Restricting where VMs can be created


Hello all,


I’ve been trying to wrap my head around this for some time now and I just can’t figure out how to make it work the way I would like. I am being asked to set up the proper permissions to allow our software developers to create/modify/delete virtual machines within our production ESXi cluster. I have this part configured. The part I am struggling with is restricting this access to a certain area (within a folder or resource pool etc.) – not the entire cluster or datacenter.


I have a custom role set up that has what appears to be the proper permissions – but I feel like I can’t get this correct because of where the permissions need to be applied.

Datastore: Allocate space, Browse datastore, Update virtual machine files, Update virtual machine metadata
Host: Local operations > Create virtual machine, Delete virtual machine, Reconfigure virtual machine
Network: Assign network
Resource: Assign virtual machine to resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine
Virtual Machine: Change Configuration (All)
Virtual Machine: Edit Inventory > Create new, Remove, Unregister
Virtual Machine: Interaction
Virtual Machine: Provisioning > Modify customization specification, Read customization specification
Virtual Machine: Snapshot Management (All)


I am feeling like I need to move the datastores that they are authorized to use into a folder, and set a specific permission on that folder for a datastore role. Same for networks. Once I hit the host level I start to question my thoughts. If I grant Create Virtual Machine permission at the Host level (or Cluster, or Datacenter) this would allow creating a VM across the entire ESXi cluster, correct?


In addition to that – I feel like having to create specific roles / permissions for the datastore layer, network layer, resource layer, VM layer, and host layer seems like a lot of complexity for what I am trying to accomplish.


Again, if I set the above permissions at the Datacenter level and propagate to children, this role is able to perform all of the functions needed for their job. However, they also have permission to do more than needed.


How do I go about restricting this?
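One way to apply the folder and resource-pool scoping the post reasons about, written as an added PowerCLI example rather than anything from the original post: vCenter checks the privileges on the destination VM folder, resource pool, datastore and network of a new VM, so the custom role is assigned on those four objects instead of on the Datacenter. The vCenter hostname, role name, AD group and every folder/pool name below are assumptions.

```powershell
# Added example, not from the original post. Assumed names: vCenter
# vcenter.example.com, custom role "DevVMOps", group "CORP\vm-developers",
# datacenter "Prod-DC", VM folder "DevVMs", resource pool "DevPool",
# datastore folder "DevDatastores", network folder "DevNetworks".
Connect-VIServer -Server 'vcenter.example.com'

$role      = Get-VIRole -Name 'DevVMOps'
$principal = 'CORP\vm-developers'
$dc        = Get-Datacenter -Name 'Prod-DC'

# 1. Remove the broad Datacenter-level assignment of the custom role;
#    propagated from here it reaches every host, pool and datastore.
Get-VIPermission -Entity $dc -Principal $principal |
    Where-Object { $_.Role -eq $role.Name } |
    Remove-VIPermission -Confirm:$false

# 2. Read-only at the Datacenter, without propagation, so the group can
#    still browse the inventory tree down to the objects it may use.
New-VIPermission -Entity $dc -Principal $principal `
    -Role (Get-VIRole -Name 'ReadOnly') -Propagate:$false

# 3. Assign the custom role only on the four scopes a VM is created in:
#    its VM folder, resource pool, datastore folder and network folder.
$scopes = @(
    Get-Folder       -Name 'DevVMs'        -Type VM        -Location $dc
    Get-ResourcePool -Name 'DevPool'                       -Location $dc
    Get-Folder       -Name 'DevDatastores' -Type Datastore -Location $dc
    Get-Folder       -Name 'DevNetworks'   -Type Network   -Location $dc
)
foreach ($entity in $scopes) {
    New-VIPermission -Entity $entity -Principal $principal `
        -Role $role -Propagate:$true
}

# 4. Verify: the group should now hold "DevVMOps" only beneath those
#    four objects and "ReadOnly" (non-propagating) on the Datacenter.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

Datastores and port groups that the group should use must already sit in the two folders named above; anything left outside them remains read-only to the group.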


