Restricting Enumeration of vSphere Objects in vCAC

I got asked today about how we could prevent certain objects from being enumerated in vCAC – ostensibly to prevent provisioning to them, or simply to provide less clutter when you are creating Reservations. Objects that you may want to do this for are Management Networks, Local Datastores, Resource Pools… the list could go on but those are the immediate ones that come to mind.

This is a great opportunity to make use of the “No Access” permission in vCenter – or at least I thought so. A little testing was required to confirm that this was the case.

I created two new port groups – once called “Denied” and one called “Not Denied” (yes, creativity is my middle name). On Denied, I applied the “No Access” permission to the vCAC Service Account defined in the Endpoint configuration.

NewImage

On Not Denied, I left the default permissions in place.

NewImage

The next step was to head over to vCAC, and kick off an Inventory Collection. Once that was complete I went to the associated Reservations and found the following:

Reservation

Awesome – now I’ll go and hide some of those other pesky Port Groups.

This does highlight one valuable thought for me – make sure that vCAC has it’s own service account, because messing with permissions of existing service accounts will likely get you into trouble.