A few days ago I had some trouble giving role permissions for specific operations in VMware vSphere environment that I administrate. I’ve found out an important property of vSphere folder structure while solving these problems:
- I would give a set of datastores to our backup administrators for restore operations. They already have propagated read-only permissions from the root of vCenter server. I’ve reserved three datastores, put them in a folder in Datastore view and given necessary propagated permissions to this particular folder explicitly for provisioning of restored VMs. They said they couldn’t do a single restore. It was giving error about the permissions. First I thought built-in read-only permissions override my explicit setting.
- For a second case; I would give permission to VMs under a specific folder for OS administators:
- console control, power operations,
- complete control on vmnic,
- change between the VLANs (port groups) that I preconfigured in vSwitch.
They could do all except for the last one. They couldn’t see any vSwitch port groups inside the drop-down menu in vmnic tab. But why? They had the permissions required, mentioned in this article. After several tries, I made it work only when I defined these permissions in another role and assigned this propagated role to them from the root of vCenter server.
I wondered that there is an issue about the propagation and permissions from the root of vCenter server. Until one day, when I hit something while writing a script in PowerCLI:
Types!!! Should have known that! I had googled it but all I could find was general idea about vSphere permissions.
First of all I’ve created a folder in “VMs and Templates” view for the backup admins and assigned the same role to this folder with the “Datastore” RESTORE folder. Because they need permissions on VMs also. I’ve told them to try to restore only in this “VM” RESTORE folder. They’ve succeeded. Bingo, first problem solved!
Then I’ve created a “Network” folder in Network view and put the port groups I defined in. I’ve assigned the same permissions to this “Network” folder with the OS Admin “VM” folder. They could see the VLANs afterwards even I deleted the work-around permissions from the root of vCenter server.
You see, these folders have types according to the views they are created in. If you need any more complex permissions, you must take this into account. It becomes crystal clear after getting the main idea and with a little research: “Create a Folder”
Sorry that I can’t share my environment’s screenshots :/ But happy to help with any questions through comments 🙂