VMware Cloud Community
vrinda
Contributor

Virtual center permissions

Hi,

I have installed Virtual center 2.5 managing 2 ESX servers.

I want to know what the different permissions available for this virtual center are and how I create them.

Can I get permissions similar to those we configure for ESX servers?

By default in Virtual center 2.5, there is only one user named "administrators" who is a member of hosts and clusters.

If I try to add administrator, guest users and give read only permissions, I am not able to view/modify the properties of any of the ESX servers and virtual machines.

This forced me to uninstall and re-install the virtual center and sql server database all over again.

Can you please let me know how to assign proper permissions to this virtual center without disturbing the default administrator access?

Thanks.


Accepted Solutions
hicksj
Virtuoso

A nice summary of managing permissions in VC can be found in the following technical paper:

For additional help with the relations of the various objects in VC, see the diagram posted in this thread: http://communities.vmware.com/message/886845

weinstein5
Immortal

You have greater flexibility with the permissions in VC over ESX - the users/groups in VC are either local, from the local users and groups on the Windows box you installed, or from AD if the server is a member server of your domain - by default the local administrators group is granted administrator access to your VC environment - so as long as your login name is part of that group you will have administrator access - when adding permissions you will need to make sure they propagate - check out page 261 of

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
yawasare1969
Contributor

Hello,

Is it possible to give a user full access to one ESX server in a datacenter but no access to the other server in the datacenter? If this is possible what role is applicable? Thanks.

Yaw

yawasare1969
Contributor

Hello,

Please ignore my previous post, I found a solution for my environment.

Yaw

weinstein5
Immortal

Yes it is - A couple of ways of doing this - First off you need to decide what type of role you want to grant to the user and pair the user with the role to the host - or create a group with users and then to remove access set the user to no access, because applying permission to a user takes precedence over group permissions -

yawasare1969
Contributor

Thanks. What I did do was move one server to a new datacenter. I couldn't figure out how to give users complete access to one server in a datacenter while users had no access to the other server. The problem I kept having was when I gave the users full access to one server on the ESX server level they could not create new VMs since datastore access was on the datacenter level. If I wanted, how could I implement the latter?

Yaw

kjb007
Immortal

They need read-only access at the datacenter level, and make sure to turn off propagate. As long as they can see the datastore, and they have access at the host level, you should be good to go.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
yawasare1969
Contributor

Hello KjB,

I tested out what you suggested, by giving read-only access at the datacenter level (non-propagated) and administrator access at the ESX host level (propagated) on an account. With this account it does not allow me to create VMs. Am I missing something?

yaw

kjb007
Immortal

Are you creating the vm inside of a resource pool? Is the server part of a cluster? I would add the permission on the resource pool or folder you want the user to have access to.

-KjB

yawasare1969
Contributor

No KjB, there's no resource pool and the two ESX hosts are not in a cluster, just in the same datacenter. To be as specific as possible, I right-clicked on the datacenter, added permissions as read-only (non-propagate) and right-clicked on the ESX host, added permissions as administrator (propagate) for the one user account, per your instructions above. Perhaps I'm executing something incorrectly?

yaw

kjb007
Immortal

Ok, when you view the permission at the host level, do you see the correct role for the user you just added, and does the 'defined in' section state this object?

-KjB

yawasare1969
Contributor

Yes, I see 'Administrator', which is what I want for the role on the host object, and it shows 'this object' under defined in.

yaw

hicksj
Virtuoso

It is likely that your problem is the user doesn't have permissions to "store" that VM in any folders. You need to provide permissions to both the resource under "Host & Clusters" and folder in "Virtual Machines & Templates" (again, see the diagram linked in my original response)

Regards,

J

kjb007
Immortal

I agree with hicksj. Go to the folder under the virtual machines & templates view, and make sure the permission for the user on the folder you want to store in has the same "administrator" role shown. Otherwise, add the correct permission there as well. This is my one big complaint about VC permissions, and I've had to come up with complex permission sets, especially when users exist in multiple groups.

-KjB

yawasare1969
Contributor

My thanks to kjb007 & hicksj for your help.

yaw

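
The permission rules discussed in this thread (propagation, a per-user entry overriding a group entry, and needing a role on both the host and the VM folder), as an added Python model that is not part of the original posts and is not VMware code. The inventory names, the `vm-admins` group, the three-role ranking and the "strongest group role wins" rule are assumptions made for illustration.

```python
# Simplified model of the rules stated in this thread; not VMware code.
# Inventory names (DC1, esx1, esx2, vm-folder) and accounts are constructed.
PARENT = {"esx1": "DC1", "esx2": "DC1", "vm-folder": "DC1", "DC1": None}
RANK = {"NoAccess": 0, "ReadOnly": 1, "Administrator": 2}
GROUPS = {"yaw": {"vm-admins"}}  # hypothetical group membership

def effective_role(perms, user, entity):
    """perms: list of (entity, principal, role, propagate) tuples."""
    node, is_self = entity, True
    while node is not None:
        # On the object itself every permission counts; on ancestors
        # only those with propagate switched on reach down.
        here = [p for p in perms if p[0] == node and (is_self or p[3])]
        direct = [p[2] for p in here if p[1] == user]
        if direct:                      # user entry beats group entries
            return direct[0]
        via_group = [p[2] for p in here if p[1] in GROUPS.get(user, ())]
        if via_group:                   # model assumption: strongest role
            return max(via_group, key=RANK.get)
        node, is_self = PARENT[node], False
    return "NoAccess"

def can_create_vm(perms, user, host, folder, datacenter="DC1"):
    """Needs to see the datacenter and administer host AND VM folder."""
    return (RANK[effective_role(perms, user, datacenter)] >= RANK["ReadOnly"]
            and effective_role(perms, user, host) == "Administrator"
            and effective_role(perms, user, folder) == "Administrator")

# The setup yaw describes: read-only on the datacenter (no propagate),
# Administrator on one host (propagate).
YAW_SETUP = [("DC1", "yaw", "ReadOnly", False),
             ("esx1", "yaw", "Administrator", True)]
# The fix hicksj and kjb007 suggest: same role on the VM folder too.
FIXED = YAW_SETUP + [("vm-folder", "yaw", "Administrator", True)]
# weinstein5's point: a per-user entry overrides the group's role.
GROUP_DENY = [("DC1", "vm-admins", "Administrator", True),
              ("esx2", "yaw", "NoAccess", True)]

if __name__ == "__main__":
    print(can_create_vm(YAW_SETUP, "yaw", "esx1", "vm-folder"))
    print(can_create_vm(FIXED, "yaw", "esx1", "vm-folder"))
    print(effective_role(GROUP_DENY, "yaw", "esx2"))
```

Running the same check against an export of the real permission list is a quick way to audit that a host-scoped administrator has not picked up rights on neighbouring hosts through a propagating datacenter entry.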