VMware Cloud Community
sfortuna74
Contributor

User role does not apply properly

Hello -

I have an issue that has me completely stumped - and it is as follows. Within our vCenter folder structure, we have a folder that is dedicated to one application team. I have created a role that will allow that team to create and manage VMs, and the role is applied to the user accounts of four people.

When three of the team members log in with the vSphere client, they see all folders in vCenter and are able to perform job functions in line with the configured permissions - as designed.  When the "fourth" user logs in with the vSphere client, he sees only the folder which he has access to, and is not able to perform all administrative functions associated with the role - one being he is not able to enumerate datastores when attempting to add a disk.
What's more confusing is that I added his "non administrative" account to the role, had him log in to the vSphere client with those credentials - but the same problem appears - he sees only one folder, and cannot perform all the functions associated with the role.
I am completely exasperated, and would be extraordinarily thankful if anyone could provide some help.

Thanks so much in advance -

Steve

6 Replies
MindTheGreg
Enthusiast

The final permissions that are applied are the most restrictive. Check the other security groups that he is a part of and I'll bet he is a member of a group with less privileges. I'd make a test account and put it in all the same groups and see if you have the same problem. What's different about that one guys account as compared to the other 3?

Good luck!

Set-Annotation -CustomAttribute "The Impossible" -Value "Done and that makes us mighty"
sfortuna74
Contributor

Thanks for the feedback - I have checked on this - and he is not part of any groups with restrictive permissions. We do not have any permissions set up for "deny" access anywhere in our vCenter, and I've also looked at his "Member Of" in Active Directory... nothing there stands out. But your logic does make sense and I will re-check my work.

MindTheGreg
Enthusiast

Found the KB:

vSphere Client options are disabled for users with full administrative rights to vCenter Server

http://kb.vmware.com/kb/1019457

You may already know this, but it's not like active directory where you get all the permissions added together unless there is a deny. Instead you get a subtraction.

If these are my permissions:

User/Group    Role            Defined In
Username      Administrator   something
Username      User            something

I will be a user and not an administrator.

Set-Annotation -CustomAttribute "The Impossible" -Value "Done and that makes us mighty"
hicksj
Virtuoso

The key here is propagation and where permissions are actually assigned.

If you assign a role with limited permissions for a user at an object, it will override whatever permission for that user that propagated from its parent. Similarly, if you assign a role with greater privileges at a child object, that role will win. The KB article and so many posts before this have been poorly worded. It's not "most restrictive wins," it's "proximity wins."

Furthermore, if you assign two different roles to the same user at the same object, the effective rights will be a union.  The only assignment that always wins is a deny.  However, (sticking with assignments to the same object), if one assignment is made via group and the other assignment is made to a user account (which is a member of that group), the effective permissions are those from the role assigned directly to the user account.

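A small Python model of the resolution rules hicksj describes above (proximity wins, a direct user assignment beats a group assignment on the same object, several applicable roles are unioned, No Access always wins). This is an added illustration, not VMware's code or anything posted in this thread; the inventory, principals and privilege names are constructed for the example, and the scenario mirrors the original post: the team role is granted to a group at the datacenter, but one user also has a narrower role assigned directly on the application folder.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# A role is a set of privilege names; None stands for the "No Access" role (a deny).
Role = Optional[FrozenSet[str]]

@dataclass(frozen=True)
class Permission:
    principal: str          # user or group the role is assigned to
    role: Role
    propagate: bool = True  # the "Propagate to children" setting

class Inventory:
    """Constructed vCenter-style object tree with a permission list per object."""
    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}
        self.perms: Dict[str, List[Permission]] = {}

    def add(self, obj: str, parent: Optional[str] = None) -> None:
        self.parent[obj] = parent
        self.perms.setdefault(obj, [])

    def grant(self, obj: str, perm: Permission) -> None:
        self.perms[obj].append(perm)

def effective_privileges(inv: Inventory, obj: str, user: str, groups: Set[str]) -> Set[str]:
    """Walk from obj toward the root; the nearest object with an assignment for the
    user decides (proximity, not 'most restrictive'). At that object a direct user
    assignment beats group assignments, roles are unioned, and No Access wins."""
    node: Optional[str] = obj
    at_target = True  # non-propagating permissions only count on the object itself
    while node is not None:
        candidates = [p for p in inv.perms[node] if at_target or p.propagate]
        direct = [p for p in candidates if p.principal == user]
        via_group = [p for p in candidates if p.principal in groups]
        chosen = direct or via_group
        if chosen:
            if any(p.role is None for p in chosen):
                return set()
            return set().union(*(p.role for p in chosen))
        node, at_target = inv.parent[node], False
    return set()

# Constructed roles; privilege names are illustrative vSphere privilege IDs.
VM_ROLE = frozenset({"VirtualMachine.Inventory.Create", "Datastore.Browse", "Datastore.AllocateSpace"})
READ_ONLY = frozenset({"System.Read"})

def build_scenario() -> Inventory:
    inv = Inventory()
    inv.add("Datacenter")
    inv.add("AppFolder", parent="Datacenter")
    inv.add("web01", parent="AppFolder")
    inv.grant("Datacenter", Permission("AppTeam", VM_ROLE))      # team role, propagates
    inv.grant("AppFolder", Permission("fourth", READ_ONLY))      # direct, narrower, nearer
    return inv
```

With this inventory, a member of AppTeam gets the full team role on web01, while the user with the direct Read-Only assignment on AppFolder gets only System.Read there, even though they belong to the same group.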
MindTheGreg
Enthusiast

Thank you for clearing that up! I learned something.

Set-Annotation -CustomAttribute "The Impossible" -Value "Done and that makes us mighty"
hicksj
Virtuoso

I just posted feedback to the KB article you listed... I'm curious if I'll get a response, and I hope they adjust it. (Assuming I'm correct.) The article is somewhat correct, but only if you read that document strictly concerning "Admin rights at root getting overridden at a child object" - other than that, I believe it is misleading when applied to other scenarios.

Edit: Sorry to the OP, I'm not sure any of my above comments actually help them though. So let's try to get to the bottom of this...

I guess the question to start is, are the role assignments being made to Groups or directly to Users?  If Groups, is the user a member of another group where you've assigned permissions at a child object?  Have you made the appropriate assignments for that user in both the Hosts & Clusters view as well as the VMs & Templates view?  (for example, for a user to successfully create VMs, they must have create privs at a Folder object, not just at a resource pool.)
