VMware Cloud Community
bigusdadius
Contributor

Permissions: VC vs AD?

This may be a simple question to answer...are VC permissions least or most restrictive? To clarify, if I'm part of two AD groups...one with more permissions than the other and these two AD groups are assigned different permissions with VC...when I login what permissions do I have? Any feedback will be greatly appreciated. Thanks.


Accepted Solutions
abaum
Hot Shot

Ha...great question. I went through this a few months ago. Here's what I found after some very unscientific testing:

If both AD groups are defined at the same object level (i.e. datacenter or specific guest), it acts like NTFS permissions, meaning the least restrictive wins.

If the groups are defined at different object levels (i.e. one is at the datacenter, the other is on a specific guest), then it's like shares and NTFS, meaning the most restrictive wins.

adam

5 Replies
wobbly1
Expert

You have the highest level. You need to use denied permissions in VC.

I.e., to restrict access to resource groups, give access permissions to groups at the datacenter level, then deny access at the resource group level to the groups you do not want to give access to.

ZMkenzie
Enthusiast

Here we have the same problem. We opened a ticket with VMware and they suggested that we open a feature request thread, so if someone is interested in this feature, "sign" this:

http://www.vmware.com/community/thread.jspa?threadID=78131&tstart=0

VC uses the most restrictive permission ALWAYS when 2 permissions overlap. This is unfair because VirtualCenter relies on Active Directory, which uses different security rules.

MiteeThoR
Contributor

I have noticed this same issue. You have to be VERY careful, because if you did something as simple as:

Administrators - full access

Domain Users - Read Only

You could lock yourself out with no way to get back in!!!

Of course this is a simplified example but even within my own department, I am a full VC admin and I have others who only need their own group of servers, and I am also a member of those AD groups. After I locked myself out I had to go remove myself from that AD group to get back into VC admin.

I can't believe that they implemented a security model that doesn't allow for most inclusive instead of most restrictive rights, and then tied it to Active Directory!!

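The following is an illustration added to this thread by the editor; it is not code from any poster or from VMware. It is a small Python model of how vCenter resolves overlapping permissions, encoding the rules as the vSphere permissions documentation states them: on one object, the privileges of every matching group entry are unioned; an entry on a child object overrides an entry propagated from a parent, whichever role is stronger; and an entry for the user personally beats any group entry on the same object. Run against the trees the posters describe, the second rule is what looks like "most restrictive wins" when the child-level assignment happens to be the weaker role, and it reproduces the lockout MiteeThoR ran into. Object names, group names, the users alice and bob, and the privilege strings inside each role are constructed for the example; only the role names are real vCenter roles.

```python
"""Model of vCenter permission resolution (constructed illustration).

Rules encoded, as stated in the vSphere permissions documentation:
  1. Same object, several matching group entries -> union of privileges.
  2. An entry on a child object beats one propagated from a parent,
     whatever the roles are; propagation is decided per entry.
  3. On one object, an entry for the user personally beats group entries.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Role names are real vCenter roles; the privilege strings are simplified
# placeholders (constructed), not vCenter privilege IDs.
ROLES = {
    "Administrator": {"read", "power", "configure", "manage_permissions"},
    "Read-Only": {"read"},
    "No Access": set(),
}

# (principal, is_group, role, propagate)
Entry = Tuple[str, bool, str, bool]


@dataclass
class Obj:
    """One inventory object (datacenter, folder, resource pool, VM ...)."""
    name: str
    parent: Optional["Obj"] = None
    entries: List[Entry] = field(default_factory=list)

    def assign(self, principal: str, role: str, *, is_group: bool = True,
               propagate: bool = True) -> None:
        self.entries.append((principal, is_group, role, propagate))


def effective_privileges(obj: Obj, user: str, groups: Set[str]) -> Set[str]:
    """Privileges `user` (a member of `groups`) holds on `obj`."""
    node, inherited = obj, False
    while node is not None:
        user_roles, group_roles = [], []
        for principal, is_group, role, propagate in node.entries:
            if inherited and not propagate:
                continue  # entry was set for "this object only"
            if is_group and principal in groups:
                group_roles.append(role)
            elif not is_group and principal == user:
                user_roles.append(role)
        roles = user_roles or group_roles  # rule 3
        if roles:                          # rule 2: nearest object with a match
            return set().union(*(ROLES[r] for r in roles))  # rule 1
        node, inherited = node.parent, True
    return set()


def lockout_scenario():
    """MiteeThoR's case: Administrators at the datacenter, Read-Only for
    Domain Users on one VM; the admin (alice) is in both AD groups."""
    dc = Obj("Datacenter")
    vm = Obj("web01", parent=dc)
    dc.assign("Administrators", "Administrator")
    vm.assign("Domain Users", "Read-Only")
    groups = {"Administrators", "Domain Users"}
    return {o.name: effective_privileges(o, "alice", groups) for o in (dc, vm)}


def same_object_scenario():
    """Both groups assigned on the same object: privileges are unioned."""
    dc = Obj("Datacenter")
    dc.assign("Administrators", "Administrator")
    dc.assign("Domain Users", "Read-Only")
    return effective_privileges(dc, "alice", {"Administrators", "Domain Users"})


def user_override_scenario():
    """Way out of the lockout without leaving the AD group: an entry for the
    user herself on the VM beats the group entry on that same object."""
    dc = Obj("Datacenter")
    vm = Obj("web01", parent=dc)
    dc.assign("Administrators", "Administrator")
    vm.assign("Domain Users", "Read-Only")
    vm.assign("alice", "Administrator", is_group=False)
    return effective_privileges(vm, "alice", {"Administrators", "Domain Users"})


def deny_scenario():
    """wobbly1's pattern: grant at the datacenter, then No Access on a
    resource pool for the group that must not reach it."""
    dc = Obj("Datacenter")
    pool = Obj("Finance-RP", parent=dc)
    dc.assign("Domain Users", "Read-Only")
    pool.assign("Domain Users", "No Access")
    return effective_privileges(pool, "bob", {"Domain Users"})


if __name__ == "__main__":
    print("lockout      :", lockout_scenario())
    print("same object  :", same_object_scenario())
    print("user override:", user_override_scenario())
    print("deny         :", deny_scenario())
```

The practical check before trusting a layout like this is to log in as a test account that belongs to every relevant AD group and inspect what it can do at each level, because the answer depends on where each entry sits in the tree, not on which role is stronger.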
gogogo5
Hot Shot

"If both AD groups are defined at the same object level (i.e. datacenter or specific guest) it acts like NTFS permissions, meaning the least restrictive wins."

I thought NTFS permissions at the same level i.e. on a standard folder are cumulative?
