With the advent of cloud-based computing, virtualized datacenters have become more prevalent. By implementing and using virtual machines, which are software emulations of physical computers, virtualized datacenters have significant advantages over traditional, hardware-oriented datacenters, such as improved hardware utilization, efficient energy use, and lower equipment costs. Further, the configuration and deployment of traditional servers is a lengthy and time-consuming process, while virtual machines may be deployed more easily in response to organizations' computational requirements. In large cloud-based virtualized datacenter environments, end users who require access to various datacenter resources typically require permissions to those resources. For example, a user who needs to access and execute a virtual machine normally needs permission to start the virtual machine, to execute the virtual machine on a physical host, and to store virtual machine files to a datastore. Because large virtualized datacenter environments may include hundreds of end users, each of whom requires access to a diverse set of system resources, the task of managing access permissions to those resources becomes unwieldy. Indeed, a system administrator who seeks to manage permissions in such an environment is often required to define, update, and delete permissions for each user and for each resource. With thousands of resources to maintain, a more centralized solution is needed.
In the past, permissions to resources in virtualized datacenters were managed by organizing those resources into folders and managing permissions on a folder basis. A folder contains a collection of managed system resources (or inventory objects, as they are often referred to), where the resources contained in the folder are of the same type. Thus, a folder that contains virtual machines may only contain virtual machines, a folder that contains networking devices may only contain such devices, and so forth. This solution has proven somewhat advantageous because user permissions on a folder are applied to all resources contained therein. However, the folder solution suffers from drawbacks. First, users need access to a diverse range of system resources, which cannot exist in a common folder. Thus, separate permissions must be maintained for each folder group; there is no way to group folders that contain unlike inventory objects together. As different types of objects (e.g., storage devices, networking components, and so on) are developed, the problem of maintaining separate permissions on a per-folder basis becomes more pronounced. Further, permissions maintained on a folder are applied to all objects in that folder on a group basis. That is, permissions and privileges on folder objects are derived from the folder itself, not from the inventory objects individually. This means that, when an inventory object in a folder is moved to a different folder, the permissions and privileges associated with that inventory object are inaccessible and, thus, need to be redefined.
This stands in contrast to the assignment of permissions on individual objects. In such a case, the permissions are unaffected by moving objects around a folder hierarchy. However, this solution, as mentioned above, suffers from being non-scalable with respect to administration.
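The folder-based and per-object models contrasted above, as an added illustration that is not part of the patent text; the object, folder, user and privilege names are constructed, and the same-type rule for folders is enforced by a simple kind check:

```python
from dataclasses import dataclass, field
# Constructed illustration: object, folder, user and privilege names are made up.
@dataclass
class InventoryObject:
    name: str
    kind: str  # "vm", "network", "datastore", ...

@dataclass
class Folder:
    name: str
    kind: str  # a folder holds inventory objects of a single type
    permissions: dict = field(default_factory=dict)  # user -> set of privileges
    def check(self, obj):  # unlike objects cannot share a folder
        if obj.kind != self.kind:
            raise ValueError(f"folder {self.name!r} holds only {self.kind!r} objects")

class FolderBasedModel:
    """Privileges are derived from the folder that currently contains the object."""
    def __init__(self):
        self.location = {}  # object name -> Folder
    def place(self, folder, obj):
        folder.check(obj)
        self.location[obj.name] = folder
    def move(self, obj, dest):
        self.place(dest, obj)  # the old folder's grants stay with the old folder
    def effective(self, user, obj):
        return set(self.location[obj.name].permissions.get(user, ()))

class PerObjectModel:
    """Privileges are attached to the object itself, so relocation cannot change them."""
    def __init__(self):
        self.acl = {}  # (user, object name) -> set of privileges
    def grant(self, user, obj, privs):
        self.acl.setdefault((user, obj.name), set()).update(privs)
    def effective(self, user, obj):
        return set(self.acl.get((user, obj.name), ()))

def compare_models():
    """Grant alice start/execute on a VM, relocate it, return privileges before and after."""
    vm = InventoryObject("web-01", "vm")
    prod = Folder("prod-vms", "vm", {"alice": {"start", "execute"}})
    staging = Folder("staging-vms", "vm")  # no permissions defined here for alice
    fm = FolderBasedModel()
    fm.place(prod, vm)
    before = fm.effective("alice", vm)
    fm.move(vm, staging)
    after = fm.effective("alice", vm)  # empty: the grant stayed behind on prod-vms
    om = PerObjectModel()
    om.grant("alice", vm, {"start", "execute"})  # keyed on the object, so a move is a no-op
    return {"folder": (before, after), "object": om.effective("alice", vm)}
```

Under the folder model the administrator must re-grant alice's privileges on the destination folder after every move, which is the redefinition burden the text describes.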