VMware Cloud Community
Gidrakos
Hot Shot

VCSA 6.7 Individual Resource Pool Permissions No Longer Work

Hey everyone,

We recently upgraded to VCSA 6.7 and everything is working great except for the custom permissions I had set up.

Originally, our setup was that globally, no one besides admins had access from the top-level and that propagated to all children. I would then assign an individual resource pool role to a specified user/group which had full permissions to create/edit/delete/snapshot/etc VMs and all worked perfectly. Users would sign in and only see their individually-assigned pools. This worked because, as VMware states, the permissions hierarchy says that child objects override parent objects every time.

Upgrade to 6.7 and that no longer works. The same setup results in users having no access to the server/datacenter/datastore/etc., despite having the ability to create a new VM in their respective pools.

While the latter makes more sense (if I don't have permissions to access the datacenter my pool resides on, why should I be able to create a VM on it), it makes it impossible to limit people's view of the entire infrastructure. I've been able to somewhat mimic the former permissions by painstakingly going through and assigning permissions on a per-level basis (no inheritance, all manually), but there's got to be a better way!

1 Solution

Accepted Solutions
Gidrakos
Hot Shot

So... I've got it working, but it wasn't easy. I can no longer set all these permissions at just the base level of the Resource Pool; I had to do this to get the same effect:

I had to individually assign permissions to the user like this:

vCenter:
     Datacenter: Don't Propagate to Children
          Permissions Granted:
          Datacenter:
               Reconfigure Datacenter
          Resource Pool: Do Propagate to Children
               Permissions Granted:
               All your necessary Create VM, Assign Network, etc. permissions.
     Storage:
          Datastore:
               Permissions Granted:
               Datastore: Don't Propagate to Children
                    Allocate Space
                    Browse Datastore
     Folder: Don't Propagate to Children
          Permissions Granted:
          Host:
               Local Operations
                    Create Virtual Machine
                    Delete Virtual Machine
                    Reconfigure Virtual Machine
     Network:
          DSwitch:
               Port Group: Don't Propagate to Children
                    Permissions Granted:
                    Network
                         Assign Network

Now, I've got 4 new Roles instead of 1:

     Base Datacenter Permissions
     Base Datastore Permissions
     Base Folder Permissions
     Base Network Permissions

These have to be assigned PER USER/GROUP at each respective level. It works, but it's definitely not as easy as previously, when I could just set a single Role to have all the above permissions and apply it on a single Resource Pool.

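The same set of assignments, scripted with PowerCLI so it can be repeated per tenant instead of clicked through for each one. This is an added example and not part of Gidrakos's post. The vCenter name, the principal, the object names, the use of the datacenter's "host" folder as the folder that carries the Host privileges, and the name of the existing resource-pool role are all assumptions; the privilege IDs are the standard vSphere IDs for the privileges named in the post, and the script looks each one up with Get-VIPrivilege so an ID that does not exist on your vCenter stops it before any role is created.

```powershell
# Added example, not code from the original post.
# Recreates the four non-propagating "Base ..." roles from the post plus the
# propagating resource-pool role, assigns them to one principal, and lists
# the result so it can be checked against the intended layout.
# Assumed values (not in the post): server, principal, object names, pool role name.

Connect-VIServer -Server 'vcsa.example.internal'

$principal  = 'VSPHERE.LOCAL\pool-tenants'   # assumed group
$dcName     = 'Datacenter01'                 # assumed object names follow
$poolName   = 'Tenant-A-Pool'
$dsName     = 'Datastore01'
$hostFolder = 'host'                         # the datacenter's host folder (assumption)
$pgName     = 'Tenant-A-PG'
$poolRole   = 'Tenant Resource Pool'         # assumed name of the existing pool role

# Privilege sets for the four roles named in the post, keyed by role name.
# IDs are the standard vSphere privilege IDs; Get-VIPrivilege validates them.
$roleSpec = [ordered]@{
    'Base Datacenter Permissions' = @('Datacenter.Reconfigure')
    'Base Datastore Permissions'  = @('Datastore.AllocateSpace', 'Datastore.Browse')
    'Base Folder Permissions'     = @('Host.Local.CreateVM', 'Host.Local.DeleteVM', 'Host.Local.ReconfigVM')
    'Base Network Permissions'    = @('Network.Assign')
}

foreach ($roleName in $roleSpec.Keys) {
    # -ErrorAction Stop: an unknown privilege ID aborts before anything is created.
    $privs = Get-VIPrivilege -Id $roleSpec[$roleName] -ErrorAction Stop
    if (-not (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue)) {
        New-VIRole -Name $roleName -Privilege $privs | Out-Null
    }
}

$dc = Get-Datacenter -Name $dcName

# One permission per level. Only the resource pool propagates; everything
# else is a single non-inherited grant, exactly as in the post.
$assignments = @(
    @{ Entity = $dc;                                            Role = 'Base Datacenter Permissions'; Propagate = $false },
    @{ Entity = Get-Datastore   -Name $dsName;                  Role = 'Base Datastore Permissions';  Propagate = $false },
    @{ Entity = Get-Folder      -Name $hostFolder -Location $dc; Role = 'Base Folder Permissions';     Propagate = $false },
    @{ Entity = Get-VDPortgroup -Name $pgName;                  Role = 'Base Network Permissions';    Propagate = $false },
    @{ Entity = Get-ResourcePool -Name $poolName;               Role = $poolRole;                     Propagate = $true  }
)

foreach ($a in $assignments) {
    New-VIPermission -Entity $a.Entity -Principal $principal -Role $a.Role -Propagate $a.Propagate | Out-Null
}

# Verification: the principal should hold exactly these five grants and nothing
# at the vCenter root, otherwise they regain a view of the whole inventory.
Get-VIPermission -Principal $principal |
    Select-Object @{ n = 'Entity'; e = { $_.Entity.Name } }, Role, Propagate |
    Format-Table -AutoSize
```

The final Get-VIPermission listing is the part worth keeping around: the intent in this thread is that the user sees only their own pool, so any extra entry, in particular one on the vCenter root or the datacenter with Propagate set to True, means the scoping has leaked. Running that query again after the next upgrade is a cheap way to notice if the required layout shifts the way it did between 6.5 and 6.7 for the original poster.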
2 Replies
scott28tt
VMware Employee


Moderator: Moved to vCenter Server

Although I am a VMware employee, I contribute to VMware Communities voluntarily (i.e. not in any official capacity).