, it wins. So I generally just set the roles on the folders I am concerned about and not above those folders.
Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Dave_Lusty
Contributor

Unfortunately the datastores are in the root of the cluster, so there is no way to do this.

Dave_Lusty
Contributor

I assure you this is not the way it works. Try adding domain users to the cluster as read only and see what access you get 🐵

hicksj
Virtuoso

Yeah... don't do that. The posts above are not super clear... check out any past post by me with the word "permissions" in it.

Anyway - you should NEVER use your default/global built-in groups like that in VC. You should have role-based groups that are specific to VC, and make sure that your Admin users are NOT members of any subordinate groups like that, or yes, those Admins will have their legs chopped off. Note, this could be desirable in some situations - within VC or not!!

To recap some of my previous statements: Roles can UNION, but ONLY when added via groups to the SAME object. Least restrictive is NOT how things work; PROXIMITY determines what role "wins."
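As an added illustration (not code from this thread or from VMware), the precedence rules the replies describe, modelled in Python over a constructed inventory: the nearest object holding an applicable entry wins, an explicit user entry on that object beats group entries, and group entries on the same object are unioned. Object, group and role names are assumptions; the three scenario functions reproduce Dave's lock-out, the same-object union, and hicksj's VC-specific-group fix.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Perm:
    principal: str          # user or group name
    role: str               # constructed role names: Administrator, ReadOnly
    is_group: bool
    propagate: bool = True  # whether the entry flows down to child objects

# Constructed inventory: object -> parent (None marks the vCenter root).
PARENT = {"vc-root": None, "cluster1": "vc-root", "datastore1": "cluster1",
          "VM-Folder-A": "cluster1", "vm1": "VM-Folder-A"}

def effective_roles(perms, obj, user, groups):
    """Walk from obj towards the root. The nearest object that holds an entry
    applying to the user decides (proximity); on that object an explicit user
    entry beats group entries, otherwise all matching group roles are unioned."""
    node, depth = obj, 0
    while node is not None:
        here = [p for p in perms.get(node, []) if depth == 0 or p.propagate]
        direct = [p for p in here if not p.is_group and p.principal == user]
        if direct:
            return {direct[0].role}
        via_groups = {p.role for p in here if p.is_group and p.principal in groups}
        if via_groups:
            return via_groups
        node, depth = PARENT[node], depth + 1   # nothing applies: inherit from parent
    return set()

def dave_scenario():
    """Admins at the root, Domain Users read-only on the cluster. An admin who is
    also a domain user gets only ReadOnly below the cluster: the closer entry wins."""
    perms = {"vc-root": [Perm("VC-Admins", "Administrator", True)],
             "cluster1": [Perm("Domain Users", "ReadOnly", True)]}
    return effective_roles(perms, "vm1", "alice", {"VC-Admins", "Domain Users"})

def union_scenario():
    """Re-adding the admin group on the cluster itself puts both group entries on
    the same object, so the roles union and admin rights return."""
    perms = {"vc-root": [Perm("VC-Admins", "Administrator", True)],
             "cluster1": [Perm("Domain Users", "ReadOnly", True),
                          Perm("VC-Admins", "Administrator", True)]}
    return effective_roles(perms, "vm1", "alice", {"VC-Admins", "Domain Users"})

def fixed_scenario():
    """hicksj's advice: a VC-specific reader group that admins are not members of,
    so nothing on the cluster applies to alice and the root entry is inherited."""
    perms = {"vc-root": [Perm("VC-Admins", "Administrator", True)],
             "cluster1": [Perm("VC-DatastoreReaders", "ReadOnly", True)]}
    return effective_roles(perms, "vm1", "alice", {"VC-Admins", "Domain Users"})
```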