Specifications

Basic System Administration

264 VMware, Inc.

 Ifthereisnopermissiondefinedexplicitlyfortheuseronthatobject,theuser

isassignedtheunionofprivilegesassignedtothegroupsforthatobject.

 Ifthereisapermissiondefinedexplicitlyfortheuseronthatobject,that

permissiontakesprecedenceoverallgrouppermissions.

Example1:Expandingauser’spermissions

 Role1canpoweronvirtualmachines.

 Role2cantakesnapshotsofvirtualmachines.

 GroupAisgrantedRole1onvirtualmachine.

 GroupBisgrantedRole2onvirtualmachine.

User1isnotassignedspecificpermission:

 User1,whobelongstogroupsAandB,logson.

 User1canbothpoweronandtakesnapshotsofvirtualmachine.

Example2:Limitingauser’spermissions

 Role1canpoweronvirtualmachines.

 Role2cantakesnapshotsofvirtualmachines.

 GroupAisgrantedRole1onvirtualmachineparentfolder.

 GroupBisgrantedRole2onvirtualmachine.

User1ReadOnlypermissionisremovedonvirtualmachine:

 User1cantakesnapshotsbutnotpoweron.

Tasks Requiring Settings on Multiple Objects

Whensettingpermissions,verifythatalltheobjecttypesaresetwithappropriate

privilegesforeachparticularaction.Someoperationsrequireaccesspermissionatthe

rootfolderinadditiontoaccesspermissionsontheobjectbeingmanipulated.Some

operationsrequireaccessorperformancepermissionataparentfolderandarelated



object.

SeeAppendix A,“DefinedPrivileges,”onpage 327foralistofpredefinedrolesand

associatedprivileges.Usethesepredefinedrolestohelpdeterminetherole+object

pairingrequiredtoperformyourchosentask.