jketron
Enthusiast

Virtual Center user permissions

Has anyone successfully used VC's permissions to confine a group of users so they can only use the resources assigned to their resource group?

I'd like to take an AD group, assign them a resource pool and let them create at will using the VC client. The goal would be to not allow them outside of the resource pool.

John

16 Replies
BryanMcC
Expert

Sure... Once the Resource Pool is created you can use the Resource Pool Administrator role to assign the permissions to the group in question by highlighting the resource pool and using the Permissions tab.

Help me help you by scoring points... :)

jketron
Enthusiast

I see that, but I am having issues with the user in that group being able to create within that particular group.

I have a VC environment where I have several SAs, and I would like each group to only have access to their folder and be able to admin just that one folder. The other group would have access to the other folder.

BryanMcC
Expert

Maybe I am not understanding your question, but it sounds like you need multiple groups... When you have the multiple groups you will assign the permissions to each resource pool and its respective group, i.e.

Group: ResourcePoolA-Admins

Users: bobby; joe; etc..

Permissions assigned to ResourcePoolA

Group: ResourcePoolB-Admins

Users: mary; shelly; etc...

Permissions assigned to ResourcePoolB

and so on....

Let me know if you are looking for something else, because I have been playing with permissions all day :)

taylorb
Hot Shot

I have created local groups on my VC server (could be in AD too) and put the AD accounts for the different admins in those groups. Then I created folders in VC to organize my VMs and assigned the Windows group rights to that folder. You should be able to do the same thing at the datacenter or resource pool level.

jketron
Enthusiast

I have a resource group called Linux. I cloned the group Resource Administrators, added person A to that group, and then assigned that group to the resource group called Linux at that level only. Person A can log in and see the folder and create only a typical server; it gets hung up at the Host/Cluster level in the create VM wizard.

jketron
Enthusiast

The goal is to create a group that has access and visibility to only the resource group folder I assign them to. I want them to be able to create typical and custom VMs within the confines of that resource group. I do not want them to be able to modify the resource group resources.

BryanMcC
Expert

Cloning the role is a good idea then... Just modify the permissions for the cloned group to match your goals.

As far as your previous post, it sounds as if you may have another problem. Have you tried this on a non-clustered host?

jketron
Enthusiast

My lab is nothing more than 2 ESX servers. The wizard fails when I get to the host/cluster part, where you need to choose the root level to install at. If you can, start building a VM and watch the screen for that prompt.

++

jketron
Enthusiast

Here is a screenshot of where my wizard hangs up.

jketron
Enthusiast

Let me see if I can summarize a bit.

In VC I have resource pools that I view using VC and the "Hosts and Clusters" view.

The resource pool is called Linux Lab and I have VMs in that pool.

I want a role that is only capable of using this resource pool to create and manage VMs.

I'd also like to restrict them from modifying the pool, in the sense of adding resources to the pool.

BryanMcC
Expert

Keep in mind also that there are two different ACLs in VC. One is for Virtual Machines and Templates, the other is for Hosts and Clusters.

You will need to create a folder under VMs and Templates and grant VM Administrator to the group. Afterwards you can grant permissions on the resource pool as the cloned Resource Pool Administrator with modified rights so they cannot modify the resource allocations.

Once this is done, when they create the VM they will need to choose the folder you have granted permissions on in Hosts and Clusters to place the VM in. Any other option will not allow them to move forward.

I am in training all day today but will be happy to get into more details if you still have problems.

hicksj
Virtuoso

You will require a role to be assigned to the resource pool, under the Hosts & Clusters inventory view. You can also assign this same role to your folder under the Folders & Template view.

You then require a THIRD permission to be granted. The users must have (at least) the Read-Only role (No Propagate) assigned at the Datacenter. To assign a VM during creation, the user must have permissions to select a folder to store the VM under, along with permissions to see what datastores are available. Without the third permission you'll get hung up at the next step in the VM creation sequence.

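The three-part setup the thread converges on (a reduced-rights role on the resource pool in Hosts & Clusters, the same role on a VM folder in VMs & Templates, and a non-propagating Read-Only grant at the datacenter so the datastore list is visible), written out as a PowerCLI script. This is an added example, not code from any poster or from VMware. It assumes the standard PowerCLI cmdlets (Connect-VIServer, New-VIRole, New-VIPermission, Get-VIPermission), privilege IDs as named in current vSphere releases (VC 2.x used different names, so check them with Get-VIPrivilege), and placeholder names for the vCenter host, datacenter, AD group, pool and folder.

```powershell
# Added example, not from the thread. Assumes VMware PowerCLI is installed and the
# account running it may manage roles and permissions in vCenter.
# All names below are placeholders taken from the discussion; adjust to your inventory.
$vcServer   = 'vcenter.example.local'      # placeholder vCenter host
$dcName     = 'Datacenter'                 # placeholder datacenter name
$adGroup    = 'EXAMPLE\LinuxLab-Admins'    # placeholder AD group (DOMAIN\group)
$poolName   = 'Linux Lab'
$folderName = 'SubFolderB'

Connect-VIServer -Server $vcServer | Out-Null

# 1. Custom role for the pool: enough to create, configure and run VMs inside it,
#    but deliberately no Resource.EditPool or Resource.CreatePool, so members cannot
#    change the pool's shares, reservations or limits (the "do not modify the pool"
#    requirement). Privilege IDs follow current vSphere naming; verify with
#    Get-VIPrivilege on your version and trim to what your wizard actually needs.
$poolPrivIds = @(
    'Resource.AssignVMToPool',
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract',
    'Datastore.AllocateSpace',
    'Network.Assign'
)
$poolRole = Get-VIRole -Name 'LinuxLab-PoolUser' -ErrorAction SilentlyContinue
if (-not $poolRole) {
    $poolRole = New-VIRole -Name 'LinuxLab-PoolUser' -Privilege (Get-VIPrivilege -Id $poolPrivIds)
}

# 2. Grant on the resource pool (Hosts & Clusters view), propagated so it also
#    covers the VMs that end up in the pool.
$pool = Get-ResourcePool -Name $poolName
New-VIPermission -Entity $pool -Principal $adGroup -Role $poolRole -Propagate $true | Out-Null

# 3. Same role on the VM folder (VMs & Templates view). Without this the wizard's
#    "select a folder" step offers nothing the user is allowed to pick.
$folder = Get-Folder -Name $folderName -Type VM
New-VIPermission -Entity $folder -Principal $adGroup -Role $poolRole -Propagate $true | Out-Null

# 4. The "third permission" from hicksj's post: Read-Only at the datacenter,
#    NOT propagated, so datastores are listable without exposing sibling pools
#    and folders further down the tree.
$dc       = Get-Datacenter -Name $dcName
$readOnly = Get-VIRole -Name 'ReadOnly'    # built-in system role
New-VIPermission -Entity $dc -Principal $adGroup -Role $readOnly -Propagate $false | Out-Null

# Verification: every grant the group holds. Anything above the pool/folder that
# has Propagate = True widens the scope beyond what was intended.
Get-VIPermission -Principal $adGroup |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

The final listing is the check worth keeping around: re-run it after any change and confirm the datacenter row still shows Propagate as False and that no grant exists on other pools or folders.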
BryanMcC
Expert

I have run through this very scenario in my lab with no read-only permissions for the user in question or the group that I am assigning to the role. This proves true if you grant permissions to an object (say a VM) for a user. You will be able to see the datacenter and nodes leading to the object, yet you will not be able to modify or manipulate the parent objects in VC.

In my lab I have done the following: create a resource group in Hosts and Clusters and grant permissions to a group I have assigned to the Resource Admins role; move to VMs and Templates and create a folder granting the group VM Admin rights on the folder. During creation I even create a parent folder called Folder1 above SubFolderB, where the permissions are granted, and no permissions are assigned to Folder1.

i.e....

Datacenter (no permissions)

Folder1 -- (no perms)

SubFolderB -- (VM Admins)

When creating VMs I start at the Resource Pool in Hosts and Clusters, then browse to SubFolderB when asked where to place my VM, and voilà! VM created.

hicksj
Virtuoso

> I have run through this very scenario in my lab with no read-only permissions for the user in question or the group that I am assigning to the role. This proves true if you grant permissions to an object (say a VM) for a user. You will be able to see the datacenter and nodes leading to the object, yet you will not be able to modify or manipulate the parent objects in VC.

That's correct. You do not need rights at a higher level to view/access an object you've been granted permissions to.

> When creating VMs I start at the Resource Pool in Hosts and Clusters, then browse to SubFolderB when asked where to place my VM, and voilà! VM created.

Something has then changed in the permissions configuration. This was not always the case.

hicksj
Virtuoso

Something has definitely changed in the permissions structure. Following guidelines for "minimum permissions" (i.e. not using the default roles, but custom roles with only those privileges that should be required to create VMs, and in my case only from a template), creating a VM is not allowed without RO at the Datacenter.

In VC2.0.2, the VI Client throws an exception in the "Deploy Template Wizard" when it switches to the Datastore view. The error states "Permission to perform this operation was denied." However, you can hit the "Continue" option and you're allowed to select a Datastore. Another error is thrown at the end of the wizard and ultimately the process fails. In VC2.0.1, the deployment wizard would not even continue past the Datastore option, as there would be no datastores listed to select without RO at the Datacenter.

There must be some "backdoor" that gets opened by using a combination of permissions at both the Folder & Resource levels, providing access to the Datacenter level. I'm curious what specific privilege(s) trigger this backdoor.

Message was edited by: hicksj

If the original poster is using custom roles, there may be an absence of whatever specific combination triggers access to the datastore list, and therefore they would require privs at the Datacenter.

dbrawders1970
Contributor

Is it possible to assign a role directly to an AD domain group? I just built our VMVC2.5 system and was trying to assign a role to a domain group that required access. It wasn't until I built a local group on the server and then made that domain group a member of that server that I was able to log on via the Virtual Infrastructure Client and/or the web interface. Is this by default, or have I screwed up my installation somewhere?

Thanks in advance.

Derek
