Here is my scenario: Using ESXi 4.1 standalone (no vCenter) I want to give a specific local user (steve) administrative access to his own resource pool, but not give him access to any other virtual machines or resource pools. Let's say I have the following structure:
esxi-02 system
-Production Resource pool
-- Production system 1
-- Production system 2
-Steve Sandbox Resource Pool
-- Steve Sandbox system 1
-- Steve Sandbox system 2
In this case, I want to let steve log in and manage his resource pool, but I don't want him to be able to see the production resource pool or any systems in other pools. He should be able to create and remove VMs within his resource pool; essentially full administrative access.
So, here's what I've done in an attempt to achieve this:
- Create the user 'steve'.
- Clicked on the "esxi-02" root object and then the Permissions tab, and added user 'steve' with the role "Administrator", leaving the "propagate permissions" checkbox unchecked.
- Clicked on Steve Sandbox Resource Pool and over to the permissions tab. Here, I added 'steve' as role "Administrator" and this time I did click the "propagate permissions" checkbox.
Now, this almost works; steve can log in and see only his resource group and systems. Further, he can access the systems' consoles, start and stop VMs, create snapshots, etc. However, when he goes to create a virtual machine, he gets an error:
"You do not have the privilege 'Virtual machine > Inventory > Create new' on the selected Host."
This is confusing, since on both levels, 'steve' has administrative access. What am I doing wrong? Thanks for your help.
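One way to see where the two Administrator grants actually landed, as an added PowerCLI diagnostic that is not part of the original question: it lists every permission entry naming the user, reports whether each entry's role contains the privilege from the error message, and then checks whether any entry sits on the host object itself, which is the object the error names. It assumes PowerCLI connected directly to the standalone host as root, and that the host, user and privilege identifiers below match the question's inventory.

```powershell
# Added diagnostic for the scenario above (not from the original post).
# Assumes: PowerCLI, direct connection to the standalone ESXi host as root,
# and that these names match the inventory in the question.
$hostName  = 'esxi-02'
$principal = 'steve'
# Privilege ID behind "Virtual machine > Inventory > Create new"
$needed    = 'VirtualMachine.Inventory.Create'

Connect-VIServer -Server $hostName   # prompts for root credentials

# Every permission entry that names steve, wherever it sits in the inventory
$perms = Get-VIPermission -Principal $principal

foreach ($p in $perms) {
    $role    = Get-VIRole -Name $p.Role
    $privIds = (Get-VIPrivilege -Role $role).Id
    $grants  = $privIds -contains $needed
    '{0,-30} {1,-18} role={2,-14} propagate={3,-5} grants {4}: {5}' -f `
        $p.Entity.Name, $p.Entity.GetType().Name, $p.Role, $p.Propagate, $needed, $grants
}

# The error says the privilege is missing "on the selected Host", so the
# entry that matters is the one attached to the host object itself, not to
# the root folder above it or to the resource pool below it.
$esx    = Get-VMHost -Name $hostName
$onHost = $perms | Where-Object { $_.Entity.Id -eq $esx.Id }
if (-not $onHost) {
    Write-Warning "No permission entry for '$principal' is attached to host object '$hostName'."
}
```

Compare the entity type of the non-propagated entry with the host's own entity type: if it reads as a folder rather than the host, the grant made at the top of the tree never reached the host object the error refers to.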