Assigning VLAN / Portgroup permissions in vCenter 4

Something I have been wanting since Virtual Center 2.5 / ESX 3.x is VLAN permissions. I would like to be able to allow certain admins to connect VLANs (to be 100% correct I should call them portgroups) to a VM, while for the DMZ VLANs, for example, only a specific group of admins should have permission to connect them. Today I stumbled upon it by accident when my colleague Jos Vanaubel was figuring out an issue with a user not being able to change the VLAN of a VM.


How to set permissions on VLANs

It can actually be done in two easy steps:

- First, give a user or preferably a group permissions to change the configuration settings of a VM.
- Second, set the permissions on the portgroup object of the VLAN in the networking section of vCenter.

Let’s work with the following example. Within a company there are two business units, each with its own admin group (GR-Admin-A and GR-Admin-B) that manages its own VMs. They both use the same vSphere infrastructure.


First step

Log on to vSphere as admin and go to the VMs and Templates view. Create two folders called BU-A and BU-B and move some VMs into each folder. Next, assign the group GR-Admin-A the “Virtual Machine Poweruser” role on folder BU-A and do the same for GR-Admin-B on folder BU-B. Make sure you check “Propagate to child objects”.

For the overall admin it looks like this.

For a member of the GR-Admin-A group, it looks like this.


Second step

In the second step we repeat the whole exercise, but now in the networking section. Create a folder BU-A and move the portgroup objects for the VLANs that GR-Admin-A should control into the BU-A folder. Assign Administrator permissions on this folder to the GR-Admin-A group. Repeat the same for the BU-B folder and the GR-Admin-B group.

For the overall admin it looks like this.

For a member of the GR-Admin-A group, it looks like this.


Verify if it works

To verify that it works, log on to the vSphere client using an account that is a member of the GR-Admin-A group and navigate to the VMs and Templates section. This user should only see the folder BU-A. Now edit a VM’s settings and go to the network adapter. The user should only see the VLANs from the BU-A group.
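
The same two steps can be scripted. The following is an added example, not part of the original post: a PowerCLI sketch that creates both folder pairs, assigns the roles with propagation, and lists the resulting permissions for review. It assumes a PowerCLI release that provides `New-VIPermission` and `ExtensionData`, and an existing `Connect-VIServer` session. The datacenter name, AD domain and portgroup names are placeholders, and the role names are the internal names of the built-in roles.

```powershell
# Added example. Placeholders below are not from the article; replace them.
$dcName     = 'DC01'        # placeholder: datacenter name
$domain     = 'EXAMPLE'     # placeholder: AD domain that holds the admin groups
$groups     = @{ 'BU-A' = 'GR-Admin-A'; 'BU-B' = 'GR-Admin-B' }
$portGroups = @{            # placeholder: portgroup names per business unit
    'BU-A' = @('PG-BU-A-VLAN')
    'BU-B' = @('PG-BU-B-VLAN')
}

$dc      = Get-Datacenter -Name $dcName
$vmRoot  = Get-Folder -Name 'vm'      -Type VM      -Location $dc -NoRecursion
$netRoot = Get-Folder -Name 'network' -Type Network -Location $dc -NoRecursion

# Internal names of the built-in roles shown in the client as
# "Virtual Machine Power User" and "Administrator".
$vmRole  = Get-VIRole -Name 'VirtualMachinePowerUser'
$netRole = Get-VIRole -Name 'Admin'

foreach ($bu in $groups.Keys) {
    $principal = "$domain\$($groups[$bu])"

    # First step: VM folder, role propagated to child objects.
    # Moving VMs into the folder (Move-VM -Destination $vmFolder) is left out.
    $vmFolder = New-Folder -Name $bu -Location $vmRoot
    New-VIPermission -Entity $vmFolder -Principal $principal `
        -Role $vmRole -Propagate:$true | Out-Null

    # Second step: network folder, move the portgroup objects into it,
    # then grant the group permissions on the folder.
    $netFolder = New-Folder -Name $bu -Location $netRoot
    foreach ($pg in $portGroups[$bu]) {
        $filter = @{ 'Name' = '^' + [regex]::Escape($pg) + '$' }
        $net = Get-View -ViewType Network -Filter $filter
        if (-not $net) { Write-Warning "Portgroup '$pg' not found"; continue }
        $netFolder.ExtensionData.MoveIntoFolder(@($net.MoRef))
    }
    New-VIPermission -Entity $netFolder -Principal $principal `
        -Role $netRole -Propagate:$true | Out-Null
}

# Review: each group should appear only on its own BU folders.
Get-Folder -Name @($groups.Keys) | Get-VIPermission |
    Select-Object Entity, Principal, Role, Propagate | Format-Table -AutoSize
```

In the final listing, GR-Admin-A should appear only on the two BU-A folders and GR-Admin-B only on the two BU-B folders.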