Enthusiast

What permissions are needed to deploy from OVA/OVF

Our environment is vCenter 4.1 U1 and ESXi 4.1 U1. We have a multi-tenant Lab environment where users are isolated with separate Resource Pools and separate VM, Storage, and Network folders. The users are administrators to all of these.

They want to be able to deploy OVA/OVF templates but, they get this error (attached image) at this point. I'd like to know the minimum permissions required to allow this without exposing other tenants resources.

Accepted Solutions

Virtuoso

I attempted to re-create your environment in my lab. I assigned "administrator" privileges to a test user within a resource pool, network folder, VM folder, and disk folder. I then imported the OVF for CapacityIQ without any issues.

To troubleshoot further, I deleted access to the resource pool and could no longer select a host. I then restored that and removed access to the network folder, and got a specific error stating that I had no rights to a network to assign the OVF to.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators

16 Replies
VMware Employee

You can find some information in the vSphere admin guide (page 225: Required Privileges for Common Tasks).

I don't know if it's enough for you... but with administrator privileges I know you won't have that problem.

Enthusiast

Thanks but I have looked at that. vCenter permissions are pretty nice but the ability to isolate users in a production environment can be cumbersome and incomplete in some cases. That's why I only do it in the Lab.

I am looking for the specific minimum permissions for OVF/OVA deployment, the levels to apply them to and whether propagation is necessary. The other requirement is the permissions can't allow visibility to other tenant resources.

VMware Employee

Set this permission on one specific host, so that it does not propagate.

Enthusiast

Didn't understand what you were saying in your last post.

VMware Employee

Don't use a permission in vCenter with "Propagate" to all. You can set this "Common Tasks" permission on a specific host of your cluster.

How? Access your environment, click on the specific host where the OVA will be deployed, go to the Permissions tab > Add Permission > clear the check box "Propagate to child objects" to restrict what the user will see.

OK?

Enthusiast

I understand how permissions work. As I said, I already have a fully functioning lab with many users completely isolated from each other.

I'm sorry if I'm not being clear but, what I need are the actual permissions that control OVF/OVA deploy tasks; that is all I need. I have looked and tried a couple but, I haven't found an example in the "Common Tasks" section that applies here.

VMware Employee

If you have already exported the OVF, just click on the OVF and give permission to the virtual machine. If this OVF uses a plugin, that way the user will have full administration of the VM, but not of the plugin.

Also read this guide, maybe it helps: http://www.vmware.com/vmtn/resources/826

Enthusiast

Sorry, you're just not getting it. I appreciate your assistance but, you need to read this whole thread carefully from the beginning. I can't explain it any clearer. Look at the image I attached.

Enthusiast

It may be at Host level where permissions are lacking. I don't assign any permissions at the Host level. Users have Read at the cluster level (without propagation). However, I suspect I removed Host permissions because it gave visibility to other tenants' resource pools and VMs.

You can see from the image I attached to the original post that I was attempting to choose the Cluster to deploy to. I'll look on my end but, see if you can reproduce my error by removing Host-specific permissions for the user. Note: I also give them Read Only at the DC level (no propagate).

Thanks for taking the time to re-create this.

Enthusiast

I did add Read Only (no propagate) to each Host and was able to deploy the OVF/OVA without issue.

I do remember now why I removed Host permissions. First, it wasn't adding anything I could see at the time but, more importantly, originally when trying to determine whether vCenter permissions were sufficient for appropriate isolation, I was impressed to see that even certain log files at the Data Center and Cluster levels were filtered and hidden depending on permissions granted at the various other levels. Unfortunately, certain tasks/logs are visible to all regardless of permissions. So ultimately users are seeing logs and tasks for other tenants.

In this case, once Read Only is added to the Host level, additional tasks/logs are made visible at Data Center and Cluster levels. Also, now there is the addition of another set of tasks/logs visible at the Host level.

I recall some additional isolation deficiencies around Template Customization Specifications which could be problematic. Certainly the current level of isolation will be sufficient for most and it is certainly better than a lot of multi-tenant applications out there however, for very strict separation it is not 100% possible with current releases.

Please post if I'm mistaken and you have eliminated some or all of these exceptions in your environments.

Virtuoso

vmproteau wrote:

In this case, once Read Only is added to the Host level, additional task/logs are made visible at Data Center and Cluster levels. Also, now there is the addition of another set of tasks/logs visible at the Host level.

I recall some additional isolation deficiencies around Template Customization Specifications which could be problematic. Certainly the current level of isolation will be sufficient for most and it is certainly better than a lot of multi-tenant applications out there however, for very strict separation it is not 100% possible with current releases.

Please post if I'm mistaken and you have eliminated some or all of these exceptions in your environments.

The new logs at the DC/Cluster level should only reflect objects the user can see on objects deeper down in the tree. This is a really nice feature of the client. :)

I'm most comfortable with the VMware Lab Manager product, as I think it is designed to do what you are trying to do. The vSphere client is mostly geared towards delegation to other parts of the business (in my opinion) rather than giving access or control to clients.

Enthusiast

Chris Wahl wrote:

The new logs at the DC/Cluster level should only reflect objects the user can see on objects deeper down in the tree. This is a really nice feature of the client. :)

Generally this is the case but, certain tasks show up exposing VM names and user names etc.

I'm most comfortable with the VMware Lab Manager product, as I think it is designed to do what you are trying to do. The vSphere client is mostly geared towards delegation to other parts of the business (in my opinion) rather than giving access or control to clients.

I'll need to take a look at Lab Manager just to see what that looks like for a multi-tenant Lab. A little bit of overkill for our current environment but, we'll see. We'll probably end up with vCloud Director or similar for self-service provisioning in our production environment.

Thanks for the assistance Chris.

Contributor

You may have already solved this issue, but I had a similar problem. The specific permission required at the Datacenter level is under vApp "Import"; I also selected "View OVF Environment". I use tiered permissions: one at the Datacenter level with limited options and the other uses Resource Pool Admin which starts at the cluster level. Anyway, thought I would throw my two cents in there if anyone was still looking for the specific permission.

Contributor

I had the same challenge delegating OVA/OVF permissions. We try to use Folders and Resource Pools as points of delegation.

Two missing items I gathered from the article:

Datacenter level = vApp "Import" and "View OVF Environment"

The others I found in testing:

Resource Pool (or cluster) = vApp "Import" and Virtual machine > Configuration "Add new disk"

VM Folder = vApp "Export" and "Import"

I thought I'd pass it on in case it helped someone else.

Contributor

I just encountered this issue. I provided permissions to an AD Group on a folder. However, they needed to be added to the Datastores and Networking as well. Once this was done for those hosts/folders they could deploy.

Ryan
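
The posts above, taken together, describe a concrete least-privilege layout: vApp "Import" and "View OVF Environment" at the Datacenter, vApp "Import" plus "Add new disk" on the resource pool, vApp "Import"/"Export" on the VM folder, access to the tenant's datastores and networks, and Read-Only on each host, all without propagation. The PowerCLI script below is an added example that builds that layout and then lists what the principal actually ends up holding; it is not code from anyone in this thread. All object names (vc.lab.example, LAB\tenant-a, LabDC, LabCluster, Tenant-A, Tenant-A-VMs, Tenant-A-Storage, Tenant-A-Networks) are hypothetical. The privilege IDs are the vSphere API identifiers behind the UI labels the posts use; Datastore.AllocateSpace and Network.Assign are my mapping of the "Datastores and Networking" access the last post mentions, since the thread does not name those privileges.

```powershell
# Added example, not code from the thread. Builds least-privilege OVF/OVA
# deployment grants with Propagate off everywhere, then lists what the
# principal holds so nothing is silently propagating into other tenants.
#
# Hypothetical names: vCenter vc.lab.example, AD group LAB\tenant-a, datacenter
# LabDC, cluster LabCluster, resource pool Tenant-A, VM folder Tenant-A-VMs,
# datastore folder Tenant-A-Storage, network folder Tenant-A-Networks.
# Privilege IDs behind the UI labels used in the thread:
#   vApp > Import                                  = vApp.Import
#   vApp > View OVF Environment                    = vApp.ExtractOvfEnvironment
#   vApp > Export                                  = vApp.Export
#   Virtual machine > Configuration > Add new disk = VirtualMachine.Config.AddNewDisk
# Datastore.AllocateSpace and Network.Assign are an assumed mapping of the
# "Datastores and Networking" access mentioned in the last post.

Connect-VIServer -Server 'vc.lab.example' | Out-Null

$principal = 'LAB\tenant-a'
$dc      = Get-Datacenter   -Name 'LabDC'
$cluster = Get-Cluster      -Name 'LabCluster'        -Location $dc
$pool    = Get-ResourcePool -Name 'Tenant-A'          -Location $cluster
$vmFld   = Get-Folder       -Name 'Tenant-A-VMs'      -Location $dc
$dsFld   = Get-Folder       -Name 'Tenant-A-Storage'  -Location $dc
$netFld  = Get-Folder       -Name 'Tenant-A-Networks' -Location $dc

# One small role per scope so each grant carries only what that object needs.
# vCenter adds System.Anonymous/System.View/System.Read to every role itself.
$roles = @{
    'OVF-Deploy-Datacenter'   = @('vApp.Import', 'vApp.ExtractOvfEnvironment')
    'OVF-Deploy-ResourcePool' = @('vApp.Import', 'VirtualMachine.Config.AddNewDisk')
    'OVF-Deploy-VMFolder'     = @('vApp.Import', 'vApp.Export')
    'OVF-Deploy-Datastore'    = @('Datastore.AllocateSpace')
    'OVF-Deploy-Network'      = @('Network.Assign')
}

foreach ($name in $roles.Keys) {
    if (-not (Get-VIRole -Name $name -ErrorAction SilentlyContinue)) {
        New-VIRole -Name $name -Privilege (Get-VIPrivilege -Id $roles[$name]) | Out-Null
    }
}

# Bind each role at its scope. -Propagate:$false is the isolation control:
# the grant must not flow down into sibling tenants' child objects.
$bindings = @(
    @{ Entity = $dc;     Role = 'OVF-Deploy-Datacenter'   },
    @{ Entity = $pool;   Role = 'OVF-Deploy-ResourcePool' },
    @{ Entity = $vmFld;  Role = 'OVF-Deploy-VMFolder'     },
    @{ Entity = $dsFld;  Role = 'OVF-Deploy-Datastore'    },
    @{ Entity = $netFld; Role = 'OVF-Deploy-Network'      }
)
foreach ($b in $bindings) {
    New-VIPermission -Entity $b.Entity -Principal $principal -Role $b.Role -Propagate:$false | Out-Null
}

# Per the thread, the deploy wizard also needs Read-Only on each host for the
# host/cluster selection step to work; again without propagation.
Get-VMHost -Location $cluster | ForEach-Object {
    New-VIPermission -Entity $_ -Principal $principal -Role 'ReadOnly' -Propagate:$false | Out-Null
}

# Verify: every grant this principal holds, with propagating ones listed first.
Get-VIPermission -Principal $principal |
    Select-Object @{ N = 'Entity'; E = { $_.Entity.Name } }, Role, Propagate |
    Sort-Object Propagate -Descending |
    Format-Table -AutoSize
```

The final listing is the check worth running after any change: a single row with Propagate = True on the Datacenter or Cluster is what leaks other tenants' resource pools and VMs into the user's view, which is exactly the symptom the original poster was trying to avoid. Note that, as discussed above, the Read-Only host grants do make additional task and event entries visible at the Datacenter and Cluster levels; the script cannot change that behaviour of the client.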
