vSphere 5.0 permissions issue / bug ?

by Grzegorz Kulikowski

vSphere Client Version 5.0.0 Build 1300600
vCenter Server Version 5.0.0 Build 1300600

This is just a note to myself about an issue I hit recently while working within a vSphere 5.0 environment.
Here is the situation:


UserX is part of 2 groups; it does not matter whether those are local groups or AD groups.
So I got:

domain\UserX belongs just to those 2 groups.
To make this example really easy, I will use the base role of ‘Read-Only’.

This example demonstrates a user who is part of 2 groups not being able to use the top-right corner search functionality. Keep in mind that I also tested the same example in vSphere 6.0; there it works just fine.

Root VC element -> Permissions

1. Assign new permission for domain\groupA with Read-Only role (no propagation)

2. Log in to vSphere using the ‘fat’ client and check that you see only the top root VC part in the inventory.

3. Assign new permission for domain\groupB with Read-Only role (with propagation)

3. With your vSphere Client still open from step 2, you will notice that you can see the entire inventory; you can check the properties of VMs, hosts, etc.
BUT!!!

You will not be able to search for any VM in your inventory using the top-right search element in the vSphere Client.

4. You will see that the permission list looks like this:
domain\groupA no propagation read-only
domain\groupB propagation read-only

5. Go to the first permission and switch it to propagation instead of no-propagation.
6. Go to the second permission and switch it to no-propagation instead of propagation.

7. Result? You will see all the inventory as previously, but now you are able to use the top-right search function in the vSphere Client.

I have created a case for this behaviour with VMware support; apparently there are no plans to fix this in vSphere 5.0.
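
The permission changes in the steps above can also be scripted with VMware PowerCLI, which makes the two states easy to reproduce and compare. This is an added example, not part of the original post; the server name `vcenter.example.local` is a placeholder, `ReadOnly` is assumed to be the PowerCLI name of the ‘Read-Only’ role, and the helper `Set-RootPropagation` is hypothetical.

```powershell
# Added example (not from the original post). Requires VMware PowerCLI.
# vcenter.example.local is a placeholder; the group names are those used in the post.
param(
    [string]$Server = 'vcenter.example.local',
    [string]$GroupA = 'domain\groupA',
    [string]$GroupB = 'domain\groupB',
    [switch]$ApplyWorkaround   # steps 5 and 6 (swapped flags) instead of steps 1 and 3
)

# Hypothetical helper: create the Read-Only permission on the given entity,
# or only change its propagation flag if the principal already has one there.
function Set-RootPropagation {
    param($Entity, [string]$Principal, [bool]$Propagate)
    $existing = Get-VIPermission -Entity $Entity -Principal $Principal
    if ($existing) {
        Set-VIPermission -Permission $existing -Propagate $Propagate | Out-Null
    } else {
        New-VIPermission -Entity $Entity -Principal $Principal `
            -Role 'ReadOnly' -Propagate $Propagate | Out-Null
    }
}

Connect-VIServer -Server $Server | Out-Null

# Root VC element (assumes exactly one connected vCenter Server).
$root = Get-Folder -NoRecursion

if ($ApplyWorkaround) {
    # State after steps 5 and 6: groupA propagates, groupB does not.
    Set-RootPropagation -Entity $root -Principal $GroupA -Propagate $true
    Set-RootPropagation -Entity $root -Principal $GroupB -Propagate $false
} else {
    # State after steps 1 and 3: groupA does not propagate, groupB does.
    Set-RootPropagation -Entity $root -Principal $GroupA -Propagate $false
    Set-RootPropagation -Entity $root -Principal $GroupB -Propagate $true
}

# Show the resulting group permissions on the root, as in step 4.
Get-VIPermission -Entity $root |
    Where-Object { $_.IsGroup } |
    Select-Object Principal, Role, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once without the switch, test the search box as UserX, then run it again with `-ApplyWorkaround` and test again.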
