VMware Cloud Community
spauer
Contributor

Problems with StorageCluster Permissions when changing VM settings

Hi all

vSphere Client 5.0.0 Build 455964

vCenter Server 5.0.0 Build 455964

ESXi 5.0.0 VMKernel Release Build 515841

I created a datastore Cluster within  in folder. Propagate permissions.

I put all available datastores in this storage cluster.

DataStoresInDataStoreCluster.PNG

Now I cloned a VM and tried to change the network adapter connection.

There I get the error message:

Permission denied.....

Call "StorageResourceManager.ConfigureStorageDrsForPod" for object "StorageResource...

DataStoresInDataStoreCluster_ErrorChangingNetwork.PNG

When I put the datastores out of the cluster back into the folder, everything is OK. I can set the settings after I cloned a VM.

DataStoresInDataStoreCluster_NoProblems.PNG

Is there any help?

0 Kudos
13 Replies
StefanSkold
Contributor

Does your user/usergroup have the following permission?

"Configure a datastore cluster"

permissions.jpg

/Stefan
0 Kudos
sstaples
Contributor

I have the exact same problem with cloning or creating new VMs. I had a support call with VMware and the end result was to begin modifying user permissions until I get it correct. That said, this problem does not happen with Administrator permission from the top of vCenter down the vSphere stack.

Storage DRS view:

Storage DRS.png

Trying to edit settings after VM framework initially created:

Edit virtual machine after creation.png

Error message:

error.png

Workaround: With my current user permissions (Faculty/Staff/Student Users - Not Administrator down the stack) I can avoid this error simply by selecting "Edit the virtual machine settings before completion". However, if a user forgets to check this box on the initial creation of the VM, later they will not be able to edit their work and are unhappy. Understandable!

Avoidance.png

Conclusion: I believe the problem is that the creation of the VM framework wants to process through the "Placement Recommendations" for recommending datastores for the virtual machine when using Storage DRS. I simply select "Apply recommendation" when asked.

I believe this is why it works when the edit is selected.png

VMware help: I need to find the elusive permission setting to avoid having to check "Edit the virtual machine settings before completion" before I get a lot of unhappy users who try to edit their VM settings in the future and forgot to check this option.

0 Kudos
EdWilts
Expert

Was a resolution for this ever identified?  We're having the same problem...

It doesn't make sense to me that guest admins need to have the permission to configure datastore clusters.

.../Ed (VCP4, VCP5)
0 Kudos
sstaples
Contributor

Yes - still the same problem, and I have not found the key permission on the vCenter stack to fix it yet. My workaround as/when needed: when users log in and use the vCenter Web Client 5.0 instead of the vSphere Client to create/clone VMs (obviously both access methods have the same user permissions), the problem never occurs. Lastly, my Active Directory group permissions set on the cluster storage hierarchy often remove themselves, and I have to add the AD groups back to the storage cluster in vCenter.

Best

0 Kudos
EdWilts
Expert

> Yes - still the same problem, and I have not found the key permission on the vCenter stack to fix it yet. My workaround as/when needed: when users log in and use the vCenter Web Client 5.0 instead of the vSphere Client to create/clone VMs (obviously both access methods have the same user permissions), the problem never occurs. Lastly, my Active Directory group permissions set on the cluster storage hierarchy often remove themselves, and I have to add the AD groups back to the storage cluster in vCenter.

Thanks for the info on using the web client - we're trying to push our admins to use that anyway.

For the permissions removing themselves, see this KB: http://kb.vmware.com/kb/2008326 - it might be what you're seeing.

.../Ed (VCP4, VCP5)
0 Kudos
sstaples
Contributor

Thank you for the pointer to the KB. That is exactly the problem. Unfortunately, I use multiple datastore clusters such as research and instruction, and users have access to either or both depending on whether they are a student or researcher or both. Applying permissions at the datastore level and propagating down into each of the datastore clusters would not be a workaround in my environment.

I am pleased it is acknowledged by VMware as a bug, and I am not crazy! Thanks again for the pointer....

0 Kudos
Ike10
Contributor

Has anyone found a solution to the original problem? Many of my users who need to make edits to the VM's configuration are getting this problem.

0 Kudos
JMSAdmin
Contributor

Hello,

I have the same issue.  Any resolution identified yet other than using the Web client?  Thx

0 Kudos
saxonww
Contributor

This is still an issue with 5.1.0 build 947673. We upgraded recently from 4.1U2 Enterprise -> 5.1.0 Enterprise Plus and migrated to a distributed switch and storage clusters at the same time. VMs with old snapshots have invalid network config and have to be updated post-revert. Users who just have a virtual machine administrator role cannot do this themselves, as they receive this StorageResourceManager.ConfigureStorageDrsForPod error.

0 Kudos
RonanM
VMware Employee

Hi,

I know this thread may be a bit old, but as this issue is still active I just wanted to post a link to a Knowledge Base Article and the two suggested workarounds:


http://kb.vmware.com/kb/2013820

Resolution

This is a known issue affecting VMware vCenter Server 5.0.x and VMware vCenter Server 5.1 and is currently being reviewed by VMware. This article will be updated as information becomes available.
To work around this issue, try one of these options:
  1. Assign the Configure a datastore cluster permission to the user account on the Datastore Cluster where the virtual machine resides.
  2. As a user with the Administrator role, select Edit Settings on the virtual machine for which the non-administrative user cannot edit the settings. Do not make any changes, but click OK. This change allows the non-administrative user to edit the virtual machine's configuration.
0 Kudos
StefanSkold
Contributor

Isn't that first workaround exactly what I suggested over a year ago? :)

/Stefan
0 Kudos
larsupilami
Contributor

Just some additional info from my site, and what I learned today and yesterday when dealing with the problem:

I have just been facing the exact same problem. Although I don't like the solution of giving "Configure a datastore cluster" rights to users who should just be allowed to deploy VMs, I have to deal with it. As I wanted the minimum rights, I didn't assign the role to the vCenter or datacenter and propagate it down to everything. I just assigned it to the needed objects (host cluster, SDRS cluster, folders, networks). And this is what I learned:

When you have SDRS clusters where people need to deploy VMs, you have to use the "configure datastore cluster" permission in your role. And this role needs to be assigned at datacenter level with propagation. When you now want to start hiding several points by assigning the No Access role to the same users, make sure the No Access role is not assigned to any cluster that is configured to use the needed SDRS cluster.

Summary:

Role with "configure datastore cluster" needs to be assigned to:

- Datacenter with propagate

- Don't use the No Access role on any host clusters that have access to the needed SDRS cluster

If you add too many No Access rules or do not propagate the role, you will face the following problem for all VMs created with limited rights:

http://vkoolaid.blogspot.de/2011/12/you-do-not-hold-privilege-system-read.html

I am using vSphere 5.0, so the Web Client is not an option as it has limited functionality; I also tried that way.

0 Kudos
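
An added example, not part of any post in this thread and not VMware code: a simplified Python model of how permission assignments resolve, comparing the KB's workaround 1 scoped to one datastore cluster with the datacenter-level propagated assignment and the No Access override discussed above. The inventory names, the `students` principal, the role names, the single-parent inventory tree and the privilege ID `StoragePod.Config` for "Configure a datastore cluster" are assumptions.

```python
# Simplified model of vCenter permission resolution; not VMware code.
# Inventory names, the "students" principal and role names are constructed.
PARENT = {  # child -> parent (single-parent tree for brevity)
    "dc": None,
    "vm-folder": "dc", "cloned-vm": "vm-folder",
    "research-pod": "dc", "instruction-pod": "dc",
}
ROLES = {
    "VmAdmin": {"System.Read", "VirtualMachine.Config.EditDevice"},
    # Assumed privilege ID behind "Configure a datastore cluster".
    "SdrsConfig": {"System.Read", "StoragePod.Config"},
    "NoAccess": set(),
}

def perm(entity, role, propagate=True, principal="students"):
    return {"entity": entity, "role": role,
            "propagate": propagate, "principal": principal}

def effective_privileges(perms, principal, obj):
    """Nearest assignment wins: a permission set directly on an object
    overrides one propagated from an ancestor."""
    node = obj
    while node is not None:
        for p in perms:
            if (p["entity"] == node and p["principal"] == principal
                    and (node == obj or p["propagate"])):
                return ROLES[p["role"]]
        node = PARENT[node]
    return set()

def can(perms, principal, privilege, obj):
    return privilege in effective_privileges(perms, principal, obj)

def can_edit_vm(perms, principal, vm, pod):
    """Model of the failing edit: the client also calls
    ConfigureStorageDrsForPod, which is checked on the pod, not the VM."""
    return (can(perms, principal, "VirtualMachine.Config.EditDevice", vm)
            and can(perms, principal, "StoragePod.Config", pod))

def pods_configurable(perms, principal):
    return sorted(o for o in PARENT if o.endswith("-pod")
                  and can(perms, principal, "StoragePod.Config", o))

BASE = [perm("vm-folder", "VmAdmin")]                  # thread's starting point
SCOPED = BASE + [perm("research-pod", "SdrsConfig")]   # KB workaround 1
BROAD = BASE + [perm("dc", "SdrsConfig")]              # datacenter + propagate
HIDDEN = BROAD + [perm("research-pod", "NoAccess")]    # nearer No Access wins
```

Under this model, `pods_configurable(SCOPED, "students")` returns only `research-pod`, while `BROAD` grants the privilege on every datastore cluster in the datacenter, and in `HIDDEN` the No Access assignment on `research-pod` makes the VM edit fail there again.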
vmstoani
Contributor

bb

0 Kudos