I am writing this post partially as a guide to how I performed this but also as a bit of an RFC for any better way of doing this.

I recently had a requirement to configure role-based access to allow an external contractor to modify the VM settings on a specific set of virtual machines. Most of this is fairly simple and is well documented in the VMware knowledge base and around the web. The trickier part, I found, was that we are using distributed switches and we only wanted to allow the user to assign port groups from a specific list to the backing of the virtual NICs on the VM.

What we need to be able to do for this is assign the following permissions to the relevant port groups:

  • Network > Assign Network
  • Virtual Machine > Configuration > Modify device settings
  • Virtual Machine > Configuration > Settings

This again is simple enough: the required permissions are added to the role being used for the user and that role is applied to the port groups. However, this alone is not quite enough. As we are working with a distributed switch we also need to assign the same role to the distributed switch that holds the port groups. This seems simple enough, but if you try to assign your role directly to the switch object in vCenter it will not allow it, with an error pop-up telling you that you need to assign the permissions either to the data centre or to a folder containing the switch object.

OK, so now we create a folder, put the virtual switch in the folder and apply our role to the folder with inheritance enabled so that the permissions propagate to our switch object. Now our contractor has access to all the things they should have access to, but because of the inheritance they also have access to all the port groups on that switch, which we do not want them to have.

We can fix this, but it means we now have to apply the No access role to every port group on the switch that the user should not have access to, which can be quite time consuming if you have a large number of port groups on the switch.
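The whole procedure above as a PowerCLI script, added here as an example and not part of the original post. The role name, principal, switch, folder, vCenter address and allowed port group names are placeholders to replace for your environment; the role is assumed to already hold the three privileges listed earlier, and the switch is assumed to already sit in the network folder.

```powershell
# Added example (not from the original post). Placeholder values below are
# assumptions: adjust the role, principal, switch, folder and port group names.
$roleName   = 'Contractor-VM-Config'      # role already holding the three privileges
$principal  = 'VSPHERE.LOCAL\contractor'  # user or group being granted access
$switchName = 'DSwitch-Prod'
$folderName = 'Contractor-Switches'       # network folder containing the switch
$allowedPGs = @('PG-App-100', 'PG-Web-200')

Connect-VIServer -Server 'vcenter.example.com' | Out-Null

$role     = Get-VIRole -Name $roleName
$noAccess = Get-VIRole -Name 'NoAccess'   # built-in "No access" role
$dvs      = Get-VDSwitch -Name $switchName
$folder   = Get-Folder -Name $folderName -Type Network

# vCenter refuses a direct assignment on the switch, so the grant goes on the
# folder with propagation. Check the switch really is in that folder first.
if ($dvs.ExtensionData.Parent.Value -ne $folder.ExtensionData.MoRef.Value) {
    throw "Switch '$switchName' is not in folder '$folderName'; move it first."
}

# Idempotent grant: skip if the principal already holds this role on the entity.
function Grant-IfMissing {
    param($Entity, $Role, [bool]$Propagate)
    $existing = Get-VIPermission -Entity $Entity -Principal $principal -ErrorAction SilentlyContinue
    if ($existing -and ($existing.Role -contains $Role.Name)) { return }
    New-VIPermission -Entity $Entity -Principal $principal -Role $Role -Propagate:$Propagate | Out-Null
}

# 1. Role on the folder, propagated so it reaches the switch object.
Grant-IfMissing -Entity $folder -Role $role -Propagate $true

# 2. Role on the allowed port groups; "No access" on every other port group on
#    the switch (the tedious manual step from the post).
foreach ($pg in Get-VDPortgroup -VDSwitch $dvs) {
    if ($allowedPGs -contains $pg.Name) {
        Grant-IfMissing -Entity $pg -Role $role -Propagate $false
    } else {
        Grant-IfMissing -Entity $pg -Role $noAccess -Propagate $false
    }
}

# 3. List what the principal ended up with, for review.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

Re-running the script after a new port group is added to the switch closes the gap automatically, since any port group not on the allowed list gets No access.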