Here is an interesting little obstacle we ran into when setting up our virtualization environment.
We found that when we were in VMware VirtualCenter, we can add permissions via the inventory datastore & networks view but once we did that there was no easy way to view or delete the permissions within the same view. You need to go back and navigate the hosts/clusters view, one at a time, in order to view where these permissions showed up and if necessary delete/modify them one at a time as well, or check where that role is applied within the administration/roles view.
While this might work for small environments or for a couple of administrators, it absolutely wouldn’t work for large environments with hundreds of hosts or thousands of virtual machines or a complex resources structure with complex storage. Or what about environments with multiple administrators? One administrator makes a change to permissions, but the next administrator has no idea and a change to permissions here cascades through and impacts all VMs in that datacenter. Sounds like a good way to shoot yourself in the foot!
So is this a design flaw? Was the point of the “Add Permissions” feature for datastores and networks to prevent users from getting to those datastores/networks? Or was it to maybe give the appearance of ACL functionality? Or something like a poor man’s quota management? And if you’re going to let administrators add permissions in a view, why not let them view and delete just as in the other views?
Does anyone know why this feature is even available here for datastores and networks in VirtualCenter without really taking the feature all the way? Maybe I’m not seeing the forest for the trees at the moment but if you know or have used this, please do share…
