ACL Virtual machine permissions based on Cluster


Is there any solution to give a group use/mange permissions for virtualmachines within Cluster ID?

I get a error message when apply this setting:
CLUSTER(%) selector can be applied only to DATASTORE, HOST and NET types


I’m afraid that is not possible. You can impose cluster-based restrictions to objects that are part of a cluster. (hosts, datastores or networks).

VM access restrictions can be imposed based on group ownership

Okey… Another use case:
Every user is a ldap user and i have multiple groups:

Admins_group ( ldap based)

  • mange permissons on every vm within cluster.

User_group (local groups manual action)

  • users are added to this group to use (1 or more vm`s)

How can i accomplice this?

I think the best approach in your case is Virtual Datacenters (

You can:

  • Create a VDC and associate a cluster to it
  • Create a group of users associated to this VDC
  • Create a group-admin to act as a tier-1 admin for the group with permission over user management and group resources.

Something like this? I dont see any vm`s when im user of admin group.


There should be an ACL (automatically created) that allow group admins to manage resources in the group as the group only have access to a cluster you should get (to some extent) the behavior you are looking for.

Create a group and a group admin
Then create a VDC for this group and clusters you like.

ACLs should look like this:

As you see the admin has manage rights over the test_group resources

Sorry maybe i`m doing somethings wrong :confused:

Nothing found when i`m logged as admin user.

No, you are not doing anything wrong. This is the “to some extent” I refer to. THe VM is owned by oneadmin, this is only going to work for the VMs created within the VDC i.e. by people on the VDC group.