Wednesday, April 27, 2016

Lowest level of the permission hierarchy for Content Library.

When assigning a user the Content Library administrator role, what is the lowest level of the permission hierarchy at which this role can be granted to the user and still allow them to create a Content Library? What if Content Libraries are not visible?

What is a possible solution?

Apply the Content Library administrator role at the global permission level. To make the Content Libraries visible, also assign the user the Read-only role at the global permission level.


vSphere objects inherit permissions from a parent object in the hierarchy. Content libraries work in the context of a single vCenter Server instance. However, content libraries are not direct children of a vCenter Server system from an inventory perspective.
The direct parent for content libraries is the global root. This means that if you set a permission at a vCenter Server level and propagate it to the children objects, the permission applies to data centers, folders, clusters, hosts, virtual machines, and so on, but does not apply to the content libraries that you see and operate with in this vCenter Server instance. To assign a permission on a content library, an Administrator must grant the permission to the user as a global permission. Global permissions support assigning privileges across solutions from a global root object.
The figure illustrates the inventory hierarchy and the paths by which permissions can propagate.

[Figure: vSphere Inventory Hierarchy (image not reproduced on this page)]
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.
Each solution has a root object in its own object hierarchy. The global root object acts as a parent object to each solution object. You can assign global permissions to users or groups, and decide on the role for each user or group. The role determines the set of privileges. You can assign a predefined role or create custom roles. See Using Roles to Assign Privileges. It is important to distinguish between vCenter Server permissions and global permissions.

vCenter Server permissions

In most cases, you apply a permission to a vCenter Server inventory object such as an ESXi host or a virtual machine. When you do, you specify that a user or group has a set of privileges, called a role, on the object.

Global permissions

Global permissions give a user or group privileges to view or manage all objects in each of the inventory hierarchies in your deployment.

If you assign a global permission and do not select Propagate, the users or groups associated with this permission do not have access to the objects in the hierarchy. They only have access to some global functionality such as creating roles.

You can use global permissions to give a user or group privileges for all objects in all inventory hierarchies in your deployment.

Use global permissions with care. Verify that you really want to assign permissions to all objects in all inventory hierarchies.
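The two passages above (content libraries hanging off the global root rather than the vCenter Server object, and the effect of the Propagate check box on a global permission) can be made concrete with a small model of permission inheritance. This is an added illustration, not VMware's code or the post's own; it assumes a simplified resolver (one role per principal per object, the nearest assignment wins, a non-propagating assignment counts only on its own object) and uses constructed object and principal names.

```python
from dataclasses import dataclass, field
from typing import Optional

# Role name as used on the page; object and principal names below are
# constructed sample values for this illustration.
LIB_ADMIN = "Content library administrator"


@dataclass
class InventoryObject:
    """One node of the inventory. `permissions` maps a principal to
    (role, propagate); propagate=False limits the role to this object."""
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: dict = field(default_factory=dict)

    def assign(self, principal: str, role: str, propagate: bool = True) -> None:
        self.permissions[principal] = (role, propagate)


def effective_role(obj: InventoryObject, principal: str) -> Optional[str]:
    """Resolve the role a principal holds on obj.

    Walk from obj toward the global root. The nearest assignment wins, so a
    permission set on a child overrides one inherited from a parent. An
    assignment made without Propagate counts only on the object itself.
    """
    node, hops = obj, 0
    while node is not None:
        entry = node.permissions.get(principal)
        if entry is not None:
            role, propagate = entry
            if hops == 0 or propagate:
                return role
        node, hops = node.parent, hops + 1
    return None


def build_inventory() -> dict:
    """Global root with two children: the vCenter Server inventory tree
    (vCenter -> datacenter -> VM) and a content library that is a direct
    child of the global root, not of the vCenter Server object."""
    global_root = InventoryObject("Global root")
    vcenter = InventoryObject("vcenter01", global_root)
    datacenter = InventoryObject("DC01", vcenter)
    vm = InventoryObject("web01", datacenter)
    library = InventoryObject("ISO Library", global_root)
    return {"global_root": global_root, "vcenter": vcenter,
            "datacenter": datacenter, "vm": vm, "library": library}


USER = "vsphere.local\\libadmin"   # constructed sample principal


def role_at_vcenter_level() -> dict:
    """Content library administrator assigned on the vCenter Server object
    with Propagate: reaches the VM, but never the content library."""
    inv = build_inventory()
    inv["vcenter"].assign(USER, LIB_ADMIN, propagate=True)
    return {name: effective_role(obj, USER) for name, obj in inv.items()}


def role_as_global_permission(propagate: bool) -> dict:
    """Same role assigned at the global root, with or without Propagate.
    Without Propagate the user holds the role on the global root only."""
    inv = build_inventory()
    inv["global_root"].assign(USER, LIB_ADMIN, propagate=propagate)
    return {name: effective_role(obj, USER) for name, obj in inv.items()}


if __name__ == "__main__":
    print("vCenter level, propagated:", role_at_vcenter_level())
    print("global, propagated:       ", role_as_global_permission(True))
    print("global, not propagated:   ", role_as_global_permission(False))
```

Running it shows the three outcomes the text describes: the role propagated from the vCenter Server object reaches every inventory object but leaves the library with no role at all, the same role as a propagated global permission reaches both trees, and a global permission without Propagate grants the role on the global root only. Because a propagated global permission lands on every object in every hierarchy, the role chosen for it should be the least one that does the job.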
To perform this task, you must have the Permissions.Modify permission privilege on the root object for all inventory hierarchies.

1. Click Administration and select Global Permissions in the Access Control area.

2. Click Manage, and click the Add permission icon.

3. Identify the user or group that will have the privileges defined by the selected role.

   a. From the Domain drop-down menu, select the domain where the user or group is located.

   b. Type a name in the Search box or select a name from the list. The system searches user names, group names, and descriptions.

   c. Select the user or group and click Add. The name is added to either the Users or Groups list.

   d. (Optional) Click Check Names to verify that the user or group exists in the identity source.

   e. Click OK.

4. Select a role from the Assigned Role drop-down menu. The roles that are assigned to the object appear in the menu. The privileges contained in the role are listed in the section below the role title.
   For the issue above, assign the user the Read-only role.

5. Leave the Propagate to children check box selected in most cases. If you assign a global permission and do not select Propagate, the users or groups associated with this permission do not have access to the objects in the hierarchy. They only have access to some global functionality such as creating roles.

6. Click OK.


