How to assign permissions on a Resource Pool so that users can create virtual machines only in their own pool.
1. Roles
1.1 Created role for VM administration (Virtual Machine Administrator) with all privileges from "Virtual machine"
1.2 Created role for VM administration and resource pool administration (Virtual Machine Administrator and Resource Pool Consumer) with all privileges from "Virtual machine" and "Resource.Assign virtual machine to resource pool" privilege.
1.3 Created role for VM creation (Virtual Machine Creator) with "Virtual machine.Inventory.Create new" privilege.
1.4 Created role for datastore use (Datastore Consumer) with "Datastore.Allocate Space" and "Datastore.Browse Datastore" privileges
1.5 Created role for network use (Network Consumer) with "Network.Assign network" privilege
You can combine 1.4 and 1.5 in one role if you find my solution a bit complex =).
2. Users
2.1 User1 (controls resource pool "u1")
2.2 User2 (controls resource pool "u2")
3. Groups (both users from "2" are members of all groups below)
3.1 esxusers - just to break some limitations
3.2 dstorecons - datastores consumers
3.3 netcons - network consumers
Then I granted the following permissions:
On ESX host (all permissions with "propagate" option enabled)
dstorecons - Datastore Consumer
netcons - Network Consumer
esxusers - Virtual Machine Creator
On common resource pool (no specific permissions - all inherited from ESX host)
On User1's resource pool - u1
User1 - Virtual Machine Administrator and Resource Pool Consumer - with propagate option
esxusers - No access
And the same on User2's resource pool, except for the username.
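
The same layout expressed as a PowerCLI script. This is an added example, not part of the original note. Assumptions: the host name is a placeholder, the local users and groups from sections 2 and 3 already exist, and the privilege IDs are the API identifiers behind the UI names quoted above.

```powershell
# Added example (not from the original note): roles and permissions via PowerCLI.
# Assumption: 'esx01.example.local' is a placeholder for the ESX host.
Connect-VIServer -Server 'esx01.example.local' | Out-Null

# Hypothetical helper: build a role from privilege IDs (wildcards allowed).
function New-RoleFromIds {
    param([string]$Name, [string[]]$IdPatterns)
    $privs = Get-VIPrivilege -PrivilegeItem | Where-Object {
        $id = $_.Id
        @($IdPatterns | Where-Object { $id -like $_ }).Count -gt 0
    }
    New-VIRole -Name $Name -Privilege $privs
}

# 1. Roles (1.1 - 1.5)
$vmAdmin   = New-RoleFromIds -Name 'Virtual Machine Administrator' -IdPatterns 'VirtualMachine.*'
$vmAdminRp = New-RoleFromIds -Name 'Virtual Machine Administrator and Resource Pool Consumer' `
                 -IdPatterns 'VirtualMachine.*', 'Resource.AssignVMToPool'
$vmCreator = New-RoleFromIds -Name 'Virtual Machine Creator' -IdPatterns 'VirtualMachine.Inventory.Create'
$dsCons    = New-RoleFromIds -Name 'Datastore Consumer' `
                 -IdPatterns 'Datastore.AllocateSpace', 'Datastore.Browse'
$netCons   = New-RoleFromIds -Name 'Network Consumer' -IdPatterns 'Network.Assign'

# Host-level permissions, all with propagation enabled.
$esx = Get-VMHost
New-VIPermission -Entity $esx -Principal 'dstorecons' -Role $dsCons    -Propagate $true
New-VIPermission -Entity $esx -Principal 'netcons'    -Role $netCons   -Propagate $true
New-VIPermission -Entity $esx -Principal 'esxusers'   -Role $vmCreator -Propagate $true

# Per-pool permissions: the owner gets the combined role, the shared group is cut off.
$noAccess = Get-VIRole -Name 'NoAccess'   # built-in "No access" role
$owners = @(
    @{ User = 'User1'; Pool = 'u1' },
    @{ User = 'User2'; Pool = 'u2' }
)
foreach ($o in $owners) {
    $pool = Get-ResourcePool -Name $o.Pool
    New-VIPermission -Entity $pool -Principal $o.User -Role $vmAdminRp -Propagate $true
    # Propagation for this entry is not stated in the note; $true is an assumption.
    New-VIPermission -Entity $pool -Principal 'esxusers' -Role $noAccess -Propagate $true
    # Review what is actually set on the pool.
    Get-VIPermission -Entity $pool | Select-Object Entity, Principal, Role, Propagate
}
```

The "No access" entry for esxusers also covers the pool owner as a group member; it does not lock the owner out because a permission assigned directly to a user on an object takes precedence over group permissions on that same object.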
Details:
http://pubs.vmware.com/vsp40u1_i/wwhelp/wwhimpl/js/html/wwhelp.htm#href=admin/r_required_privileges_for_common_tasks.html