Assign and modify permissions for vCenter Server
There are several key points to keep in mind when you are working with vCenter Server permissions. Whether a ONTAP tools for VMware vSphere task succeeds can depend on where you assigned a permission, or what actions a user took after a permission was modified.
Assigning permissions
You only need to set up vCenter Server permissions if you want to limit access to vSphere objects and tasks. Otherwise, you can log in as an administrator. This login automatically allows you to access all vSphere objects.
Where you assign permission determines ONTAP tools for VMware vSphere tasks that a user can perform.
Sometimes, to ensure the completion of a task, you should assign permission at a higher level, such as the root object. This is the case when a task requires a privilege that does not apply to a specific vSphere object (for example, tracking the task) or when a required privilege applies to a non-vSphere object (for example, a storage system).
In these cases, you can set up a permission so that it is inherited by the child entities. You can also assign other permissions to the child entities. The permission assigned to a child entity always overrides the permission inherited from the parent entity. This means you can give permissions to a child entity to restrict the scope of a permission assigned to a root object and inherited by the child entity.
Unless your company's security policies require more restrictive permissions, it is a good practice to assign permissions to the root object (also referred to as the root folder). |
Permissions and non-vSphere objects
The permission that you create is applied to a non-vSphere object. For example, a storage system is not a vSphere object. If a privilege applies to a storage system, you should assign the permission containing that privilege to ONTAP tools for VMware vSphere root object because there is no vSphere object to which you can assign it.
For example, any permission that includes a privilege such as ONTAP tools for VMware vSphere privilege "Add/Modify/Skip storage systems" should be assigned at the root object level.
Modifying permissions
You can modify one permission at any time.
If you change the privileges within a permission, the user associated with that permission should log out and then log back in to enable the updated permission.