VMware Cloud Community
Sharantyr3
Enthusiast

vCenter tags permissions

Hello there,

I know vCenter's way of handling permissions is really weird (I'm being nice), but I can't get it to work correctly with tags...

From what I understand, users need the assign tag permission at the vCenter level, but then they are able to edit tags on any object... Even on objects where they have the specific role "read only", they can still add or remove a tag on that object.

There is also an option to "add permission" on categories and tags, but you can't display those "added" permissions, and it still does not correct the main problem: if a user has the right to assign/remove a tag on an object, they have the right to do so on any object.

The use case is that we have Veeam and use tags to select which VMs are being backed up. We have different teams, and each team has its own VMs.

It is not acceptable that a member of Team A can modify tags of VMs belonging to Team B.

But I can't find a way to do so; if anyone could give me some hints about that...

Thanks!

dave012345
Enthusiast

You would have to create distinct groups with explicit deny for the specific objects you want to block out.

VMware vSphere 6.5 Documentation Library

Sharantyr3
Enthusiast

I know this, but this is completely ugly and nonsensical in terms of security. You don't "deny" rights, you "grant" rights. This is the correct way of doing things.

When you have "read-only" permission on an object, you should not be able to modify the tags associated with it.

But anyway, I don't understand the ability to give permissions on a tag/category when you can't see those granted permissions.

This permission system is broken :(

LokeshHK
VMware Employee

Hi,

"users need to assign tag permission on vcenter level but then are able to edit tags on any objects"

What do you mean by this?

Are you trying to assign the "Tagging admin" role at the VC level and the "ReadOnly" role at the object level?

Typically, the tagging permission has to be defined at the global permission level.

Regards

Lokesh

Sharantyr3
Enthusiast

"users need to assign tag permission on vcenter level but then are able to edit tags on any objects"

I mean that for users to be able to apply tags to VMs, they need the "Assign or Unassign vSphere Tag" permission set at the vCenter level (no inheritance). But then they can change tags on any VM, even those on which they only have "read only" access.

With vCenter 6.7, I now see a change in permission behavior with tags.

Now, a user with the "Assign or Unassign vSphere Tag" permission can't assign a tag to a VM on which he has the read-only role.

BUT the user can still unassign a tag from a VM on which he has the read-only role.
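The core complaint in the original post and in this follow-up is that a tagging privilege anchored at the vCenter level reaches every VM, regardless of object-level read-only roles. Before changing anything, an administrator wants to know which roles carry that privilege and which principals hold those roles, and where each grant is anchored. The PowerCLI script below is an added example written for this thread, not code posted by anyone in it or shipped by VMware; it assumes an already-open `Connect-VIServer` session and uses only the standard `Get-VIRole`, `Get-VIPrivilege` and `Get-VIPermission` cmdlets. The privilege is matched by the display name quoted in the thread, "Assign or Unassign vSphere Tag".

```powershell
# Added audit example for this thread (not VMware's code).
# Assumes: Connect-VIServer has already been run in this session.
# Goal: list every role that grants the tagging privilege and every
# permission entry that hands such a role to a principal, with the
# inventory object the grant is anchored on and whether it propagates.

$privName = 'Assign or Unassign vSphere Tag'   # display name as quoted in the thread

# Step 1: find roles that contain the tagging privilege.
$taggingRoles = Get-VIRole | Where-Object {
    $privs = Get-VIPrivilege -Role $_ -ErrorAction SilentlyContinue
    ($privs | Where-Object { $_.Name -eq $privName }).Count -gt 0
}

if (-not $taggingRoles) {
    Write-Host "No role carries '$privName'."
    return
}

# Step 2: for each such role, list the permission entries that assign it.
# Entity is where the grant sits (vCenter root, datacenter, folder, VM...);
# a grant at the vCenter root is what lets a user retag objects everywhere.
$report = foreach ($role in $taggingRoles) {
    Get-VIPermission -Role $role | ForEach-Object {
        [pscustomobject]@{
            Role      = $role.Name
            Principal = $_.Principal
            IsGroup   = $_.IsGroup
            Entity    = $_.Entity.Name
            Propagate = $_.Propagate
        }
    }
}

$report | Sort-Object Entity, Principal | Format-Table -AutoSize
```

Run it once per vCenter you manage. Permissions defined as global permissions (the level LokeshHK points to) are managed separately from the vCenter inventory permissions that `Get-VIPermission` returns, so review those in the vSphere Client as well. Rows whose `Entity` is the vCenter root and whose `Role` is anything beyond a purpose-built tagging role are the ones to scrutinise against the "Team A must not retag Team B" requirement.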
