VMware Cloud Community
Named_Jason
Contributor

Virtual Center Permissions - Clone but not Create

Hello everyone - I need to create a custom role in Virtual Center that has the ability to clone existing VMs but cannot create new ones from scratch (I don't want these users to be able to select which networks their machines are on, so I plan on giving them one template on each network that they should have access to and restricting their ability to change a machine's network).

Does anyone know what set of rights I should assign in order to accomplish this? I've got my role pretty drilled down, but am running into a roadblock. I've found that there seem to be 2 permissions associated with creating a new VM - unfortunately, they both seem to be necessary when cloning a VM as well.

Resource -> Assign VM to Resource Pool

Virtual Machine -> Inventory -> Create

My stumbling block is that these two permissions allow the creation of new VMs, but they are also needed (along with several others) in order to clone an existing VM.

For the record, I've been assigning this role on both a resource pool and a VM folder (on the Virtual Machines and Templates view). Any help or wisdom would be greatly appreciated.

Accepted Solution
hicksj
Virtuoso

You should check out the section "Example: Allowing Template Deployment to a Resource Pool" in Managing VMware Virtual Center Roles & Permissions (pg. 8, http://www.vmware.com/pdf/vi3_vc_roles.pdf)

Replies
Named_Jason
Contributor

Thank you very much for linking me to that document - it had exactly the information that I needed.

Named_Jason
Contributor

Unfortunately, there were some subtle options that allowed the restricted user account to still create new VMs.

I've assigned permissions as detailed in that section of the document and it is very close. When I log in as my test user, I have no right-click option to create a new VM. Unfortunately, the option to create a new VM is still there on the Summary tab of the Resource Pool, and the option is available from the Virtual Machines & Templates view, should I right-click on the containing folder. Anyone else have any ideas?

hicksj
Virtuoso

Yes, I see your frustration.

I also have a bit more specific problem with this setup...

Folks assigning this role to a Cluster (which is just a large resource pool) must have propagate checked, or they cannot complete a VM creation, period.

So with prop enabled, any users associated with the role can see all the VMs in that Cluster, not just their own. Providing the "VM > Interaction" as suggested at the Cluster allows that user then to interact with systems outside their "own" folder.

But you're using Resource Pools, so this isn't a problem. (The above is just a note to others considering this, but who are only using Clusters.)

One question I have for you...

These scratch VMs that a user could create, how would they then go about setting up an operating system and actually doing anything? If you don't allow them to have access to VMFS/NFS ISO datastores (read only permissions at the Data Center instead of Browse Datastore), they shouldn't be able to do too much. Just create empty VMs, right? (They can't use client mounted CDs during boot to load an OS.)

About the only problem would be creating so many bogus VMs that they fill the datastore. But they could do that with legitimate VMs too.

hicksj
Virtuoso

FYI, this problem was resolved in VC 2.0.2.

Previously, Virtual Machine -> Configuration -> Add New Disk privilege was required to perform "Clone" and "Deploy from Template" operations. This is no longer the case. You cannot create a VM from scratch without the "Add New Disk" priv.

I will be covering this (and a few other role configurations) in depth during session IP33 @ VMworld next week.

mddy
Contributor

I don't think the role uses are documented clearly yet. I have found that you need to grant Read-Only (non prop) rights to the Data Center to allow this, and at the host object, the role must have 'Resource - assign to resource pool' (whether you are using RPs or not) in addition to Host - create vm and the appropriate VM rights.

Hopefully in the next iteration of Virtual Center the roles will mature and be better defined.

keviob
Contributor

OK, I've done some testing and this is what I've found.

To deploy from template, the bare minimum is:

- Datastore - Allocate, Browse
- Resource - Assign virtual machine to resource pool
- VM Inventory - Create from existing
- VM Provision - Deploy template

To clone, just change "Deploy template" to "Clone".

But you might need to add some functionality in Interaction and Configuration depending on your requirements.

Hope this helps?

Kevio

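The privilege list above, turned into a PowerCLI script, as an added example that is not part of the thread and not VMware's own documentation. It creates a clone-only role from the posted privilege set, assigns it on a resource pool with propagation (per hicksj's note that propagation is needed to complete the operation), grants the built-in ReadOnly role at the datacenter without propagation (per mddy's and hicksj's posts), and then audits every role for the privileges that allow building a VM from scratch. Assumptions: PowerCLI is installed and `Connect-VIServer` has already been run; the role name, AD group, resource pool and datacenter names are placeholders; the privilege IDs are the ones I expect to correspond to the labels in the post on a current vCenter and should be checked against `Get-VIPrivilege` on your own version, since the thread predates these identifiers.

```powershell
# Added example (not from the thread or VMware): clone-only role in PowerCLI.
# Assumes Connect-VIServer has already been run; names below are placeholders.

# Privilege IDs assumed to match the labels keviob listed:
#   Datastore > Allocate space / Browse, Resource > Assign VM to resource pool,
#   VM > Inventory > Create from existing, VM > Provisioning > Deploy template / Clone.
$cloneOnlyPrivilegeIds = @(
    'Datastore.AllocateSpace',
    'Datastore.Browse',
    'Resource.AssignVMToPool',
    'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.Clone'
)

# Privileges that, per hicksj's follow-up, let a user build a VM from scratch
# once "Add New Disk" is no longer needed for cloning (VC 2.0.2 and later).
# A clone-only role must carry neither of them.
$scratchCreatePrivilegeIds = @(
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Config.AddNewDisk'
)

$roleName  = 'CloneFromTemplateOnly'   # placeholder role name
$principal = 'CORP\vm-cloners'         # placeholder AD group
$poolName  = 'Dev-Pool'                # placeholder resource pool
$dcName    = 'Datacenter01'            # placeholder datacenter

# Build the role from the privilege objects resolved by ID.
$privileges = Get-VIPrivilege -Id $cloneOnlyPrivilegeIds
$role = New-VIRole -Name $roleName -Privilege $privileges

# Assign on the resource pool with propagation so the clone can complete and
# the cloned VM inherits the permission.
$pool = Get-ResourcePool -Name $poolName
New-VIPermission -Entity $pool -Principal $principal -Role $role -Propagate:$true | Out-Null

# Read-only at the datacenter, non-propagating, so the inventory tree is
# visible without granting datastore browsing or access to other pools.
$dc = Get-Datacenter -Name $dcName
New-VIPermission -Entity $dc -Principal $principal -Role (Get-VIRole -Name 'ReadOnly') -Propagate:$false | Out-Null

# Audit: report every role that still carries a scratch-creation privilege.
# Run this after any role change; the new role should not appear in the output.
$report = foreach ($r in Get-VIRole) {
    $found = @($r.PrivilegeList | Where-Object { $scratchCreatePrivilegeIds -contains $_ })
    if ($found.Count -gt 0) {
        [pscustomobject]@{
            Role                    = $r.Name
            ScratchCreatePrivileges = ($found -join ', ')
        }
    }
}
$report | Format-Table -AutoSize
```

The audit is the part worth keeping around: the thread shows that the clone/create boundary moved between vCenter releases, so a role that was clone-only when it was written can silently become create-capable after an upgrade, and a periodic check of `PrivilegeList` against the two scratch-creation IDs catches that drift.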