VMware Cloud Community
andi303
Contributor

Problem with admin rights

Hello all,

I have the following problem:

I've defined a "Virtual Machine User" role on a specific VM. This role is granted to a group in my Active Directory. I am the admin of the vCenter Server AND a member of this user group. So, when I'm accessing this VM, I only gain the (lower) rights of this group. On all other VMs which are not connected with an AD group, I gain normal admin rights.

Is there any solution for this? Some option like "always grant higher rights"?

Thanks in advance,

Andreas

5 Replies
davver
Enthusiast

Hi,

You always gain the lowest rights.

But when you have admin rights, why do you need to be part of the group with lower rights if you need higher rights?

grtz.

Regards, Davy
andi303
Contributor

Hi,

I'm only admin for the vCenter Server machine, not the AD...

davver
Enthusiast

I think you have to work with the local groups of your vCenter Server. Not with AD groups.

Regards, Davy
andi303
Contributor

Yes, that's my current workaround. I'm using the local sysadmin account for administrative tasks in vCenter Server. However, it's not the best solution.

Thanks for your help,

Andreas

hicksj
Virtuoso

I believe there is a solution... As you are aware, the effective permissions are determined by proximity. In this case, you have an assignment at the VM which is overriding your admin privileges that trickle down to the object.

However, multiple group assignments directly on an object are a union if the user is a member of both groups. So, all you need to do is assign your administrator group privileges directly (replacing the inherited rights that are already listed) at the VM. Then you will receive the combined set of permissions.

Note: Only group assignments are unioned. Assignments made directly to users will override any group assignments - so, another option would be to assign yourself admin privs directly at the VM... but, I would stick to groups whenever possible.

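The resolution rules described in the last reply, modelled as an added example that is not part of the thread and is not VMware code. The inventory path, principal names, and privilege names are constructed, and every assignment is assumed to propagate to child objects.

```python
# Simplified model of the permission rules stated in this thread.
# Constructed inventory path, from the root down to the VM.
PATH = ["datacenter", "cluster", "vm-01"]

# Constructed role contents (privilege names are illustrative only).
ROLES = {
    "Administrator": {"power", "console", "reconfigure", "delete"},
    "Virtual Machine User": {"power", "console"},
}

def effective_privileges(user, groups, assignments, path=PATH):
    """assignments: list of (object, kind, principal, role); kind is 'user' or 'group'."""
    # Proximity: walk from the object itself up towards the root and stop at
    # the first object that carries any assignment matching this user.
    for obj in reversed(path):
        here = [a for a in assignments if a[0] == obj]
        direct = [r for _, kind, who, r in here if kind == "user" and who == user]
        if direct:
            # A direct user assignment overrides group assignments on the same object.
            return set().union(*(ROLES[r] for r in direct))
        via_group = [r for _, kind, who, r in here if kind == "group" and who in groups]
        if via_group:
            # Several matching groups on the same object: union of their roles.
            return set().union(*(ROLES[r] for r in via_group))
    return set()  # no matching assignment anywhere on the path

USER, GROUPS = "andreas", {"vc-admins", "vm-users"}  # constructed names
INHERITED = [("datacenter", "group", "vc-admins", "Administrator")]
VM_GROUP = [("vm-01", "group", "vm-users", "Virtual Machine User")]

def scenarios():
    # 1. The reported problem: the VM-level group assignment hides the inherited admin role.
    problem = effective_privileges(USER, GROUPS, INHERITED + VM_GROUP)
    # 2. Suggested fix: also assign the admin group directly at the VM.
    group_fix = effective_privileges(
        USER, GROUPS, INHERITED + VM_GROUP + [("vm-01", "group", "vc-admins", "Administrator")])
    # 3. Alternative: assign the user directly at the VM.
    user_fix = effective_privileges(
        USER, GROUPS, INHERITED + VM_GROUP + [("vm-01", "user", USER, "Administrator")])
    return problem, group_fix, user_fix

if __name__ == "__main__":
    for name, privs in zip(("problem", "group fix", "user fix"), scenarios()):
        print(f"{name:10} -> {sorted(privs)}")
```

The same function can be used to review object-level grants: any assignment placed on a VM replaces what the matching principal would otherwise inherit, which can lower privileges as in the first scenario or raise them.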