Solved

Authorization Policy Issue for Category-Based Access

  • November 11, 2025

Hi. New to Nutanix for only a month, doing testing as a VMware replacement. One thing we currently do in vCenter is have very granular permissions. Only Linux engineers have access to Linux VMs, and Windows engineers to Windows. And Linux and Windows templates already have a pre-defined category attached.

I can build an authorization policy based on the “virtual machine admin” role and apply the scope to only AHV with category of linux and apply it to a linux user. However they cannot seem to build any new VMs, etc. Only manage what current VM has that category. I have tried to all other entity types as full access, but that doesn't seem to work, they can manage both sets of VMs. 

I am probably doing a terrible job explaining this, but if someone can tell me this can be done and give some hints, I can keep trying. I am certain I must be able to duplicate these permissions we already have.

Thank you!

2 replies

aluciani
  • Answer
  • November 14, 2025

Hey ​@Jeff-Atl 

You can limit management actions by category, but VM creation cannot be restricted by category alone. A combination of custom roles and workflow automation is the best solution.

Check out the Nutanix documentation: Prism Central Infrastructure Guide

This might be a suggested approach:

Step 1: Create two custom roles:

  • Linux VM Operator: Includes VM power operations, snapshot, etc., but excludes VM creation.
  • Windows VM Operator: Same idea for Windows.

Step 2: Apply category-based scoping to these roles.
Step 3: Use Calm blueprints or self-service portal for controlled VM creation by OS type.

Always try on a staging or dev env before production. 
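
The three steps from the answer above as a simplified model, added here as an illustration; it is not part of the original thread and is not Nutanix's policy engine or API. The user names, the `OSType` category key, the blueprint names, and the `cross_access` check are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: user names and the "OSType" category key are assumptions.
OPERATOR_OPS = frozenset({"power_on", "power_off", "snapshot"})  # deliberately no "create"

@dataclass(frozen=True)
class Policy:
    user: str
    role: str
    operations: frozenset
    category: Optional[Tuple[str, str]]  # (key, value) scope; None = unscoped

@dataclass(frozen=True)
class VM:
    name: str
    categories: frozenset

# Steps 1 and 2: one operator role per OS, each scoped to its category.
POLICIES = [
    Policy("linux-eng", "Linux VM Operator", OPERATOR_OPS, ("OSType", "Linux")),
    Policy("windows-eng", "Windows VM Operator", OPERATOR_OPS, ("OSType", "Windows")),
]

# Step 3: creation only through a controlled workflow that stamps the category.
BLUEPRINTS = {
    "linux-vm": (("OSType", "Linux"), {"linux-eng"}),
    "windows-vm": (("OSType", "Windows"), {"windows-eng"}),
}

def is_allowed(user, operation, vm, policies):
    """True if a policy for this user grants the operation on a VM in its scope."""
    return any(p.user == user and operation in p.operations
               and (p.category is None or p.category in vm.categories)
               for p in policies)

def create_via_blueprint(user, blueprint, name):
    """Create a VM through the workflow; the category comes from the blueprint."""
    category, launchers = BLUEPRINTS[blueprint]
    if user not in launchers:
        raise PermissionError(f"{user} may not launch {blueprint}")
    return VM(name, frozenset({category}))

def cross_access(policies, vms, home):
    """List (user, operation, vm) grants reaching a VM outside the user's home category."""
    return sorted((user, op, vm.name)
                  for user, cat in home.items() for vm in vms for op in OPERATOR_OPS
                  if cat not in vm.categories and is_allowed(user, op, vm, policies))
```

Running `cross_access` against the intended user-to-category mapping after each policy change flags any grant, such as an unscoped full-access policy, that lets one team reach the other team's VMs.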


  • Author
  • November 14, 2025

Thank you. I got this all working, I did figure out I needed more categories, and I have successfully duplicated our vCenter permissions for the most part. Thank you!