Enabling the vCenter Server permissions required to modify virtual machine network settings

We had a customer question regarding KB1020934. The customer wants to assign specific people the ability to change the portgroup of a VM, and only the portgroup. The KB article says that you must assign permissions at the Datacenter level. In my 6.7 U3 lab, I will show that you can do granular permissions at both the VM and portgroup level.

First I add a test user

Then I create a group called Network Team and add testuser to the group

Now I create a role called VM Network Admins and grant it the specific privileges as outlined in the KB article.

This screen shows that I’ve granted the permission in the following locations

  • A folder called Network Team
  • Distributed portgroup PG_VM_VLAN203
  • Standard portgroup VLAN200

Note that the screenshot also shows standard portgroup VLAN203, I removed this permission from that portgroup but forgot to update the screenshot.

I log in as testuser. I cannot see anything in Hosts and Clusters because the user has no permissions there.

I can see the folder paths leading to folder Network Team, and I can see VMs under that folder. I cannot see any other folders or VMs.

I can’t see any storage

I can only see portgroups that I’ve been granted permissions to.

Now I try to change the VLAN for my network adapter. Note that if I don’t have permissions to whatever portgroup the VM is currently on, the dropdown box is blank.

I browse for portgroups to switch to and I’m presented with only a list of the portgroups I have permissions for (I have other portgroups in my lab)

I put the VM on VLAN 200 and it drops off the network.


Then I put it back on 203 and it works.


Leave a Reply

Your email address will not be published. Required fields are marked *