I was just troubleshooting a problem with permissions and roles at a customer site within vCenter. For some weird reason we could not create a VM. I hardly ever use this functionality and if I do it’s mostly on a “Hosts & Clusters” level.
This customer wanted to set permissions on a “HA-DRS” Cluster level. Each cluster will be administered by a different group of admins. These admins should not be allowed to do any administrative tasks on one of the other clusters in vCenter. Half of the setup worked, as in the admins could do certain tasks on the ESX hosts, but there was no way they could create VMs.
I browsed through my documentation but couldn’t find anything useful; luckily, VI:OPS contained an excellent document on this topic: VI3 Roles and Permissions.
I did a copy and paste of the information that clarified the problem we were facing:
VMs appear in the inventory in two places: under the “Virtual Machines and Templates” view and the “Hosts and Clusters” view. This is also reflected in their privilege inheritance: VMs inherit privileges from both the containing host/cluster object as well as the containing VM/Template folder. Under Hosts and Clusters, possible containing objects include: folders, clusters, hosts, and resource pools. The two views and hierarchies become unified at the top level datacenter (or any folder that contains the datacenter).
Certain tasks require privileges on both sides of the hierarchy. For example, to create a VM, you need to have the “VM > Inventory > Create” privilege on a VM folder (in the VM view) as well as “Resource > Assign VM to Resource Pool” somewhere on an object in the Host view (folder, cluster, host, or resource pool). If you have a role which contains both these privileges, and you assign it at the datacenter level, it will propagate down both sides of the hierarchy. If, however, you want to limit its scope, then you’d need to apply it separately to individual subsections on each side of the hierarchy.
In other words, creating VMs requires permissions on both levels, “Datacenter” and “Cluster”.
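As an added illustration (a constructed model written for this post, not VMware code or anything from the VI:OPS document), the following walks both inheritance chains and applies the create-VM rule quoted above. Object names (ClusterA, vmFolderA, esx01), the two privilege labels and the group names are assumed.

```python
# Model of vCenter's two inventory hierarchies and the create-VM privilege check.
# Constructed example: object names, privilege labels and principals are assumed.
CREATE = "VM > Inventory > Create"                 # needed on a VM folder (VM view)
ASSIGN = "Resource > Assign VM to Resource Pool"   # needed on a host-view object

# Each object lists its parents. A cluster lives only in the Hosts & Clusters tree,
# a VM folder only in the VMs & Templates tree, and a VM has one parent in each;
# both trees meet at the Datacenter.
PARENTS = {
    "Datacenter": (),
    "ClusterA": ("Datacenter",), "ClusterB": ("Datacenter",),
    "esx01": ("ClusterA",),
    "vmFolderA": ("Datacenter",),
    "vm01": ("vmFolderA", "esx01"),
}

def effective_privileges(perms, principal, obj):
    """Privileges `principal` holds on `obj`: its own permission entry plus any
    propagating entry on an ancestor, along every parent chain.
    perms maps (principal, object) -> (set_of_privileges, propagate_flag)."""
    privs, seen, stack = set(), set(), [(obj, True)]
    while stack:
        node, is_target = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        entry = perms.get((principal, node))
        if entry and (is_target or entry[1]):   # non-propagating entries apply only to their own object
            privs |= entry[0]
        stack.extend((parent, False) for parent in PARENTS[node])
    return privs

def can_create_vm(perms, principal, vm_folder, host_side_object):
    """The rule from the VI:OPS text: Create on the folder AND Assign on the host side."""
    return (CREATE in effective_privileges(perms, principal, vm_folder)
            and ASSIGN in effective_privileges(perms, principal, host_side_object))

def cluster_only_permissions():
    """The customer's setup: a role carrying both privileges, but assigned only on ClusterA."""
    return {("clusterA-admins", "ClusterA"): ({CREATE, ASSIGN}, True)}

def fixed_permissions():
    """The fix: apply the same role on the VM-folder side too, and show that a
    datacenter-level assignment propagates down both sides on its own."""
    perms = cluster_only_permissions()
    perms[("clusterA-admins", "vmFolderA")] = ({CREATE, ASSIGN}, True)
    perms[("dc-admins", "Datacenter")] = ({CREATE, ASSIGN}, True)
    return perms
```

Running `can_create_vm(cluster_only_permissions(), "clusterA-admins", "vmFolderA", "ClusterA")` reproduces the failure, and the fixed set grants it on ClusterA but still not on ClusterB.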
Arnim says
When I set the create_VM permissions in the “Virtual Machines and Templates” view it implies in my opinion that I also want to give the appropriate permissions on the resource pool. Why do I still have to set these permissions separately?
These permissions and roles have given me a headache many times. There is also no inheritance at a lower level if I give other permissions to the same user or group. So I need to create another role just to give some other permissions. In my opinion there’s still room for improvement here.
Virgil says
If you want to control delegation of permissions with more granularity than “read only” and “all access” the roles and permissions are actually quite powerful.
Hosts and Clusters view is for assigning permissions to roles for controlling CAPACITY on the CLUSTER.
Virtual Machines and Templates view, with effective use of folders is for delegating permission across ALL DATACENTERS.
i.e. a customer/department with capacity allocations (resource pools) across multiple VI3 clusters. Permissions assigned to a folder in the VM&T view would apply to all VMs on all clusters.
There’s a nice blog entry here that might help too: http://www.jeremypries.com/?p=104