Hi all, I have a little problem with permissions in Virtual Center which I think may be an issue with the way permissions are handled.
I have an Admin group which I want to have full access to everything so I added it to the root of Virtual Center.
I have a second group which should have access to a single folder full of VMs. They also need to be able to attach ISO files from a datastore to the VMs. In order to do this I need to give read only permissions to the datastores, which seems to mean giving permissions on the root of the cluster. Since I will have many groups I'd like to just give everyone permission to read the Datastores.
This is all fine, until you realise that Virtual Center applies the most restrictive permissions at any given level. If I give read only access to everyone, then everyone loses access to the whole cluster and I have to remove myself from domain users to recover!
Is there an easier way of doing this that I'm unaware of, or should I request further permission enhancements for ESX5?
Thanks all
Dave
Remember, roles assigned to the same object are cumulative, so if you give everyone read-only access to the datastore, then add the admin group and give them admin privilege, anyone in the admin group will have full access to that datastore. The rule goes like this: when two groups or users are assigned permissions at the same object in the inventory, the permissions given are a union of the two. But remember, in the case of a user and a group permission assigned to the same object, the user will take precedence, and permissions that are applied to an object take precedence over inherited permissions.
Hello,
Moved to the VI: VirtualCenter 2.x forum.
If you have a least restrictive role above you and it was inherited, it wins. So I generally just set the roles on the folders I am concerned about and not above those folders.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
unfortunately the datastores are in the root of the cluster, so there is no way to do this.
I assure you this is not the way it works. try adding domain users to the cluster as read only and see what access you get 🐵
Yeah... don't do that. The posts above are not super clear... check out any past post by me with the word "permissions" in it.
Anyway - you should NEVER use your default/global built-in groups like that in VC. You should have role-based groups that are specific to VC, and make sure that your Admin users are NOT members of any subordinate groups like that, or yes, those Admins will have their legs chopped off. Note, this could be desirable in some situations - within VC or not!!
To recap some of my previous statements: Roles can UNION, but ONLY when added via groups to the SAME object. Least restrictive is NOT how things work; PROXIMITY determines what role "wins."
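The two rule statements in this thread (the reply saying roles on the same object are cumulative, with user over group and explicit over inherited, and the recap that proximity decides) are easy to get wrong in your head, so here is a small simulator of them applied to the poster's own layout. This is an added example, not code from the thread or from VMware: the inventory tree, the group names (VC-Admins, Domain Users, VM-Team), the users and the privilege strings are all constructed for illustration, and the function is a hypothetical model of the precedence rules as described above, not the VirtualCenter implementation.

```python
"""Hypothetical model of VirtualCenter permission precedence as described in
the thread. Inventory, principals, roles and privilege names are constructed
for illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    principal: str         # user or group name
    is_group: bool
    privileges: frozenset  # privileges granted by the assigned role


# Illustrative roles; the privilege strings are placeholders, not a full VC role list.
READ_ONLY = frozenset({"System.View", "System.Read"})
VM_OPERATOR = READ_ONLY | frozenset({
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Config.CDROM",
    "Datastore.Browse",
})
ADMIN = VM_OPERATOR | frozenset({"Global.Settings", "Host.Config", "Permissions.Modify"})

# Constructed inventory, child -> parent. The datastore hangs off the cluster,
# which is what forced the poster to grant read-only at the cluster level.
INVENTORY = {
    "Datacenter": "root",
    "Cluster": "Datacenter",
    "VM Folder": "Cluster",
    "iso-datastore": "Cluster",
    "vm01": "VM Folder",
}


def ancestry(obj):
    """Yield obj, then each parent up to and including root."""
    while True:
        yield obj
        if obj == "root":
            return
        obj = INVENTORY[obj]


def effective_privileges(obj, user, groups, permissions):
    """Rules from the thread, applied in order:
    1. proximity: the nearest object (walking upward) that assigns anything
       to this user or one of their groups decides; nothing above it matters;
    2. on that object, a direct user assignment beats any group assignment;
    3. otherwise the group assignments on that object are unioned."""
    for node in ancestry(obj):
        here = [a for a in permissions.get(node, ())
                if (a.is_group and a.principal in groups)
                or (not a.is_group and a.principal == user)]
        if not here:
            continue
        direct = [a for a in here if not a.is_group]
        if direct:
            return direct[0].privileges
        return frozenset().union(*(a.privileges for a in here))
    return frozenset()  # no permission anywhere: no access


def scenario(admin_also_on_cluster=False):
    """The poster's layout: admins at root, everyone read-only at the cluster,
    a VM team on one folder. Optionally re-add the admin group at the cluster,
    which is the fix the 'roles are cumulative' reply describes."""
    perms = {
        "root": [Assignment("VC-Admins", True, ADMIN)],
        "Cluster": [Assignment("Domain Users", True, READ_ONLY)],
        "VM Folder": [Assignment("VM-Team", True, VM_OPERATOR)],
        "vm01": [Assignment("VM-Team", True, VM_OPERATOR),
                 Assignment("bob", False, READ_ONLY)],  # direct user grant
    }
    if admin_also_on_cluster:
        perms["Cluster"].append(Assignment("VC-Admins", True, ADMIN))
    return perms


DAVE = ("dave", {"VC-Admins", "Domain Users"})  # admin who is also in Domain Users
BOB = ("bob", {"VM-Team", "Domain Users"})


if __name__ == "__main__":
    for label, perms in (("as posted", scenario()), ("admins re-added at Cluster", scenario(True))):
        print(label)
        for obj in ("Datacenter", "Cluster", "iso-datastore", "VM Folder", "vm01"):
            print(f"  dave @ {obj:14} {sorted(effective_privileges(obj, *DAVE, perms))}")
            print(f"  bob  @ {obj:14} {sorted(effective_privileges(obj, *BOB, perms))}")
```

Run as posted, dave drops to READ_ONLY at the Cluster and everything under it, because the Domain Users grant on the Cluster is closer than the VC-Admins grant at root; that is the "legs chopped off" effect, and the model never consults a least-restrictive rule. Re-adding VC-Admins at the Cluster restores full access through the union on the same object. bob gets VM_OPERATOR on the folder (explicit beats the inherited read-only), READ_ONLY on the datastore (nothing closer than the Cluster grant), and READ_ONLY on vm01 even though his group is an operator there, because his direct user assignment on that object wins.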