Solved

VMware Role "Resource Pool"

  • 21 April 2021

Hi all,

Is it possible to create a role that allows you to browse in a VMware subclient only of a single resource pool?
When the user browses the subclient's content he must not see any other resources.

 

I also tried to configure a role with "Change Content" disabled, but the user is still able to change the content.


Best answer by Blaine Williams 21 April 2021, 15:05


Hi @Gabriele Palumbo 

Thank you for the question.

A security role applied to the client that enables a user to see the content and resource pool configured will show whatever is configured there. This will be the case regardless of whether that user would be able to see or modify those items elsewhere.

Disabling “Change Content” doesn’t deny the permission (like filesystem permissions where deny takes precedence over grant); it will only prevent inheritance of the setting below.

I expect the user here is inheriting a permission from a higher level, which is granting the ability to make the change.

Try checking the box “Show Inherited” or viewing the permissions granted on the user properties to see if some other permission is affecting things from elsewhere or higher up in the Commcell.

Thanks,

Stuart

 


Hi all, 

I closed the previous topic by mistake.



Hi Gabriele,

The browse permission comes from the user account for the VSA. A Commcell role won't affect this.

Here is the documentation for vSphere user accounts:

https://documentation.commvault.com/commvault/v11_sp20/article?p=32132.htm

And then you can customise the user for limited scope:

You can restrict a user account to a specific entity as described in Adding a Custom User with Limited Scope; but the user must also have permissions for all parent objects of the entity. For example, if you define a user account with permissions on an ESX server, you must also give that user permissions on the vCenter and datacenter. If you select the option to propagate permissions to all child objects, the user can back up all virtual machines on the ESX server.

 

 


Reactivated the original thread here and closed off the duplicate.


Just to add to what @Blaine Williams said, you can 100% do this, but it has to be done in VMware. VMware allows really granular permissions so it may take a bit of back and forth to get them right, and ensure that Commvault has enough access still to perform data operations, but it is possible and something I had done previously.

 

Sounds like you are planning on doing some level of multi-tenancy and you don't want your tenants to see VMs from other tenants?

You can also restrict the VMware permissions to browse on a folder too.
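
The check below is an added example, not part of the thread or of Commvault's documentation: a read-only PowerCLI audit of the rule quoted above, that the account needs permissions on every parent object of the resource pool while a propagating grant on a parent exposes everything beneath it. The server, account and pool names are placeholders.

```powershell
# Added example. Placeholders (not from the thread): server, account, pool name.
$vCenter   = 'vcenter.example.local'
$principal = 'EXAMPLE\svc-tenant-a'   # vSphere account configured for the VSA
$poolName  = 'TenantA-Pool'           # assumed to be a unique pool name

Connect-VIServer -Server $vCenter | Out-Null
$pool   = Get-ResourcePool -Name $poolName -ErrorAction Stop
$poolId = "$($pool.ExtensionData.MoRef.Type)-$($pool.ExtensionData.MoRef.Value)"

# Walk up from the pool to the root folder, collecting every parent object.
$ancestors = @()
$ref = $pool.ExtensionData.Parent
while ($ref) {
    $view = Get-View -Id $ref -Property Name, Parent
    $ancestors += [pscustomobject]@{ Id = "$($ref.Type)-$($ref.Value)"; Name = $view.Name }
    $ref = $view.Parent
}

# Direct assignments only; permissions granted through a group need the same
# check run against that group.
$perms = @(Get-VIPermission -Principal $principal)

# Each parent needs a permission for the account, and it must not propagate.
$report = foreach ($a in $ancestors) {
    $p = $perms | Where-Object { $_.EntityId -eq $a.Id }
    $finding = if (-not $p) { 'MISSING: no permission on this parent' }
        elseif ($p.Propagate) { 'TOO BROAD: propagates to child objects' }
        else { 'ok' }
    [pscustomobject]@{
        Object    = $a.Name
        Role      = $p.Role
        Propagate = $p.Propagate
        Finding   = $finding
    }
}
$report | Format-Table -AutoSize

# Anything granted off the pool's own path is a candidate for exposing
# other tenants' objects and should be reviewed individually.
$onPath  = @($poolId) + $ancestors.Id
$outside = $perms | Where-Object { $_.EntityId -notin $onPath }
$outside | Select-Object Entity, Role, Propagate | Format-Table -AutoSize
```

The script changes nothing in vCenter; after it reports clean, confirm that the account can still perform the data operations Commvault needs.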
