This may be a simple question to answer...are VC permissions least or most restrictive? To clarify, if I'm part of two AD groups...one with more permissions than the other, and these two AD groups are assigned different permissions in VC...when I log in, what permissions do I have? Any feedback will be greatly appreciated. Thanks.
Ha...great question. I went through this a few months ago. Here's what I found after some very unscientific testing:
If both AD groups are defined at the same object level (i.e. datacenter or specific guest) it acts like NTFS permissions, meaning the least restrictive wins.
If the groups are defined at different object levels (i.e. one is at the datacenter, the other is on a specific guest), then it's like shares and NTFS, meaning the most restrictive wins.
adam
you have the highest level. you need to use denied permissions in VC.
i.e. to restrict access to resource groups - give access permissions to groups at datacenter level then deny access at resource group level to the groups you do not want to give access to.
Here we have the same problem. We opened a ticket with VMware and they suggested that we open a feature request thread, so, if someone is interested in this feature, "sign" this:
http://www.vmware.com/community/thread.jspa?threadID=78131&tstart=0
VC uses the most restrictive permission ALWAYS when 2 permissions overlap, this is unfair because virtualcenter relies on active directory which uses different security rules.
I have noticed this same issue. You have to be VERY careful, because if you did something as simple as:
Administrators - full access
Domain Users - Read Only
You could lock yourself out with no way to get back in!!!
Of course this is a simplified example but even within my own department, I am a full VC admin and I have others who only need their own group of servers, and I am also a member of those AD groups. After I locked myself out I had to go remove myself from that AD group to get back into VC admin.
I can't believe that they implemented a security model that doesn't allow for most inclusive instead of most restrictive rights, and then tied it to Active Directory!!
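To make the two behaviours in this thread concrete, here is an added Python model (not VMware's code and not from any poster) of the rule adam describes: permissions granted on the same object are combined, while a permission on a more specific object replaces whatever is inherited from its parent. It then replays the lockout scenario above (a full admin at the datacenter who is also in a group given Read-only lower down) and reports every object where such an admin would lose the ability to edit permissions. The inventory, group names, roles and privilege tokens are all constructed for the example.

```python
"""Constructed model of VirtualCenter permission resolution as described in
the thread: same object -> union of the user's group roles; more specific
object -> overrides the parent. Not VMware's implementation."""

from collections import defaultdict

# Constructed inventory: child object -> parent object (None marks the root)
PARENT = {
    "Datacenter": None,
    "Folder-Prod": "Datacenter",
    "VM-web01": "Folder-Prod",
    "Folder-Dev": "Datacenter",
    "VM-dev01": "Folder-Dev",
}

# Constructed roles as sets of privilege tokens (not real vSphere privilege ids)
ROLES = {
    "Administrator": {"view", "power", "configure", "manage_permissions"},
    "Read-only": {"view"},
    "No access": set(),
}

# Constructed permission entries: (object, AD group, role)
PERMISSIONS = [
    ("Datacenter", "VC-Admins", "Administrator"),
    ("Datacenter", "Domain Users", "Read-only"),
    ("Folder-Prod", "Prod-Operators", "Read-only"),
    ("VM-dev01", "Dev-Team", "Administrator"),
]

# Constructed AD group memberships; alice is the "full VC admin who is also
# in the restricted group" case from the thread
MEMBERS = {
    "alice": {"VC-Admins", "Domain Users", "Prod-Operators"},
    "bob": {"Domain Users", "Dev-Team"},
}


def _ancestry(obj, parent=PARENT):
    """Yield obj, then each ancestor up to the root."""
    while obj is not None:
        yield obj
        obj = parent[obj]


def effective_privileges(user, obj, permissions=PERMISSIONS, members=MEMBERS):
    """Privileges user holds on obj under the thread's rule.

    Walk from obj towards the root; the first object that carries an entry
    for any of the user's groups decides, and all entries on that one object
    are combined (union). Nothing found -> no access."""
    groups = members.get(user, set())
    by_obj = defaultdict(set)
    for o, grp, role in permissions:
        if grp in groups:
            by_obj[o] |= ROLES[role]
    for node in _ancestry(obj):
        if node in by_obj:
            return frozenset(by_obj[node])
    return frozenset()


def lockout_risks(permissions=PERMISSIONS, members=MEMBERS, parent=PARENT):
    """Return (user, object) pairs where a user who can manage permissions at
    the root cannot manage them on some descendant, i.e. the lockout the
    thread describes. Sorted by user, then object for stable output."""
    root = next(o for o, p in parent.items() if p is None)
    risks = []
    for user in members:
        if "manage_permissions" not in effective_privileges(user, root, permissions, members):
            continue
        for obj in parent:
            if "manage_permissions" not in effective_privileges(user, obj, permissions, members):
                risks.append((user, obj))
    return sorted(risks)


if __name__ == "__main__":
    for user in MEMBERS:
        for obj in PARENT:
            print(f"{user:6} {obj:12} {sorted(effective_privileges(user, obj))}")
    print("lockout risks:", lockout_risks())
```

In this model alice keeps full rights on Folder-Dev and VM-dev01 (nothing below the datacenter applies to her groups there) but drops to view-only on Folder-Prod and VM-web01 because the Read-only entry on Folder-Prod is the most specific one she matches, which is exactly the "most restrictive wins" outcome reported above; removing her from Prod-Operators, as the poster did, restores the inherited Administrator role. Two things the real product also has are left out of this sketch: entries granted directly to a user (not via a group) and entries marked as non-propagating, both of which change which entry is "most specific".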
If both AD groups are defined at the same object level (i.e. datacenter or specific guest) it acts like NTFS permissions, meaning the least restrictive wins.
I thought NTFS permissions at the same level i.e. on a standard folder are cumulative?