Things you should know (TYSK) – Content Library Permissions
During the migration of my small ROBO vSAN cluster to a new vCenter I came across a “problem” I wanted to share in my “Things you should know” series. In my current vCenter I have integrated William Lam’s vGhetto Nested ESXi Template Content Library to easily deploy ESXi templates for vSAN testing scenarios. When I deployed the new vCenter 6.0 U2 I decided to use an integrated approach, which means PSC and vCenter on the same appliance. Although I have a designated PSC running in my environment, I don’t want to use it because of upgrade scenarios or dependencies. This environment should be completely independent of every other component.
The configuration is the following:
- vCenter 6.0 U2 incl. PSC
- Joined to my Active Directory
- Added the vCenter admin group to the vCenter hierarchy so I can manage it
When I logged in as my AD admin user and tried to create the content library, I was not able to do it because the add button was greyed out.
I remembered that I had the same issues with the other vCenter but I can’t remember how I solved it previously. That was also a reason for this post! 🙂
After some brief research I found the Hierarchical Inheritance of Permissions for Content Libraries in the vSphere documentation. The following graphic was taken from the documentation page.
In 6.x a new hierarchy level was created, which is the “root object”. As you can see, the Content Library is not a child object of the vCenter Server object, and therefore no permissions were inherited when I added the AD vCenter group to the vCenter object. The Content Library is an object under the root object, and the permissions for it can be found under Administration – Global Permissions. These Global Permissions are applied to the global root and span vSphere and all products that integrate with it. After adding the AD admin account to the Global Permissions I was able to add the Content Library to my vCenter.