5

Restrict Users and Groups to Resource Pools

Restrict Users to Resource Pools

 

With the speed and simplicity of virtualization, it’s no wonder more and more people want in! Administrators have traditionally been responsible for deploying virtual workloads for an organization. However, in some cases, they may want to remove themselves from the provisioning process and give that power to the users themselves.

Say for example you work for a small software company where budgets are tight and resources are limited. Your developers need many virtual machines spun up throughout the day and can’t usually wait for an administrator to handle their requests. You could build them their own vCenter with a bunch of hosts, but what if you don’t have the money or hardware to spare?

One answer could be resource pools. A resource pool is simply a logical unit of compute and memory resources. They can be used to guarantee and/or limit resources for a group of virtual machines.

New Resource Pool

How exactly do you restrict users and groups to resource pools?

Since a resource pool is a vCenter object, it is possible to delegate users and groups to a pool. This means that they would only have the ability to create virtual machines within their assigned pool. Think of it as a private cloud within a private cloud. Yo dawg!

Yo Dawg I Heard You Like Private Clouds

 

This seems pretty straightforward so far, but here’s where things get a little more complicated. Permissions! Admittedly, I struggle a bit with vCenter Permissions. Trying to configure them just right is often like trying to solve a puzzle and it may take some trial and error before you finally solve it. Our example of resource pools makes for a pretty complicated entertaining puzzle.

At first, it might appear that granting a group administrative rights to a resource pool would take care of everything.

Pool Administrator

 

However, upon further testing you discover that it’s just not that easy.

Cannot Deploy VM

 

This diagram shows the minimum permissions needed in order to create a new VM or deploy one from a template.

PermissionsDiagram

Note: These are the minimum permissions needed to deploy a VM. You will need to add further permissions to be able to perform other tasks such a removing a VM or taking snapshots.

As you can see, we need to set permissions on four objects within our vCenter, except that permissions cannot be directly applied to an object but roles can. Bear in mind that a role is just a collection of permissions. This may seem a bit convoluted, but it really helps keep things manageable by being able to take a look at a role like “administrator” and see who is assigned those permissions for an object. This is especially helpful when many roles are used. For example, have you ever seen a Windows share with hundreds of users or groups assigned different permissions? If so, then you’ll know how challenging it can be to identify who has full access vs. who has read only.

Today, we’re just going to configure the minimum permissions needed to create and deploy virtual machines to a resource pool. These permissions likely won’t be comprehensive for your users, so you may need to modify them to fit their needs. For a full list of permissions that are available in vCenter, take a look at the vSphere Security Guide and flip to section 10 – Defined Privileges.

Since we’re applying different permissions to four different vCenter objects, that means we’ll need four Roles. I’m going to name my roles based on the department name, Dev, and the vCenter object to which it’s assigned. Name your roles in a way that is most appropriate for you.

Dev – Datacenter

This role needs permission to create new virtual machines and create from existing (for templates or clones). These permissions should propagate to child objects. You could either apply this to all child objects or specific clusters or hosts as well as the resource pool.

Virtual Machine –> Inventory –> Create from existing

Virtual Machine –> Inventory –> Create new

Dev – Network

This role will need permission to attach a switch or port group(s) to a virtual machine. Applying this permission to a switch will allow users to assign any of the switch’s port groups. If you’d like to restrict a group to specific vLAN’s then assign this role to the appropriate port groups. It’s also worth noting that permissions cannot be set for virtual distributed switches, but can be set for their port groups. This permission should propagate to child objects if setting at the switch level or higher.

Network –> Assign network

Dev – Datastore

A resource pool is a great way to limit CPU and memory but has no control over storage. We limit storage by granting permissions to specific datastores. This permission could also be applied to datastore clusters or data centers. This permission should propagate to child objects if applied to datastore clusters or higher level objects.

Datastore –> Allocate space

Dev – Pool

Lastly, we need to be able to deploy and configure our virtual machines within a specific resource pool. These permissions should propagate to child objects.

Resource –> Assign virtual machine to resource pool

Virtual Machine –> Configuration –> Add existing disk

Virtual Machine –> Configuration –> Add new disk

Virtual Machine –> Configuration –> Add or remove device

 

Assign each of these roles to their respected objects and assign your user groups to these roles. Upon successful completion of this task, your users will only be able to consume resources from their designated resource pools. At first, it may seem like something’s wrong because when a user logs in, they can see more than their resource pool.

vCenter as a Resource Pool User

 

That’s because there’s no easy way to hide these objects. But don’t worry, they don’t have permissions to do anything with objects outside their resource pool.

Cannot power off VM

 

The problem is that this can make things a bit clunky for your users because they can see more objects than they can use. For example, when you create a new VM, the console might show you all available datastores. However, due to how our permissions are configured, you can only create a VM within the assigned datastore(s).

Cannot deploy VM to Datastore

 

Deploy VM to datastore

 

The same goes for the network.

Cannot connect to network

Attach Network

 

It’s not 100% perfect, but vCenter does a good job of telling a user when they’re trying to consume a resource they don’t have permission to use. It just means you’ll have to do your part in educating your users or let them use a bit of trial and error to sort it out. Either way, once they’ve successfully navigated the VM deployment process, they’ll be up and running with their brand new virtual machine!

New VM deployed in pool

Matt Bradford

5 Comments

  1. I share you pain. I have a QA team and a support team that each needed discreet access to their respective pools. I have a slightly more restricted configuration than you, but certain things don’t work in turn. VMware seriously needs to take a lesson from Microsoft on how to handle and manage ACL’s. The whole vCenter permissions scheme is a total mess.

    It gets even muddier if that user needs access to more than one resource pool. Honestly, the thought of it makes me want to huddle in a corner.

    We also have another issue, which is our ESXi hosts management network resides on a locked down subnet. Our staff can’t console to VM’s at the moment because of the network ACL’s. We thought the console traffic would proxy through vCenter, but we thought wrong. Ultimately a direct connect to the host. Kind of disappointing IMO.

    Anyway, thanks for this, I might give your way a shot to see if it relieves some of the pain in exchange for them seeing a little more than they should.

  2. Thanks for this very helpful article. However I have an issue. I have set permission on a specific Vlan in a distributed switch so I can only assign this Vlan. When creating a new VM I can only select this Vlan – all others tell me I have “no permission to assign this network”. So far, so good. But now after selecting this particular Vlan as soon as I click on next I get that very same message for this Vlan I was able to select succesfully and cannot continue. Do you know how to solve this? Btw. I already added the assign network permission on the DC level (without propagation) and the Resource Pool level. I also tried the same but with propagation on DC level but this enables me to select any network. Thanks for your help.

  3. Well, I figured it out myself accidentally. We have a lot of Vlans so the Vlan I wanted to assign was not in the dropdown list and I had to click on …”show more networks”. Here could select (only) the desired Vlan and it was then shown in the configuration page. As already told above after clicking next I received the error “no permission to assign this network”. To solve this I had to select one of the forbidden networks from the dropdown list and afterwards the desired Vlan again (which now is in the dropdown list directly). Clicking next. All good. Btw. We are running 6.5 U1.

  4. Hi There! I’ve found your post very usefull. But indeed i’ve front a very weird situation…. I’ve a cluster with 2 resource pools.
    In resource pool A one group is admin and everithing seems ok… the users on the group could make vms clone, modify vhard, etc,etc… But they could not poweron vms!!! Long story short, with DRS you will need to assign at datacenter level (no propagate), cluster level(no propagate), even host level (if there are more than one resource pool in the same cluster and you don’t want users from group A see vms for resource pool B) *Virtual Machine/Interaction/Answer Question* with that permission users was able to poweron vms. I think that’s because with not automatic DRS you have a question about where do you want to power on this vm.. I hope this helps…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.