VMware Cloud Community
cseasholtz
Contributor

Network Permissions Do Not Propagate

Hello!

I am trying to set up an environment for my students using the ESXi and VCSA 6.7 from VMAP. I have everything done, except for the networking. I have set up a Distributed Switch and individual Distributed Port Groups for each class. I have created a role that allows students to assign networks, but when I create a new permission, assign the role to the Distributed Switch, and check the box for Propagate to children, it doesn't propagate. The newly assigned permissions show up on the switch, but not on any of the associated port groups.

Permissions propagate for folders, resource pools, and datastores, so I feel like I am missing something because it isn't working for networks. Is that working as intended or is it a bug? Has anyone come across this and have a solution?

Edit: I downloaded and performed a clean install of VCSA 7 to see if it solved the problem, but it didn't.

10 Replies
scott28tt
VMware Employee

One of these may help:

Network Privileges

dvPort Group Privileges


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
Tiloois77
Contributor

I have the same problem. If you apply "No Access" permission at vDS level, it is not propagated to portgroups.

Permissions hierarchy says that PG is below vDS but this hierarchy is not working.

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-03B36057-B38C-479...

mkfmevntm
Contributor

@scott28tt that doesn't help.

Does anyone know if this is a known problem at VMware? We're experiencing the same on the latest vCenter version, 7.0U3e.

scott28tt
VMware Employee

@mkfmevntm 
I have no idea. If you check my signature, I'm here on the forums the same as any other user; I don't have any magical connections to those who would be able to answer your question.

 


mkfmevntm
Contributor

Sorry, I didn't notice your signature and thought you were from tech support or similar.

The second line of my post was also more addressed to other users; maybe someone already had an SR for this.

R_Brightwell
Enthusiast

I've run into this issue now as well. Distributed switch security doesn't seem to propagate to the vdPort groups, even when the Propagate to Children box is checked. I've tested this in a sandbox environment with a fresh VC installed and it behaves the same way.

lappies123
Contributor

I had the same issue. The workaround was to create a network folder and move the distributed switch into the folder, then apply the permissions on the folder and have it propagate. That should ensure the permissions propagate to your distributed switch and port groups.

cknudtso
Contributor

Looks like this problem has persisted for some time now. I'm experiencing the same problem. Has anyone found a solution?

jomahoney
VMware Employee

This occurs because the relationship between distributed switch and portgroup is not a direct parent-child relationship, as can be seen from the managed object browser of the vCenter Server, i.e. both are child objects of the parent 'network' folder.

From https://<vc_fqdn>/mob if you browse to 'content -> rootFolder -> childEntity (select relevant datacenter) -> networkFolder' you can see that childType is Folder, Network and DistributedVirtualSwitch so they are all child objects of the parent folder rather than each other.

The workaround is, as mentioned above, to:
1. Create a new network folder.
2. Move the vDS inside this new network folder.
3. Add permission at network folder level with box "Propagate to children" checked.
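
The hierarchy described in the answer above, as an added example that is not part of the thread and is not vCenter or VMware code: a simplified Python model showing which port groups a propagating permission misses when it is granted on the vDS versus on an enclosing network folder. It assumes one parent per object and inheritance only along the parent chain; every object, principal and role name is constructed.

```python
# Simplified model (an assumption, not vCenter code): each inventory object has
# one parent, and a permission reaches an object only if it is set on the
# object itself or on an ancestor with "propagate" enabled.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entity:
    name: str
    kind: str                      # "Folder", "DistributedVirtualSwitch", "Portgroup"
    parent: Optional["Entity"] = None
    # principal -> (role, propagate), as set directly on this object
    permissions: dict = field(default_factory=dict)


def effective_role(entity, principal):
    """Return the role the principal gets on entity, or None if nothing applies."""
    direct = entity.permissions.get(principal)
    if direct:
        return direct[0]
    node = entity.parent
    while node is not None:          # only the parent chain is consulted
        perm = node.permissions.get(principal)
        if perm and perm[1]:         # inherited only when propagate is set
            return perm[0]
        node = node.parent
    return None


def build_inventory(use_subfolder):
    """Constructed sample: one vDS with two class port groups."""
    root = Entity("network", "Folder")
    container = Entity("Classes", "Folder", root) if use_subfolder else root
    vds = Entity("vDS-Lab", "DistributedVirtualSwitch", container)
    # Port groups are siblings of the switch: their parent is the folder.
    pgs = [Entity(n, "Portgroup", container) for n in ("PG-ClassA", "PG-ClassB")]
    return container, vds, pgs


def uncovered_portgroups(use_subfolder, principal="students", role="AssignNetwork"):
    """Names of port groups the principal has no role on after the grant."""
    container, vds, pgs = build_inventory(use_subfolder)
    target = container if use_subfolder else vds   # where the permission is added
    target.permissions[principal] = (role, True)   # "Propagate to children" checked
    return [pg.name for pg in pgs if effective_role(pg, principal) is None]


if __name__ == "__main__":
    print("granted on vDS:   ", uncovered_portgroups(False))
    print("granted on folder:", uncovered_portgroups(True))
```
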

R_Brightwell
Enthusiast

That makes sense then. Thanks for your response.
