Currently, the DRS Clusters in our development lab consist of machines belonging to multiple teams.
The original Lab Admin grouped the ESX Servers according to machine model number (presumably to facilitate easier vMotion i.e. sans Enhanced vMotion Compatibility). Thus, ESX Servers from different teams belong to the same clusters.
The Lab Owner would like me to make permissions as granular as possible so that non-admins will be able to create\delete, migrate, and power on\off the VMs that belong to their respective teams, only.
The following list comprises the permissions that I’m assigning at the various levels of the vCenter hierarchy (still a WIP):
– Datastore Consumer permissions on the assigned Datastores to assign storage to a new VM.
– Migrate permissions at the Cluster level to perform vMotion, Storage vMotion, and Cold Migrate
– Inventory permissions at the Datacenter level to add new VMs to inventory
– Administrator permissions on the assigned ESX Servers
So far, users with these permissions can create VMs, but cannot see a listing of the VMs. I have not had much time to work on the final touches of the granular security, but I will be getting back to it soon, and I will post a follow-up Blog article.
Plan “B” will be to advise the Lab Owner to re-design the clusters on a “per-team” basis so that, for example, Cluster 1 comprises the ESX servers that belong to the UI Team only, Cluster 2 only contains the Database Team’s ESX servers, etc. However, I will continue to work on the permissions puzzle for a little bit longer before making that suggestion.
One of my upcoming blog posts will feature another video to show the steps for setting up vMotion in your VMware Workstation Home Lab.
Thanks for stopping by and Happy VM’ing