VMFS Datastore Permissions, useful for SRM

Lately I visited a customer who, depending on their customers SLA, provided either SRM protected VM’s (SLA-1) or non-SRM protected VM’s (SLA-2). The technical difference between these SLA’s is that SRM protected VM’s must be placed on LUN’s that are replicated between storage arrays. Different departments are responsible for creating either SLA-1 or SLA-2 VM’s and operational procedures are in place to make sure that the right VMFS datastores is selected while provisioning new VM’s. 

Unfortunately VM’s get provisioned on the wrong LUN/VMFS Datastore very often (so either replicated or non-replicated) and this becomes visible in SRM since “Not Configured VM’s” started popping-up as shown in the screenshot below. 

Just as a side note, whenever a VM gets provisioned on a datastore that is part of a Protection Group (Datastore Group), the VM gets added to the Protection Group automatically but still needs configuration in order to really get protected by SRM. 

The solution is very easy. Since two different departments are provisioning the VM’s it can all be arranged by Datastore Permissions, a feature introduced in vSphere. 

In my test environment I created a simple setup. From within the Datastore-view I created a “Non Replicated” and a “Replicated” folder and placed the correct datastores in the folders. Next step is to assign user permissions to the folders, in my example I created a user “test1” with Administrator permission on the whole environment except on the “Replicated Datastores”-folder. 

Whenever user “test1” wants to provision a VM and store it on a datastore that is placed in the “Replicated Datastores”-folder he will get an error message stating that he is not allowed to.

Please be aware that Datastore Permissions are only valid when connecting via vCenter because it is a vCenter property and only vCenter will check these settings, no changes are made to the volume itself.