I’ve been trying to wrap my head around this for some time now and I just can’t figure out how to make it work the way I would like. I am being asked to set up the proper permissions to allow our software developers to create/modify/delete virtual machines within our production esxi cluster. I have this part configured. The part I am struggling with is restricting this access to a certain area (within a folder or resource pool etc) – not the entire cluster or datacenter.
I have a custom role set up that has what appears to be the proper permissions – but I feel like I can’t get this correct because of where the permissions need to be applied.
Datastore: Allocate space, Browse datastore, Update virtual machine files, Update virtual machine metadata, Host: Local operations > Create virtual machine, Delete virtual machine, Reconfigure virtual machine Network: Assign network Resource: Assign virtual machine to resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine Virtual Machine: Change Configuration (All) Virtual Machine: Edit Inventory > Create new, Remove, Unregister Virtual Machine: Interaction Virtual Machine: Provisioning > Modify customization specification, Read customization specification Virtual Machine: Snapshot Management (All)
I am feeling like I need to move the datastores that they are authorized to use into a folder, and set a specific permission on that folder for a datastore role. Same for networks. Once I hit the host level I start to question my thoughts. If I grant Create Virtual Machine permission at the Host level (or Cluster, or DataCenter) this would allow creating a vm across the entire ESXi cluster, correct?
In addition to that – I feel like having to create specific roles / permissions for the datastore layer, network layer, resource layer, vm layer, and host layer seems like a lot of complexity for what I am trying to accomplish.
Again, if I set the above permissions at the Datacenter level and propagate to children, this role is able to perform all of the functions needed for their job. However, they also have permission to do more than needed.
How do I go about restricting this?