On a vCenter 4.1 Update 1, I assigned an AD group of users the "Virtual Machine Power User" rights on the vCenter top level.

I then assigned a specific AD user administrator rights on the same top level. This user is a member of that group.

I would expect the user has administrator rights but that user only has the Virtual Machine Power User right!

I would expect that roles assigned to a specific user would take precedence but they don't....

How did I solve this? I deleted the role assignment to that user on the vCenter top level and gave him the administrator role on the datacenter level, just below the vCenter level.

Because lower assigned roles take precedence, I almost have what I want....

Is this a bug?

The guide here says that roles explicitly set to a user should take precedence, but in their example the rights are less on the user than on the group.

VMware seems to use a "least privilege" system that is too strict.

I would hope that assigning a user a role with more rights on the same level than where the group from which he is a member, would give him the highest rights, but it's not that way :'(

Anyone found a way to make this work?

