Placing the datastore clusters inside a folder is not an option in some cases, so I decided to write a PowerCLI script that recreates the permissions after a vCenter service restart. As you might know, all permissions set at datastore cluster level are gone after vCenter restarts. This workaround refers to VMware KB 2008326.
First you have to find the affected permissions. This applies to permissions that are set directly on datastore clusters. A datastore cluster is referred to as "StoragePod", so this is the keyword:

Get-VIPermission | Where-Object {$_.EntityId -match 'StoragePod'} | Format-Table -AutoSize

EntityId              Role              Principal        IsGroup Propagate
--------              ----              ---------        ------- ---------
StoragePod-group-p103 ReadOnly          homer            False   True
StoragePod-group-p105 DatastoreConsumer LAB\Domain Users True    True

In this case there are 2 affected entries. The Administrator is not listed, because the permission is set at vCenter level and propagated to all datastore clusters. Recreating the permissions can be done using the following script. Please be aware that I am not a programmer by profession, so this code might be crappy. Also, this script is not supported by VMware, so please test it in a non-production environment.

# EntityId              Role              Principal        IsGroup Propagate
# --------              ----              ---------        ------- ---------
# StoragePod-group-p103 ReadOnly          homer            False   True
$pod = New-Object VMware.Vim.ManagedObjectReference
$pod.type = "StoragePod"
$pod.Value = "group-p103"
$perm = New-Object VMware.Vim.Permission
$perm.roleId = -2
$perm.principal = "homer"
$perm.group = $false
$perm.propagate = $true
$auth = Get-View -Id 'AuthorizationManager-AuthorizationManager'
$auth.SetEntityPermissions($pod, $perm)

# EntityId              Role              Principal        IsGroup Propagate
# --------              ----              ---------        ------- ---------
# StoragePod-group-p105 DatastoreConsumer LAB\Domain Users True    True
$pod = New-Object VMware.Vim.ManagedObjectReference
$pod.type = "StoragePod"
$pod.Value = "group-p105"
$perm = New-Object VMware.Vim.Permission
$perm.roleId = 8
$perm.principal = "LAB\Domain Users"
$perm.group = $true
$perm.propagate = $true
$auth = Get-View -Id 'AuthorizationManager-AuthorizationManager'
$auth.SetEntityPermissions($pod, $perm)

You can set up this script to run automatically after the vCenter service starts.
Use the Get-VIRole cmdlet to find the corresponding role IDs. For the standard roles these are:
-5 = NoAccess
-4 = Anonymous
-3 = View
-2 = ReadOnly
-1 = Admin
4 = VirtualMachinePowerUser
5 = VirtualMachineUser
6 = ResourcePoolAdministrator
7 = VMwareConsolidatedBackupUser
8 = DatastoreConsumer
9 = NetworkConsumer
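
A data-driven variant of the script above, as an added example that is not part of the original post: it saves the datastore cluster permissions to a CSV file before a restart, recreates them afterwards with role IDs looked up through Get-VIRole instead of hard-coded, and reports any entries that are still missing. The CSV path and the three function names are assumptions, and an existing Connect-VIServer session is assumed.

```powershell
# Added example, not from the original post. Assumes an existing Connect-VIServer
# session; the CSV path and all three function names are hypothetical.
$BackupFile = 'C:\Scripts\storagepod-permissions.csv'

function Export-StoragePodPermission {
    # Run while the permissions still exist (before a vCenter service restart).
    Get-VIPermission |
        Where-Object { $_.EntityId -match '^StoragePod-' } |
        Select-Object EntityId, Role, Principal, IsGroup, Propagate |
        Export-Csv -Path $BackupFile -NoTypeInformation
}

function Restore-StoragePodPermission {
    # Run after the vCenter service has started again.
    $auth = Get-View -Id 'AuthorizationManager-AuthorizationManager'
    foreach ($row in Import-Csv -Path $BackupFile) {
        # Resolve the role by name instead of hard-coding its numeric ID.
        $role = Get-VIRole -Name $row.Role -ErrorAction Stop
        # 'StoragePod-group-p103' -> Type 'StoragePod', Value 'group-p103'
        $type, $value = $row.EntityId -split '-', 2
        $pod = New-Object VMware.Vim.ManagedObjectReference
        $pod.Type  = $type
        $pod.Value = $value

        $perm = New-Object VMware.Vim.Permission
        $perm.RoleId    = $role.Id
        $perm.Principal = $row.Principal
        # Import-Csv yields strings, so convert 'True'/'False' back to booleans.
        $perm.Group     = [System.Convert]::ToBoolean($row.IsGroup)
        $perm.Propagate = [System.Convert]::ToBoolean($row.Propagate)
        $auth.SetEntityPermissions($pod, @($perm))
    }
}

function Test-StoragePodPermission {
    # Returns the backup rows that are missing from the live permission list.
    $live = Get-VIPermission | Where-Object { $_.EntityId -match '^StoragePod-' } |
        ForEach-Object { "$($_.EntityId)|$($_.Role)|$($_.Principal)" }
    Import-Csv -Path $BackupFile |
        Where-Object { $live -notcontains "$($_.EntityId)|$($_.Role)|$($_.Principal)" }
}
```

Every row in the CSV becomes a permission on the next restore, so keep the file writable only by the account that runs the script. An empty result from Test-StoragePodPermission means all saved entries are present again.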