In my example, I have two Virtual Volume datastores available for provisioning. Let's say one is an all-flash virtual volume and the other is a hybrid (a mix of flash and spinning disk). Now Ben is an operator/admin, but he should only have privileges to provision VMs on the hybrid VVol datastore. He should not be able to provision onto the all-flash datastore. So I manually set the permissions for Ben on the all-flash datastore (VVols1) to read-only, and left him with full permissions on the hybrid datastore (VVols2):
Now let's see what happens when Ben attempts to select the datastore to which he only has read-only privileges. Keep in mind that Ben can select any policy he wishes, and that in each case both VVol datastores will show up as compliant with the policy, but Ben is now prevented from provisioning on the VVols1 datastore, which is the all-flash one.
So even though both datastores are compatible with the policy, we can see the message which says that this user does not have the privileges to allocate space on the selected datastore. And if we select the other VVol datastore?
Now the compatibility check succeeds, and we can continue to provision here.
And suppose Ben ignores the permission warning above? Can he simply press on and still provision onto the all-flash vvol datastore? The answer is no – he cannot. The wizard will not continue with the provisioning steps:
So that might be one way to prevent certain users from using certain datastores, seeing as we cannot place permissions on policies. I’d be interested to hear if this is an issue for other customers. Is the ability to put permissions on different policies a useful feature? Let me know. How else have you prevented users from accessing a particular datastore? Please share.
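
The read-only assignment described above can also be scripted and then verified from PowerCLI. The following is an added example, not part of the original post: it assumes an existing `Connect-VIServer` session and a hypothetical account name `VSPHERE.LOCAL\ben`, and it checks for the `Datastore.AllocateSpace` privilege, which is the "allocate space" privilege the wizard message refers to.

```powershell
# Added example. Assumes Connect-VIServer has already been run.
# The principal is a hypothetical account name; VVols1 and VVols2 are the
# datastore names used in the post.
$principal = 'VSPHERE.LOCAL\ben'
$allocate  = 'Datastore.AllocateSpace'   # ID of the "Allocate space" privilege

# Assign the built-in ReadOnly role directly on the all-flash datastore,
# unless that exact assignment already exists on the object itself.
$flash  = Get-Datastore -Name 'VVols1'
$direct = Get-VIPermission -Entity $flash -Principal $principal |
    Where-Object { $_.EntityId -eq $flash.Id -and $_.Role -eq 'ReadOnly' }
if (-not $direct) {
    New-VIPermission -Entity $flash -Principal $principal `
        -Role 'ReadOnly' -Propagate:$false | Out-Null
}

# Audit: can this principal allocate space on each VVol datastore?
# Caveat: only permissions granted to this exact principal are evaluated;
# roles that reach the user through group membership are not resolved here.
$report = foreach ($name in 'VVols1', 'VVols2') {
    $ds    = Get-Datastore -Name $name
    $perms = @(Get-VIPermission -Entity $ds -Principal $principal)

    # A permission set directly on the datastore overrides one propagated
    # from a parent object, so prefer direct assignments when present.
    $onObject  = @($perms | Where-Object { $_.EntityId -eq $ds.Id })
    $effective = if ($onObject.Count -gt 0) { $onObject } else { $perms }

    $canAllocate = $false
    foreach ($p in $effective) {
        $role = Get-VIRole -Name $p.Role
        if ($role.PrivilegeList -contains $allocate) { $canAllocate = $true }
    }

    [pscustomobject]@{
        Datastore        = $name
        Principal        = $principal
        EffectiveRoles   = ($effective.Role -join ', ')
        CanAllocateSpace = $canAllocate
    }
}
$report | Format-Table -AutoSize
```

With the setup from the post, the row for VVols1 should report `CanAllocateSpace` as `False`; a `True` there means some role held by the principal on that datastore still carries the allocate-space privilege.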