Hey,
thank you in advance to everyone who has the patience to read all this, but I think it is necessary to understand the scenario.
We have a problem with our vSphere 6.0 U2 environment concerning the permissions that are necessary to be able to clone a VM to a template and create a VM from a template. Maybe we have a special usage scenario that is not so common, but what we do worked out with vSphere 5.5, which we were using until some weeks ago.
We are a small datacenter with several departments. Every department has its own resource pool in our vSphere cluster. Within their resource pools users (departments) are able to use all typical vSphere features like creating/deleting virtual machines, taking snapshots and creating templates from VMs and vice versa directly by using the vSphere Client. To be able to do that, every department has been assigned permissions on resource pools, datastores, VM folders and port groups. In that configuration every user has the maximum functionality, but is still separated from other users, and we are able to control resource usage by configuring shares and limits on the departments' resource pools. As I said, it all worked fine with vSphere 5.5.
To clone to a template you need the following privileges:
- Virtual machine.Provisioning.Create template from virtual machine on the source virtual machine.
- Virtual machine.Inventory.Create from existing on the virtual machine folder where the template is created.
- Resource.Assign virtual machine to resource pool on the destination host, cluster, or resource pool.
- Datastore.Allocate space on all datastores where the template is created.
Taken from here, page 38: https://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-virtual-machine-admin-guid…
The privilege to assign a virtual machine to a resource pool is granted at the resource pool level in our environment and not at host or cluster level, but that should be fine according to the document (it says "or"). Anyhow, when you try to clone a VM to a template with privileges like that, you get an error that "read only" permissions on cluster level are needed. When you add those permissions and try again, there is another error that the privilege "Assign virtual machine to resource pool" is needed on cluster level. When you add those permissions cloning finally works, but the security policy of our environment is no longer intact. With permissions like that, every user is shown all resources (i.e. every VM in every resource pool). Moreover, users are now able to migrate virtual machines between resource pools and thereby gain full access to any VM by moving it into their own resource pool.
We are looking for anybody who can confirm the issue in another environment and of course for a workaround or any idea that would help us provide the functionality to our users like it was in 5.5. Thank you for any input.
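As an added illustration (not part of the original post, and not VMware's own code) of how the privilege list quoted above can be checked and scoped with PowerCLI, the following script audits a role for the four privileges the documentation names, assigns that role only on a department's own resource pool, VM folder and datastore, and then lists any cluster-level grant for the same principal, which is exactly the over-broad grant the post says it was forced into. The role name, principal, object names and the privilege IDs are assumptions; it expects an existing Connect-VIServer session.

```powershell
# Added example, not from the original post. Names below are assumptions.
# Requires VMware PowerCLI and an existing Connect-VIServer session.

$RoleName  = 'Dept-VM-Operator'      # assumed custom role
$Principal = 'CORP\dept-a-users'     # assumed AD group for one department
$PoolName  = 'Dept-A'                # assumed resource pool
$Folder    = 'Dept-A-VMs'            # assumed VM folder
$Datastore = 'Dept-A-DS'             # assumed datastore

# Privilege IDs assumed to correspond to the four entries listed in the post.
$Required = @(
    'VirtualMachine.Provisioning.CreateTemplateFromVM',
    'VirtualMachine.Inventory.CreateFromExisting',
    'Resource.AssignVMToPool',
    'Datastore.AllocateSpace'
)

# Returns the privileges the role is missing from the required set (empty = complete).
function Test-RolePrivileges {
    param([string]$Name, [string[]]$Needed)
    $role    = Get-VIRole -Name $Name -ErrorAction Stop
    $have    = (Get-VIPrivilege -Role $role).Id
    $missing = @($Needed | Where-Object { $_ -notin $have })
    if ($missing.Count -gt 0) {
        Write-Warning ("Role '{0}' lacks: {1}" -f $Name, ($missing -join ', '))
    } else {
        Write-Host "Role '$Name' carries every privilege listed for clone-to-template."
    }
    return $missing
}

$null = Test-RolePrivileges -Name $RoleName -Needed $Required

# Grant the role only on the department's own objects (the 5.5-style layout
# described in the post), skipping objects that already carry a grant.
$targets = @(
    (Get-ResourcePool -Name $PoolName),
    (Get-Folder -Name $Folder -Type VM),
    (Get-Datastore -Name $Datastore)
)
foreach ($t in $targets) {
    $existing = Get-VIPermission -Entity $t -Principal $Principal -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VIPermission -Entity $t -Principal $Principal -Role $RoleName -Propagate:$true | Out-Null
        Write-Host "Granted '$RoleName' to '$Principal' on '$($t.Name)'."
    }
}

# Audit: any permission for this principal on a cluster object exposes every
# pool's VMs and enables cross-pool migration, so list such grants for review.
Get-Cluster | ForEach-Object {
    Get-VIPermission -Entity $_ -Principal $Principal -ErrorAction SilentlyContinue
} | Select-Object Entity, Role, Propagate
```

Running the last part after reproducing the workaround from the post makes the cluster-level "Read-only" and "Assign virtual machine to resource pool" grants visible as explicit permission entries, which is the quickest way to see which departments have been widened beyond their own resource pool.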