Here’s a strange one I’ve come across in vCenter 2.5. You have a user, who is a member of an AD group, which has been assigned the Administrator role in vCenter over a Datacenter (or a folder, cluster, host, …) – but not at the root level. Got that? That user can do everything that you would expect an administrator to be able to, at that level.
However, once that user generates tasks in vCenter, it seems they can’t cancel them. From what I’ve found, canceling tasks seems to be a Global permission and is only allowed if your administrative permissions are set at the top of the tree, even though the task was created by them and is a task within their Datacenter.
Has anyone else seen this and come to a sensible workaround? Does it happen in vCenter 4.0?
I have experienced many such problems when using permissions on vCenter 2.5. The one that always bothers me is when I want to make a person an administrator of a cluster (not a datacenter), but then they are not allowed to create new VMs because they do not have access to the datastores. You can add them to the datacenter level and adjust permissions accordingly, but they can still see other datastores that are not theirs. I have resorted to creating my own custom role to address these issues.