One of VMware's strategies seems to be phasing out the standalone vSphere client in favour of the Web Client. Moreover, some tasks are no longer available in the traditional client and can only be performed from the Web Client; for details see KB 2109808.
This transition is not free of problems; in particular, upgrading to vCenter Server or the VMware vCenter Server Appliance (VCSA) 6.0 can bring unexpected issues or inconsistencies between the two clients with regard to permissions.
Typically, permissions set from the vSphere client will continue to work there but stop working in the Web Client. For instance, a common symptom in the Web Client is an empty inventory when not using an account with an administrative role.
Some examples of these issues are described in the KBs "After upgrading to VMware vCenter Server Appliance 6.0 users are unable to view the inventory in the vSphere Web Client" (2125628), "Users are unable to power on virtual machine with the Virtual Machine Power User role in vCenter Server 6.0" (2119161) and "Inventory objects fail to display in vSphere Web Client 6.0" (2144934).
In my case, after the Virtual Center was upgraded to vCSA 6.0.20000, the traditional way of assigning permissions continued to work in the “classic” vSphere client, but a non-administrative user could not even see its virtual machines in the Web Client. As that account belongs to a team of developers, it would definitely not be OK to just grant them administrative permissions.
There might be an easier solution than mine, but to make a long story short, what needed to be done to solve this odd issue was:
A) Their account had to be recreated under the local administrative domain vsphere.local.
B) Permissions had to be granted from the top level on the Datacenter, Storage and VM folders, with propagation enabled.
C) The most tedious part was then to remove access to objects they should not reach by setting “No access” on the relevant VM folders and especially on each single virtual machine not part of their job. Here read-only access was not an option, since they should not see servers belonging to other teams.
Still referring to the Web Client, the process of granting granular permissions seems to work with no particular hassle when using an Active Directory account or group; for instance, when having to grant a team permissions to clone only specific virtual machines, it was necessary to set their role with the permissions described here and then make sure that the same group is added to the cluster, datacenter and vCenter objects (be careful not to propagate on these objects).
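Steps B) and C) above, plus the non-propagating parent entries of the clone scenario in the last paragraph, scripted with PowerCLI as an added example (not the post's own code). It assumes the vsphere.local group from step A) already exists; the vCenter address, datacenter, folder, VM, AD group and custom role names are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Assumptions: VMware.PowerCLI is
# installed, VSPHERE.LOCAL\devteam was created as in step A, and every name
# below (vCenter, datacenter, folder, VMs, AD group, 'Dev-Clone' role) is a
# placeholder.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcsa.example.local' | Out-Null

$principal  = 'VSPHERE.LOCAL\devteam'
$dc         = Get-Datacenter -Name 'DC01'
$teamFolder = Get-Folder -Name 'Dev' -Type VM -Location $dc
$teamVMs    = @('dev-web-01', 'dev-db-01')               # the only VMs the team may see
$teamRole   = Get-VIRole -Name 'VirtualMachinePowerUser' # built-in sample role
$noAccess   = Get-VIRole -Name 'NoAccess'                # shown as "No access" in the clients

# Step B: grant the role at the top level with propagation, otherwise the
# Web Client shows this principal an empty inventory.
New-VIPermission -Entity $dc -Principal $principal -Role $teamRole -Propagate:$true | Out-Null

# Step C: take the view back. Every VM folder outside the team's own tree
# gets "No access" (propagating); every VM not on the team list gets it too.
$teamTree = @($teamFolder.Id) + @(Get-Folder -Location $teamFolder | Select-Object -ExpandProperty Id)
Get-Folder -Type VM -Location $dc | Where-Object { $teamTree -notcontains $_.Id -and $_.Name -ne 'vm' } |
    ForEach-Object { New-VIPermission -Entity $_ -Principal $principal -Role $noAccess -Propagate:$true | Out-Null }
Get-VM -Location $dc | Where-Object { $teamVMs -notcontains $_.Name } |
    ForEach-Object { New-VIPermission -Entity $_ -Principal $principal -Role $noAccess -Propagate:$false | Out-Null }

# Check: any VM outside the team list without an explicit NoAccess entry for
# this principal would still be listed in the Web Client.
$exposed = foreach ($vm in Get-VM -Location $dc) {
    if ($teamVMs -contains $vm.Name) { continue }
    $denied = Get-VIPermission -Entity $vm -Principal $principal | Where-Object { $_.Role -eq 'NoAccess' }
    if (-not $denied) { $vm.Name }
}
if ($exposed) { Write-Warning "Still visible to ${principal}: $($exposed -join ', ')" }

# Clone scenario from the last paragraph: the AD group carries its custom role
# on the VMs it may clone and is also listed, WITHOUT propagation, on the
# cluster, the datacenter and the vCenter root folder.
$adGroup   = 'CORP\vm-cloners'
$cloneRole = Get-VIRole -Name 'Dev-Clone'
foreach ($parent in @((Get-Folder -NoRecursion), $dc, (Get-Cluster -Location $dc))) {
    New-VIPermission -Entity $parent -Principal $adGroup -Role $cloneRole -Propagate:$false | Out-Null
}
```

Run `Get-VIPermission -Principal $principal | Format-Table Entity, Role, Propagate` afterwards to review the full set of entries the script created.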