Preventing selection of certain datastores with SPBM

One of the great things about presenting at VMware User Group meetings is actually talking to customers and finding out what their pain points are, and how VMware can improve our products and features. At the most recent VMUG I attended (in Poland), I was asked a question about storage policies: is there a way to allow some users to use some policies, and other users to use a different policy? Unfortunately there are no permissions associated with storage policies at this time, so any user can select any policy. With that in mind, I had a look to see if there was a way to prevent a user from using a certain datastore, even if they chose a policy which showed this datastore as compatible. Fortunately, there is a very easy way to achieve this through permissions on the datastore itself: the policy only decides which datastores are offered as compatible, while the permissions on the datastore decide whether the user is actually allowed to allocate space on it.

In my example, I have two Virtual Volume (VVol) datastores available for provisioning. Let's say one is an all-flash VVol datastore and the other is a hybrid (a mix of flash and spinning disk). Ben is an operator/admin, but he should only have privileges to provision VMs on the hybrid VVol datastore; he should not be able to provision onto the all-flash datastore. So I manually set Ben's permissions on the all-flash datastore (VVols1) to read-only, and left him with full permissions on the hybrid datastore (VVols2):

Now let's see what happens when Ben attempts to select the datastore on which he only has read-only privileges. Keep in mind that Ben can select any policy he wishes, and that in each case both VVol datastores show up as compatible with the policy, but Ben is now prevented from provisioning on VVols1, the all-flash datastore.

So even though both datastores are compatible with the policy, we can see the message which says that this user does not have the privilege to allocate space on the selected datastore. This is the "Datastore > Allocate space" privilege (Datastore.AllocateSpace in the API), which the built-in Read-only role does not include. And if we select the other VVol datastore?

Now the compatibility check succeeds, and we can continue to provision here.

And suppose Ben ignores the permission warning above? Can he simply press on and still provision onto the all-flash VVol datastore? The answer is no, he cannot. The wizard will not continue with the provisioning steps. Note that this is not just a client-side check: vCenter enforces the Datastore.AllocateSpace privilege on the datastore for the underlying API calls as well, so a user who bypasses the wizard and provisions through PowerCLI or the API gets the same denial:
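The same setup, scripted with PowerCLI, as an added example that is not part of the original post. It assigns the per-datastore permissions described above and then audits which datastores actually grant the user the Datastore.AllocateSpace privilege, which is the check the wizard performs at the compatibility step. The vCenter name vc.example.local, the principal vsphere.local\ben, and the custom role name DatastoreConsumer are assumptions; the datastore names VVols1 and VVols2 are the ones used in the post. Instead of giving Ben full Admin rights on the hybrid datastore as in the post, the example uses a narrow custom role that carries only the datastore privileges provisioning needs.

```powershell
# Added example (not the original post's code). Assumes PowerCLI is installed and
# that vc.example.local, vsphere.local\ben and the role name DatastoreConsumer exist
# or may be created; VVols1 (all-flash) and VVols2 (hybrid) are the post's datastores.

Connect-VIServer -Server 'vc.example.local' | Out-Null

$user     = 'vsphere.local\ben'
$allFlash = Get-Datastore -Name 'VVols1'
$hybrid   = Get-Datastore -Name 'VVols2'

# Read-only on the all-flash datastore. The built-in ReadOnly role has no
# Datastore.* privileges, so Ben can still see VVols1 (it shows as compatible
# with any policy he picks) but cannot allocate space on it.
New-VIPermission -Entity $allFlash -Principal $user `
    -Role (Get-VIRole -Name 'ReadOnly') -Propagate $true | Out-Null

# Least-privilege alternative to "full permissions" on the hybrid datastore:
# a custom role with only the datastore-level privileges provisioning needs.
# (Privileges on the VM folder, resource pool and network still come from
# permissions set higher in the inventory.)
$role = Get-VIRole -Name 'DatastoreConsumer' -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name 'DatastoreConsumer' `
        -Privilege (Get-VIPrivilege -Id 'Datastore.AllocateSpace', 'Datastore.Browse')
}
New-VIPermission -Entity $hybrid -Principal $user -Role $role -Propagate $true | Out-Null

# Audit: for every datastore, report whether the permission held by this
# principal on the object includes Datastore.AllocateSpace. Permissions set on
# the datastore itself override ones inherited from its parent, so a ReadOnly
# entry here wins over an Admin entry on the datacenter. Caveat: this looks up
# the principal by name, so access granted through group membership is not
# reflected in the output.
function Get-DatastoreAllocateAccess {
    param([Parameter(Mandatory)][string]$Principal)

    foreach ($ds in Get-Datastore) {
        $perms = @(Get-VIPermission -Entity $ds -Principal $Principal)
        if ($perms.Count -eq 0) {
            [pscustomobject]@{ Datastore = $ds.Name; Role = '(none on object)'; CanAllocate = $false }
            continue
        }
        foreach ($p in $perms) {
            $privs = (Get-VIRole -Name $p.Role).PrivilegeList
            [pscustomobject]@{
                Datastore   = $ds.Name
                Role        = $p.Role
                CanAllocate = ($privs -contains 'Datastore.AllocateSpace')
            }
        }
    }
}

# Expected for Ben: VVols1 -> ReadOnly, CanAllocate False; VVols2 -> DatastoreConsumer, CanAllocate True.
Get-DatastoreAllocateAccess -Principal $user | Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```

Running the audit after every permission change is the practical check: if a datastore that should be off limits ever reports CanAllocate True for a user, either a direct permission was added on the object or a broader role was granted further up the inventory with propagation on.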

So that might be one way to prevent certain users from using certain datastores, seeing as we cannot place permissions on policies. I'd be interested to hear whether this is an issue for other customers. Would the ability to put permissions on different policies be a useful feature? Let me know. How else have you prevented users from accessing a particular datastore? Please share.