I created a new folder for a group of developers and gave them the "Virtual Machine Administrator" role (VC 2.01).
They seem to be able to do evertyhing they need to but one....
We have our ISO's on an NFS share which is available as a datastore in ESX. When one of the developers tries to edit the location of the ISO, the "Browse" button is greyed out and they can not do so.
It looks like the Virtual Administrator Role has all permissions except the three in the "Permissions" section which I don't beleive are relevant here.
I couldn't find any permisions on the datastores themselves. Does anyone know what permission I am missing and how to find it? Thanks!
If the priveliges seem Ok might it be an issue of where[/b] the role is given? The datastore object owns the hardware resources, could you try applying the role there to see if it makes a difference.
If it does then you might need to create a custom role for datastore access to apply to the datacenter in addition to the what you have right now.
>you might need to create a custom role for datastore access to apply to >the datacenter in addition to the what you have right now.
I tried this and then I created a new user who had no rights and they could see ALL the VM's. Granted they had no rights to access them, but I don't like that ALL VM's were visible.
Just to be clear I granted only the "Browse Datastore" permission at the Datacenter level.
There must be a way to grant browse to the datastore (for ISO's for example) without having to make every single VM visible?
Also I just noticed that doing this will force the most restrictive permission.
So for example, by doing this...all the other permissions (Virtual Machine Administrator) that were applied below the Datacenter level, were trumped and revoked!
What if you apply those rights from the datastore inventory view.
That's exactly where I applied them.
It wouldn't let me add permissions to a specific datastore, so I used the Datacenter object in the Datastore view.
I tried this and then I created a new user who had no
rights and they could see ALL the VM's. Granted they
had no rights to access them, but I don't like that
ALL VM's were visible.
You need to uncheck the Propogate option.
I have a similar issue. Give a user full administrator access to a cluster and they will be able to do everything but the datastores don't even show in VC. If I click on an ESX server, nothing appears under datastores. Similar to the original post, I don't want to give access to datastores at a higher level because I don't want them to see all of the other VMs (even if read only) that are out there. I take it this is not possible? While not the worst thing in the world, it helps that they can see the free space of the datastores from VC before creating a new VM or if they need to search for an ISO.
Norb,
The ONLY way to grant access to the datastores is to have valid permissions at the Data Center level. As long as you uncheck propagate, your users will not see all other VM's under your hosts & clusters. They'll only see those you've previously granted permissions to see.
Note: Granting Read-Only does not provide sufficient permissions to browse the datastore to find an ISO. For that, you need to grant the Browse Datastore permission. With Read-Only, users can mount ISOs, they just need to know the exact path to enter.
Regards,
J