Standalone ESX Resource Group Permissions
I have recently had the need to setup a standalone ESXi 5 server (no vCenter) with several resource groups for a lab session.
Each resource group was to be assigned a user who would be able to setup and modify VMs within that group- essentially having admin rights but only over that group. Each user should not be able to see into another user’s resource group. This turned out to be trickier than expected.
I expected the permissions on this to be quite straightforward- assign the Administrator role to the given user at the Resource Group level- however this created the situation where the vSphere Client would crash as soon as the New Virtual Machine
wizard was kicked off. Assigning Read-only permissions at the top level (not propagation) fixed this, but produced the error You do not have the privilege 'Virtual machine > Inventory > Create new' on the selected Host.
.
Adding that permission with no propagation (remember, I didn’t want to grant User A permission to make VMs in User B’s group) didn’t work and the error persisted. After a bit of fiddling around, I found the solution.
Firstly, grant the permissions to all the users (via a user group) at the top level as detailed on the VMware KB and ensure propagation is turned on. Then go to each resource group in turn and modify the properties of the user group, setting it to “No access”. The resulting permissions for the resource group show the specific user having Administrator
role and the User Group having No access
.
The final result works. Each user can see their resource group, but none of the others. The local root user can still see everybody’s resource group. It’s a fiddly workaround and I’m glad I only had a handful of users to setup- otherwise PowerCLI would probably be called into play.