I have figured out that I can use the default power and media role, then set browse datastore. While I cannot get the "browse" button ungreyed, I can have them type in the "esxserv:storage1 NameoftheISO.iso" data and they can mount the CD. This will be OK, but if anyone has ever had to cross this bridge I would be interested in getting more tips on limiting users without giving up things I don't want to give up.
I assume you're assigning that role to the VM or a Folder of VMs. To "enable" the Browse button, create a new role. Add the "Browse Datastore" privilege only. (Note: you may not even need any privileges set - you can test that too...) Assign your users this new role at the parent Data Center. Make sure to uncheck Propagate.
The reason being that datastores are child objects of the Data Center. Adding permissions there allows your users to see the datastore objects.
I'll try that again, but when I did that, it negated the lower-level VM permissions and they lost contact. It was as if the new datastore-browser-only rule was overridden by the higher-level rule, which acted like a deny statement as well.
OK, re-reading, the uncheck propagate might have been what got in my way.
I'd like to follow through on this a bit, because I still have the problem, sort of. I am using vSphere, and I tried the solution, which was to grant the user the right to browse the datastore at the datacenter level, and to uncheck propagate. If I uncheck propagate, the setting has no effect. It doesn't matter if I assign that role again at the folder the user's machines are in, and select propagate at that level either. I must check propagate on the permission at the Datacenter level in order for the user to be able to browse for and select .iso files from the datastore.
The problem with this is that it means any user I assign to that group can see my entire infrastructure. They can't DO anything because the only right they have is browse datastores. But because it's assigned at the datacenter level, they can see all the folders, all the machines, see performance metrics and so on. That's not the way it should be. It's a workaround at best. So what's a better way?
To the specific datastore you want the user to have access to, add a permission and choose the "datastore access" you created earlier.
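
The datastore-scoped grant suggested in the last reply, written as a PowerCLI sketch with an audit step; this is an added example, not something posted by anyone in the thread. The vCenter name and principal are placeholders, `storage1` is taken from the path quoted in the first post, "datastore access" from the last reply is assumed to be the role name, and whether this grant alone enables the Browse button in a given client version is left to be tested.

```powershell
# Added example (not from the thread). Requires VMware PowerCLI and a vCenter session.
# Placeholder values below are assumptions; replace them with your own.
$vCenter   = 'vcenter.example.local'   # placeholder vCenter Server
$principal = 'EXAMPLE\iso-users'       # placeholder group of restricted users
$dsName    = 'storage1'                # datastore name as quoted in the first post
$roleName  = 'datastore access'        # name used in the last reply, assumed to be a role

Connect-VIServer -Server $vCenter | Out-Null

# Create the role with only the Browse Datastore privilege if it does not exist yet.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $priv = Get-VIPrivilege -Id 'Datastore.Browse'
    $role = New-VIRole -Name $roleName -Privilege $priv
}

# Grant the role on the single datastore object, not on the datacenter.
$ds = Get-Datastore -Name $dsName
New-VIPermission -Entity $ds -Principal $principal -Role $role -Propagate:$false | Out-Null

# Audit: list every permission held by the principal and flag propagating
# grants on datacenters or folders, which expose the inventory beneath them.
$grants = Get-VIPermission -Principal $principal | ForEach-Object {
    $type = $_.Entity.GetType().Name
    [pscustomobject]@{
        Entity    = $_.Entity.Name
        Type      = $type
        Role      = $_.Role
        Propagate = $_.Propagate
        Broad     = ($_.Propagate -and $type -match 'Datacenter|Folder')
    }
}
$grants | Format-Table -AutoSize

# A non-empty result here means the principal can still see more than intended.
$grants | Where-Object Broad
```

Run the audit part again after any later permission change; a propagating grant at the datacenter is what lets a browse-only user see every folder, VM and performance chart, as described above.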