I have a subset of admins to take care of specific VMs. The role created to give them access to the VM allows them to power off and power on the VMs. However, if we are doing some maintenance in the cluster and set the DRS to Manual and one of those admins tries to power on a VM, they do not get the expected "Host Recommendations for VMNAME" popup window where they can select the host to power the VM on. In fact, they do not get anything - not even an error.
What permission(s) do I need to add to the role to allow them to select a host to power on the VM? I tried 'Resource -> Apply recommendation,' but that didn't help.
On a related note, has anyone put together a detailed list of what actions require what permissions? VMware has fallen down hard, when it comes to documenting this. It was bad enough when they weren't documented in vCenter Server 2.5. It got worse with vCenter Server 4.0. And it's no better with vCenter Server 5.
I mean, someone in VMware had to define these permissions in the first place. Can't they simply just document what they are limiting? Hello? VMware? Really??
-Jeff
AFAIK only in 5.0U1 this bug is fixed. But i'm not sure.
http://www.vmware.com/support/vsphere5/doc/vsp_vc50_u1_rel_notes.html
Glad i found this topic.
We are experiencing the same issue with vCenter 5.0 U2 - Build 913577 (Link).
i created a folder under "VMs and Templates" and added a security group with the role "Administrator". People in this group cannot power on VMs. i tried this with a single account as well. Same thing. An event is created, but that's all there is. No DRS Popup.
Funny thing is: Users from a different security group which has the role "Administrator" in the highest hierarchy get the popup and can power on VMs.
Edit: just did some more testing. If i set permissions on the folder, no popup appears, if i set permissions on the VM itself, no popup appears. Setting the permission on the whole cluster on the other hand seems to work.
Edit2: Found another thread with the same issue: click.
Anyone else experiencing this? Any ideas?
Message was edited by: NealSu - reason: further testing, added link to other thread with same issue
I understand this topic is over a year old, but I just ran into this issue myself, and wanted to share what I was able to do to resolve it.
We are running vCenter 5.1, and have DRS set to manual. We have a small cluster of two hosts on which the VMs run. When logged in as big bad Administrator, powering on a VM results in a dialog box for choosing which host to run the VM. However, we have lesser-privileged users that were given power on/power off privileges to specific VMs, but upon attempting to power on a VM, the dialog box did not appear, and the VM never turned on.
I found that the permission needed for this activity is Virtual Machine > Interaction > Power On. Most likely, the Power Off, Suspend, and Reset permissions would also be desired, but I don't think they apply to this specific issue.
To resolve this issue, I found that permissions had to be set in 3 places:
1) VM itself
2) Hosts that will run the VM
3) Datacenter where VM resides
The first one is easy. The other two are tricky because if you set those privileges that high up, they will by default propagate down through the whole tree, and the users will potentially have those privileges for every VM, instead of just the specific ones they were supposed to work with. Also, I initially set propagating permissions on the cluster itself, which worked. But when I changed it to only apply to the cluster (no propagation), it broke. That's when I discovered that I needed to set the non-propagating permission not on the cluster, but on the hosts in the cluster.
Anyway, in summary, here is what I did:
1) Created a new role and gave that role the Power On, Power Off, Suspend, and Reset permissions.
2) Gave my users this role for the VMs they needed to play with
3) Gave my users this role for each individual host in the cluster - no propagation (this was done under Hosts and Clusters)
4) Gave my users this role for the applicable Datacenter - no propagation
It is admittedly a little hokie, since I don't like having to manage what essentially amounts to a single permission in 3 different places. However, it definitely works for my purposes. Hope this is helpful for you and anyone else that comes searching for this same problem.
Thanks,
Doug
Thanks Doug, this is precisely the issue that I was facing as this cluster was set to manual DRS mode. Users were attempting to power on VMs, but it looks like they were unable to get the DRS pop up prompting which host to power onto. Setting the permissions on the cluster as you described worked first time.
Many thanks!
Regards,
Marty
Worked for me only after I added the same permissions on the cluster level.
1. Create role as Doug mentioned above.
2. Assign permission to appropriate VM(s).
3. Assign permission to each host, no propagation.
4. Assign permission to cluster, no propagation.
5. Assign permission to Datatcenter, no propagation.
Thank you a lot, Doug!
Regards,
Varvara
Hi,
Please create a role of VM machine user and assign to vCenter specific folder.
Please go through the below URL
Manage Access Control for VMware Roles and Permissions
VMware vSphere 4 - ESX and vCenter Server
Thanks
