VMware Cloud Community
NelsonCandela
Enthusiast
Enthusiast
‎03-24-2019 03:30 AM

Minimum permission level to see VMs in a subfolder (Web Client & PowerCLI)

Hey there,

I'm struggling with the requirements to set up a user that should see (and ideally only see!) two VMs created in a subfolder of a datacenter with the Web Client and PowerCLI.

I set up a local user (vsphere.local) and tested a few things,

this is the current structure I'm dealing with:

vCenter                   Permission: read-only (not propagated to children)

  - Datacenter            Permission: read-only (not propagated to children)

    - Cluster             Permission: read-only (not propagated to children)

      - Folder            Permission: read-only (propagated to children)

        - VM              Permission: no specific permission given because of rights propagation

When logging on to the vCenter everything is fine and I see the VMs, but doing so with PowerCLI (e.g. Get-VMHost, Get-VM) do not work, the result set is always empty.

What is the minimum requirement needed for a user to be able to see only the contents of this specific folder, both with the Web Client (HTML5 or Flash) and PowerCLI?

vCenter is v6.5, PowerCLI is v6.3 (I don't recall the exact version). Anyone else experiencing this issue? Or anyone else has an idea, possibly?

Thanks!

NC

0 Kudos
4 Replies
LokeshHK
VMware Employee
VMware Employee
‎03-24-2019 06:05 AM

PowerCLI version mentioned is very old, please try with latest version. NGC seems to working correctly.

Regards

Lokesh

0 Kudos
NelsonCandela
Enthusiast
Enthusiast
‎03-25-2019 05:13 AM

Hi LokeshHK,

unfortunately, that did not solve my issue.

Also, when logging on as the SSO Admin I'm able to see all data as permitted, both old and new PowerCLI version.

So again I have to ask, what minimum permission set is required in order for a user to only see VMs in one specific folder and above that nothing else (except required items)?

Thanks

NC

0 Kudos
LokeshHK
VMware Employee
VMware Employee
‎03-25-2019 05:49 AM

Minimum permission  required to view any object in inventory is Read-Only and Permission assignment seems to be correct though but I have question. How did you manage to create Folder under cluster?

vCenter                   Permission: read-only (not propagated to children)

  - Datacenter            Permission: read-only (not propagated to children)

    - Cluster             Permission: read-only (not propagated to children)

      - Folder            Permission: read-only (propagated to children)

        - VM              Permission: no specific permission given because of rights propagation

If the Folder means resource-pool then use power-cli command like below

"Get-VM -location <folderName>"

or else

1) At Datacenter create "VM and Template" folder.

2) Put desired VM's in to that folder.

3) Grant Read-only permission on the folder with propagation true.

Regards

Lokesh

0 Kudos
NelsonCandela
Enthusiast
Enthusiast
‎03-25-2019 07:54 AM

Hi LokeshHK,

I have full access with the default SSO Administrator account, hence I created a simple VM-folder and assinged the user permissions with this Admin user.

This really is a folder, it is not a Ressource Pool.

Best regards

NC

0 Kudos