VMware Cloud Community
juchestyle
Commander

Permissions for a user to change network settings

I know this should be easy, but when I set these permissions the user can't see the DISTRIBUTED SWITCH options in edit settings for VMs.

Enabling the vCenter Server permissions required to modify virtual machine network settings (1020934)

Purpose

This article provides steps to enable the vCenter Server permissions required to modify virtual machine network settings.

Resolution

To modify virtual machine network settings, you require these permissions:

  • Network > Assign Network
  • Virtual Machine > Configuration > Modify device settings
  • Virtual Machine > Configuration > Settings

To enable these permissions:

  1. Connect vSphere Client to vCenter Server.
  2. Click Home.
  3. Click Roles.
  4. To create a new user role, right-click on a blank area and select Add.
  5. Enter a name, for example, VM Network Admin.
  6. Expand Network and select Assign network.
  7. Expand Virtual Machine > Configuration, select Modify device settings and Settings.
  8. Click OK.
  9. Add permission for this user at the datacenter level and assign the role to this user.

Suggestions?

Kaizen!
5 Replies
bayupw
Leadership

Hi, what is your requirement?
For a user to change the network settings of a VM, or for a user to change the Distributed Switch configuration?

I've tried the same settings and the user is able to change the network settings of a VM, selecting a Distributed Switch PortGroup.

Make sure to assign the user permission at the Datacenter level.


Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
Idaho
Contributor

I am having this same issue and would love to find a resolution. I have assigned the necessary permissions at the VM and VDS level using a folder. I do not want to assign at the datacenter level because it would give the users permissions on too many VMs, not just the ones we are interested in affecting.

Idaho
Contributor

Assigning at the datacenter level should not be a requirement. vSphere explicitly states that VDS permissions can be assigned at the datacenter level or on a folder containing the VDS. We need to do the latter to limit permissions to a subset of our VMs.

bayupw
Leadership

The KB says:

9. Add permission for this user at the datacenter level and assign the role to this user.

I haven't tried assigning permission at the folder level, but as a workaround you can still assign at the datacenter level and then assign 'No Access' on the other folders or other VMs for that user/user group, so the user/user group would only see the VMs without 'No Access'.

warnox
Enthusiast

Bit of an old post but I've just come across this situation and had a bit of a play around with it.

Assuming the user has permissions to modify the VM...

1. If the user also has access to just the portGroup or a Network Folder ('assign network' permissions), they will be able to add a new network adapter and select the desired portGroup.

2. If the user also has access to just the portGroup or a Network Folder ('assign network' permissions), they will not be able to modify an existing network adapter and assign it to a different port group. For this to work, the user needs read-only access to the host (or cluster) where the VM is located.

I guess the process of modifying a network adapter must query the host to see which portGroups it can access, while adding a new network adapter does not. The KB suggests giving access at the Datacenter level, which would in turn give access to the Cluster/Host.

Hope this is of some use.
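
The folder-scoped layout discussed in this thread, written as a PowerCLI script. This is an added example, not code from the KB article or from any poster. It creates the KB's three-privilege role, grants it on a VM folder and a network folder instead of the datacenter, and adds the read-only cluster grant the last reply found necessary. The server, folder, cluster and principal names are hypothetical.

```powershell
# Added example. All names below are hypothetical placeholders.
$server    = 'vcenter.example.local'
$principal = 'EXAMPLE\vm-net-admins'
$vmFolder  = 'Tenant-A-VMs'        # VM folder holding only the VMs in scope
$netFolder = 'Tenant-A-Networks'   # network folder holding the VDS / port groups
$cluster   = 'Cluster-01'          # cluster that runs those VMs

Connect-VIServer -Server $server | Out-Null

# The three privileges the KB lists, by privilege ID.
$privIds = 'Network.Assign',                      # Network > Assign network
           'VirtualMachine.Config.EditDevice',    # Modify device settings
           'VirtualMachine.Config.Settings'       # Settings
$privs = @(Get-VIPrivilege -Id $privIds)
if ($privs.Count -ne $privIds.Count) { throw 'One or more privilege IDs were not found.' }

# Create the role once (KB steps 4-8); reuse it if it already exists.
$role = Get-VIRole -Name 'VM Network Admin' -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name 'VM Network Admin' -Privilege $privs }

# Folder-scoped grants in place of the datacenter-level grant in KB step 9.
$targets = @(
    Get-Folder -Name $vmFolder  -Type VM
    Get-Folder -Name $netFolder -Type Network
)
foreach ($t in $targets) {
    New-VIPermission -Entity $t -Principal $principal -Role $role -Propagate $true | Out-Null
}

# Read-only on the cluster: per the last reply, needed to re-point an EXISTING
# adapter to another port group. Because it propagates, the principal can also
# see (not change) other objects under this cluster.
New-VIPermission -Entity (Get-Cluster -Name $cluster) -Principal $principal `
    -Role (Get-VIRole -Name 'ReadOnly') -Propagate $true | Out-Null

# Review the resulting grants for this principal.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```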