Hey everyone,
We recently upgraded to VCSA 6.7 and everything is working great except for the custom permissions I had set up.
Originally, our setup was that globally, no one besides admins had access from the top-level and that propagated to all children. I would then assign an individual resource pool role to a specified user/group which had full permissions to create/edit/delete/snapshot/etc VMs and all worked perfectly. Users would sign in and only see their individually-assigned pools. This worked because, as VMware states, the permissions hierarchy says that child objects override parent objects every time.
After upgrading to 6.7, that no longer works. The same setup results in users, despite having the ability to create a new VM in their respective pools, having no access on the server/datacenter/datastore/etc.
While the latter makes more sense (if I don't have permissions to access the datacenter my pool resides on, why should I be able to create a VM on it), it makes it impossible to limit people's view of the entire infrastructure. I've been able to somewhat mimic the former permissions by painstakingly going through and assigning permissions on a per-level basis (no inheritance, all manually), but there's got to be a better way!
So....I've got it working, but it wasn't easy. I can no longer set all these permissions at just the base level of the Resource Pool; I had to do this to get the same effect:
I had to individually assign permissions to the user like this:
vCenter:
    Datacenter: - Don't Propagate to Children
        Permissions Granted:
            Datacenter:
                Reconfigure Datacenter
        Resource Pool: - Do Propagate to Children
            Permissions Granted:
                All your necessary Create VM, Assign Network, etc. permissions.
Storage:
    Datastore: - Don't Propagate to Children
        Permissions Granted:
            Datastore:
                Allocate Space
                Browse Datastore
    Folder: - Don't Propagate to Children
        Permissions Granted:
            Host:
                Local Operations:
                    Create Virtual Machine
                    Delete Virtual Machine
                    Reconfigure Virtual Machine
Network:
    DSwitch:
        Port Group: - Don't Propagate to Children
            Permissions Granted:
                Network:
                    Assign Network
Now, I've got 4 new Roles instead of 1:
    Base Datacenter Permissions
    Base Datastore Permissions
    Base Folder Permissions
    Base Network Permissions
These have to be assigned PER USER/GROUP at each respective level. It works, but it's definitely not as easy as previously, where I could just set a single Role to have all the above permissions and apply it on a single Resource Pool.
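The per-level setup described in the post, written up as a PowerCLI script so the four "Base ..." roles and the non-propagating grants can be repeated for each tenant group instead of clicked through by hand. This is an added example, not the poster's own script; the object names, the group name, the folder name and the name of the existing pool role are placeholders, and it assumes Connect-VIServer has already been run.

```powershell
# Added example: reproduce the post's four roles plus per-level assignment with PowerCLI.
# Placeholders (change for your environment): group, object names, existing pool role.
$principal  = 'EXAMPLE\vm-owners'          # placeholder AD group that owns the pool
$dcName     = 'DC01'                       # placeholder datacenter
$dsName     = 'DS01'                       # placeholder datastore
$folderName = 'Tenant-Folder'              # placeholder folder (see post: Folder level)
$pgName     = 'PG-Tenant'                  # placeholder distributed port group
$poolName   = 'Pool-Tenant'                # placeholder resource pool
$poolRole   = 'Pool Owner'                 # placeholder: your existing Create VM/Assign Network role

# Role name -> privilege IDs, matching the privilege categories listed in the post.
$roles = @{
  'Base Datacenter Permissions' = @('Datacenter.Reconfigure')
  'Base Datastore Permissions'  = @('Datastore.AllocateSpace', 'Datastore.Browse')
  'Base Folder Permissions'     = @('Host.Local.CreateVM', 'Host.Local.DeleteVM', 'Host.Local.ReconfigVM')
  'Base Network Permissions'    = @('Network.Assign')
}

# Create each role once; skip it if an earlier run already created it.
foreach ($name in $roles.Keys) {
  if (-not (Get-VIRole -Name $name -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $name -Privilege (Get-VIPrivilege -Id $roles[$name]) | Out-Null
  }
}

# Grant one role on one inventory object with an explicit propagation flag.
function Grant-ScopedRole($Entity, [string]$RoleName, [bool]$Propagate) {
  New-VIPermission -Entity $Entity -Principal $principal `
                   -Role (Get-VIRole -Name $RoleName) -Propagate:$Propagate | Out-Null
}

# Non-propagating grants at every level above the pool; the pool itself propagates,
# so the group only sees and manages what lives inside its own pool.
Grant-ScopedRole (Get-Datacenter  -Name $dcName)     'Base Datacenter Permissions' $false
Grant-ScopedRole (Get-Datastore   -Name $dsName)     'Base Datastore Permissions'  $false
Grant-ScopedRole (Get-Folder      -Name $folderName) 'Base Folder Permissions'     $false
Grant-ScopedRole (Get-VDPortgroup -Name $pgName)     'Base Network Permissions'    $false
Grant-ScopedRole (Get-ResourcePool -Name $poolName)  $poolRole                     $true

# Audit step: review what the group ended up with and that only the pool grant propagates.
Get-VIPermission -Principal $principal |
  Select-Object Entity, Role, Propagate | Format-Table -AutoSize
```

Run the audit query on its own after any manual change in the client, since a stray propagating grant at the datacenter or datastore level is exactly what re-exposes the rest of the inventory.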
Moderator: Moved to vCenter Server