VMware Cloud Community
dourtyb
Contributor

Trouble with permissions and roles

I'm trying to limit access to VMs based on local groups and am having a heck of a time. I've created the following local groups on the VC host.

VC Admins

Team 1

Team 2

Team 1 and Team 2 have members assigned via an AD group. They are local groups on the VC server but don't have individual AD users in them. Make sense?

I want to give VC Admins full rights while giving Team 1 and Team 2 rights to a folder and subfolders defined in the "Virtual Machines and Templates" view. They need to be able to power on/off the VMs, make and apply snapshots, and upgrade VM tools. If I define Team 1 with the VM Power User role at the folder level they are not able to start the VM. They have the option in the menu, but when they click power on it does nothing. Logged in as an admin I see the message that they initialized a power on, but they never get the dialog to pick what host to start it on. Do I need to assign some other permission at the host level?

Thanks,

Brian D.

9 Replies
mike_laspina
Champion

Hello,

What version of VC and ESX are you running?

You have AD, you should create the groups there not on the local system.

http://blog.laspina.ca/ vExpert 2009
dourtyb
Contributor

Virtual Center 2.5/ESX 3.5. Team 1 and Team 2 are each made up of multiple AD groups.

dourtyb
Contributor

By adding "Read Only" access to the "Datacenter" for TEAM 1 I am now able to start/stop VMs and take/remove snapshots logged in as a member of TEAM 1. I can't mount an ISO or the CD drive from the Virtual Center client machine. I get a permission denied logged in as a member of TEAM 1. Any ideas?

Thanks,

Brian

mike_laspina
Champion

Ok,

There is an issue with perms in VC for CD-ROM connections. You need to create an additional permission assignment at the Hosts and Clusters level.

Create a new role named ReadAndConnect from a cloning of the ReadOnly role.

Set the perms as follows.

Virtual Machine->Interaction->Device Connect

Assign the role to the team 1 group at the Host and Clusters level and do not propagate it.

This should clear the CD issue and you may not need the other readonly perm that was set earlier.

http://blog.laspina.ca/ vExpert 2009
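The two-part assignment described above (a cloned Read-only role with the Device Connect privilege, assigned without propagation at the Hosts and Clusters level, alongside the folder-level VM Power User assignment from the original post) expressed as a PowerCLI script. This is an added example, not code from the thread or from VMware; it assumes a vCenter at the placeholder "vc01.example.com", a cluster named "Cluster01", a VM folder named "Team 1 VMs", that the VC-local group is referenced as "VCHOST\Team 1", that the built-in roles are named "Read-only" and "Virtual machine power user", and that the privilege id "VirtualMachine.Interaction.DeviceConnection" is the one behind "Virtual Machine -> Interaction -> Device Connect".

```powershell
# Added example (PowerCLI), not code from the thread. Names below are assumptions:
# server, cluster, folder, group principal, role names and the privilege id.
Connect-VIServer -Server "vc01.example.com"

$principal = "VCHOST\Team 1"

# 1. Clone the built-in Read-only role into "ReadAndConnect" (idempotent).
$readOnly = Get-VIRole -Name "Read-only"
$readAndConnect = Get-VIRole -Name "ReadAndConnect" -ErrorAction SilentlyContinue
if (-not $readAndConnect) {
    $readAndConnect = New-VIRole -Name "ReadAndConnect" `
        -Privilege (Get-VIPrivilege -Role $readOnly)
}

# 2. Add only the device-connection privilege; that is what CD/ISO mounting needs.
$deviceConnect = Get-VIPrivilege -Id "VirtualMachine.Interaction.DeviceConnection"
Set-VIRole -Role $readAndConnect -AddPrivilege $deviceConnect | Out-Null

# 3. Assign it at the cluster (Hosts and Clusters view) WITHOUT propagation, so the
#    team does not inherit read access to every VM under the hosts.
$cluster = Get-Cluster -Name "Cluster01"
New-VIPermission -Entity $cluster -Principal $principal `
    -Role $readAndConnect -Propagate:$false | Out-Null

# 4. The team's operational rights stay on its own folder and propagate to subfolders.
$folder = Get-Folder -Name "Team 1 VMs" -Type VM
New-VIPermission -Entity $folder -Principal $principal `
    -Role (Get-VIRole -Name "Virtual machine power user") -Propagate:$true | Out-Null

# 5. Audit: list every permission this principal holds, where, and whether it propagates.
#    A propagating entry on the Datacenter here is what exposes other teams' VMs.
Get-VIPermission |
    Where-Object { $_.Principal -eq $principal } |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

Step 5 is the check worth re-running after any change: the least-privilege goal is that the only propagating entry for the team is the one on its own folder.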
vmware12
Enthusiast

Hmm...that bug sucks. We are running VC 2.5 build 64192. It looks like build 64201 is available. Any idea if this bug is fixed in the new build?

I still have to give TEAM1 read-only access with propagation at the datacenter level. Otherwise they can't start/stop etc. Doing so allows them to view all VMs on the ESX host, and I'd prefer they only see VMs they have control over.

Thanks for all your help.

Brian

mike_laspina
Champion

I think the start/stop issue may be related. Try adding start/stop to the ReadAndConnect role and see if it changes; again, no propagation.

http://blog.laspina.ca/ vExpert 2009
vmware12
Enthusiast

Nope. I just tried adding the other "Interaction" permissions to the "Read-And-Connect" role I created. Didn't work. It seems that it needs to be propagated. I'll open a case with VM Support tomorrow and see if I can get anything useful out of them.

Brian

hicksj
Virtuoso

You have AD, you should create the groups there not on the local system.

Especially if the original poster has a multi-domain forest (amongst several other reasons), it's a really good idea to use local groups. Recently discussed this in the last post here: http://communities.vmware.com/message/871478

Wow... Sounds like a lot of folks have recently run into this CD-ROM mount issue. All of a sudden we've seen a ton of posts on this.

On the "Power On" issue, are you using DRS with the cluster? If DRS is set to manual, you may be experiencing the same issue seen in this thread: http://communities.vmware.com/message/883105

Regards

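The DRS check suggested above, as an added PowerCLI example that is not part of the thread: with DRS in manual mode a power-on waits for the operator to pick a host, and a user whose permissions do not reach the Hosts and Clusters tree never sees that dialog. The cluster name "Cluster01" is an assumption.

```powershell
# Added example (PowerCLI), not code from the thread. "Cluster01" is a placeholder.
$cluster = Get-Cluster -Name "Cluster01"

# Report the current setting before changing anything.
$cluster | Select-Object Name, DrsEnabled, DrsAutomationLevel

# Manual DRS: every power-on stops at a host-placement recommendation.
# Partially automated: DRS places the VM at power-on itself and only recommends
# later migrations, which is the smallest change that removes the prompt.
if ($cluster.DrsEnabled -and $cluster.DrsAutomationLevel -eq "Manual") {
    Set-Cluster -Cluster $cluster -DrsAutomationLevel PartiallyAutomated -Confirm:$false
}

# Confirm the result.
Get-Cluster -Name "Cluster01" | Select-Object Name, DrsAutomationLevel
```

Changing the automation level fixes the prompt for everyone; if the team should also be able to answer placement prompts themselves, that is a separate permission on the cluster, not on the VM folder.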
vmware12
Enthusiast

Yep, DRS in manual mode. I'll try the partially automated method as suggested in the linked thread.

Brian
