VMware Cloud Community
dec0077
Contributor

Privileges with user in multiple groups

Hi all,

I'm having a problem regarding privileges on a farm at my workplace. The problem is this: my user is part of a group (authenticated against an Active Directory domain) that has the role of Administrator for the entire farm. However, on a specific folder, another group (of which I'm also a member, same AD domain) is set up with the role of Virtual Machine User.

The result is that the privilege level I have on the folder is not that of an administrator, but the one of a simple user (so the lowest level possible).

Is there a way to change this behaviour, maybe with a configuration setting? It's not possible to have my username removed from the second group; I have to find another way.

Please help me solve this.

Best regards,

Alberto M.


Accepted Solutions
virtualinstall
Enthusiast

I found this information pertaining to vCenter 4.1...

Multiple Permission Settings

If multiple group permissions are defined on the same object and the user belongs to two or more of those groups, two situations are possible:

  • If no permission is defined for the user on that object, the user is assigned the set of privileges assigned to the groups for that object.
  • If a permission is defined for the user on that object, the user's permission takes precedence over all group permissions.

I have just tested this against vCenter 5.1 and get the expected behaviour as above...

daniel is an AD account in the ESX Admins group in AD assigned to the Administrator role in vCenter.  daniel is also assigned to the ESX Read-Only AD group.  If I create a new folder in vCenter "folder1" and assign "ESX Read-Only" read-only permissions to this folder, the daniel account has read-only access as expected.  The permissions set on the child object folder1 override inherited permissions.

Leaving the above permissions in place, where daniel is a member of an Administrator (inherited) and a Read-Only (child object) group on folder1, the more specific permissions on the child object take precedence. If I add a permission for the user daniel as Administrator on folder1, daniel now has Administrator permissions on this folder. The user-defined permissions on the object take precedence over all the group permissions.

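The precedence rules quoted in the accepted answer, written as a small Python model that reproduces the folder1 test. This is an added example, not VMware's code or the poster's: role contents are constructed, every permission is assumed to propagate, and `effective_privileges` and `audit_user_permissions` are hypothetical helper names.

```python
# Simplified model of the precedence rules quoted in the thread; not vCenter code.
# Role contents, group names and the inventory path are constructed for illustration.
ROLES = {
    "Administrator": {"read", "interact", "configure", "delete"},
    "VirtualMachineUser": {"read", "interact"},
    "ReadOnly": {"read"},
}

def effective_privileges(user, groups, path, permissions):
    """Return (privileges, source) for `user` on the last object in `path`.

    path        -- inventory objects from root to target, e.g. ["root", "folder1"]
    permissions -- list of (object, principal, role); all assumed to propagate
    """
    # Walk from the target up to the root: the closest object that carries
    # a permission for this user or one of their groups wins.
    for obj in reversed(path):
        here = [(p, r) for (o, p, r) in permissions if o == obj]
        user_roles = [r for (p, r) in here if p == user]
        if user_roles:
            # A permission for the user overrides all group permissions on the object.
            return set(ROLES[user_roles[0]]), f"user permission on {obj}"
        group_roles = [r for (p, r) in here if p in groups]
        if group_roles:
            # Several matching groups on the same object: union of privileges.
            privs = set().union(*(ROLES[r] for r in group_roles))
            return privs, f"group permission(s) on {obj}"
    return set(), "no permission"

def audit_user_permissions(permissions, group_names):
    """List per-user permissions, which are easy to forget once group roles change."""
    return [(o, p, r) for (o, p, r) in permissions if p not in group_names]

GROUPS = {"ESX Admins", "ESX Read-Only"}
perms = [("root", "ESX Admins", "Administrator"),
         ("folder1", "ESX Read-Only", "ReadOnly")]

if __name__ == "__main__":
    path = ["root", "folder1"]
    print(effective_privileges("daniel", GROUPS, path, perms))
    perms_fixed = perms + [("folder1", "daniel", "Administrator")]
    print(effective_privileges("daniel", GROUPS, path, perms_fixed))
    print(audit_user_permissions(perms_fixed, GROUPS))
```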
4 Replies
virtualinstall
Enthusiast

"Permissions defined for a child object always override the permissions that are propagated from parent objects." Is it possible to be granted Administrator permissions for that folder for your specific account, rather than relying on your permissions being inherited? I would have thought that would work.

dec0077
Contributor

Hi,

Even if I define my user as Administrator on the folder, I still get the lower privileges. I also cannot elevate the second group to Administrator level, because the other users in it must not be administrators on the farm (or even just on the folder).

Regards,

Alberto M.

dec0077
Contributor

Thank you, that did it!

Now I hope nobody will say anything about having a specific user permission defined for the folder... but until then... :)

Again, thank you.

Best Regards,

Alberto M.
