We had a customer question regarding KB1020934. The customer wants to assign specific people the ability to change the portgroup of a VM, and only the portgroup. The KB article says that you must assign permissions at the Datacenter level. In my 6.7 U3 lab, I will show that you can do granular permissions at both the VM and portgroup level.
First I add a test user.
Then I create a group called Network Team and add testuser to the group.
Now I create a role called VM Network Admins and grant it the specific privileges as outlined in the KB article.
This screen shows that I’ve granted the permission in the following locations:
- A folder called Network Team
- Distributed portgroup PG_VM_VLAN203
- Standard portgroup VLAN200
Note that the screenshot also shows standard portgroup VLAN203. I removed the permission from that portgroup but forgot to update the screenshot.
I log in as testuser. I cannot see anything in Hosts and Clusters because the user has no permissions there.
I can see the folder paths leading to folder Network Team, and I can see VMs under that folder. I cannot see any other folders or VMs.
I can’t see any storage.
I can only see portgroups that I’ve been granted permissions to.
Now I try to change the VLAN for my network adapter. Note that if I don’t have permissions to whatever portgroup the VM is currently on, the dropdown box is blank.
I browse for portgroups to switch to and I’m presented with only a list of the portgroups I have permissions for (I have other portgroups in my lab).
I put the VM on VLAN 200 and it drops off the network.
Then I put it back on 203 and it works.
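To confirm where the role actually ended up (for example, to catch a leftover grant like the one on VLAN203 mentioned above), the following PowerCLI audit lists every object where the Network Team group holds the VM Network Admins role. It is an added example, not part of the original walkthrough; the vCenter name and the SSO domain of the group are assumed placeholders.

```powershell
# Added example: audit where the "VM Network Admins" role is granted.
# Assumptions: VMware PowerCLI is installed; server and SSO domain are placeholders.
$server    = 'vcenter.example.local'        # placeholder vCenter name
$principal = 'VSPHERE.LOCAL\Network Team'   # assumed SSO domain for the group
$roleName  = 'VM Network Admins'

# Objects the walkthrough says should carry the permission.
$expected = @('Network Team', 'PG_VM_VLAN203', 'VLAN200')

Connect-VIServer -Server $server | Out-Null

# Show the privileges in the role so they can be compared with the KB article.
Write-Host "Privileges in role '$roleName':"
(Get-VIRole -Name $roleName).PrivilegeList | Sort-Object

# Every permission entry in the inventory that gives this group this role.
$grants = Get-VIPermission -Principal $principal |
    Where-Object { $_.Role -eq $roleName }

$report = @(foreach ($g in $grants) {
    [pscustomobject]@{
        Entity    = $g.Entity.Name
        Type      = ($g.EntityId -split '-')[0]   # e.g. Folder, Network, Datacenter
        Propagate = $g.Propagate
        Expected  = $expected -contains $g.Entity.Name
    }
})
$report | Sort-Object Type, Entity | Format-Table -AutoSize

# Grants outside the intended scope (stale portgroups, or a Datacenter-level grant).
$unexpected = @($report | Where-Object { -not $_.Expected })
# Intended objects that have no grant at all.
$missing = @($expected | Where-Object { $_ -notin $report.Entity })

if ($unexpected.Count -gt 0) {
    Write-Warning ("Unexpected grants on: " + ($unexpected.Entity -join ', '))
}
if ($missing.Count -gt 0) {
    Write-Warning ("No grant found on: " + ($missing -join ', '))
}
if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Host "Role is granted only on the intended folder and portgroups."
}

Disconnect-VIServer -Server $server -Confirm:$false
```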