vCenter


Adding Permission to an object throws the error

  • 1.  Adding Permission to an object throws the error

    Posted Mar 23, 2019 06:19 AM

    We have recently upgraded our vCenter from 6.0 to 6.7, build 11727113. After the upgrade, we have experienced what seems to be a bug regarding assigning privileges to objects like VMs or folders in vCenter.

    My user is a part of a group 'Administrators', which has global Administrator Permissions.

    The problem I am experiencing right after the upgrade is when I try to add permissions to a local vCenter user using my administrator account, I get the following error:

    "The requested change cannot be completed because it could leave the system without full administrative privileges for a user or group."

    After doing a bit of googling I stumbled on the only post that addresses the error: VMware Knowledge Base

    From what it seems, it has nothing to do with the issue I have, since I am not trying to do anything with users that have global permissions; I am just trying to give some permissions to a newly created user on vCenter. This makes the infrastructure virtually unusable, and the only proper way I see is to just reinstall vCenter (which will require downtime that I would really like to avoid), and that might not even solve the issue.

    My colleague has recently tried to reproduce the issue with the same vCenter, and he didn't have the same issue. So the issue might arise specifically during the upgrade process and not on a fresh install.

    What we found different, is that global permissions on our infrastructure currently look something like this:

    And this is what fresh install looks like:

    We used Migrate to the vCenter Server Appliance - VMware vSphere Blog to migrate.



  • 2.  RE: Adding Permission to an object throws the error

    Posted Mar 27, 2019 02:49 PM

    I have this same issue now that I've upgraded to 6.7U1 from 6.5. The vCenter object is not showing Global Permission inheritance under the "Permissions" tab. I can add a user to the Global Permissions as Administrator, but with no inheritance the permissions are applied to the child objects. I cannot add them to the vCenter object, datacenter object, cluster object, etc. without the error message you are receiving.

    Before doing the upgrade this user was in the Global Permissions area as Administrator and could log in to vCenter.



  • 3.  RE: Adding Permission to an object throws the error

    Posted Mar 27, 2019 08:49 PM

    I think overall that is just a migration process problem. We ended up deciding to install 6.7 from scratch and manually transfer the configuration.

    Some things like folder structures could be migrated from the old infrastructure with PowerCLI (there are a couple of articles on that).

    Overall, this seems to be a very recent issue, since I couldn't find anything related to it.



  • 4.  RE: Adding Permission to an object throws the error

    Posted Mar 27, 2019 09:26 PM

    I upgraded an identical vCenter on a different network at the same time and do not have permission issues; very frustrating.

    I have a support ticket open with VMware with a call scheduled for tomorrow. I'll report back if we find any solutions.



  • 5.  RE: Adding Permission to an object throws the error

    Posted Apr 29, 2019 07:47 PM

    Hey, any updates on your ticket?



  • 6.  RE: Adding Permission to an object throws the error

    Posted Apr 30, 2019 10:41 AM

    VMware could not find a solution during our support call. With no confidence in the vCenter installation I opted to start from scratch. My new vCenter is working great.

    There seems to be some issue with the migration process, probably tied to the internal PSC. I provided all the logs I could to the engineer with the hopes that in future releases this issue will be solved.



  • 7.  RE: Adding Permission to an object throws the error

    Posted May 01, 2019 10:01 PM

    Thanks for clarifying!



  • 8.  RE: Adding Permission to an object throws the error

    Posted Sep 11, 2019 04:10 PM

    Same issue. Opened a ticket. vCenter is useless now on 6.7 U2.



  • 9.  RE: Adding Permission to an object throws the error

    Broadcom Employee
    Posted Mar 28, 2019 11:46 AM

    The default Administrator group "vsphere.local\Administrator" is not shown in your first screenshot?

    Was that removed earlier, or during the upgrade?

    Regards

    Lokesh



  • 10.  RE: Adding Permission to an object throws the error

    Posted Mar 28, 2019 07:30 PM

    The first screenshot is after the upgrade, and the second screenshot is "clean install".



  • 11.  RE: Adding Permission to an object throws the error

    Posted Nov 19, 2019 09:56 AM

    Hello,

    same problem here. Does anyone have a solution without reinstalling the Appliance?



  • 12.  RE: Adding Permission to an object throws the error

    Posted Dec 16, 2020 03:36 PM

    We encountered this issue when updating 6.7 and Level 2 support resolved this issue and reported the following:

    Found 3 entries for the SSO administrator in the vCenter database and cleared 2 extra entries from the database.



  • 13.  RE: Adding Permission to an object throws the error

    Posted Dec 07, 2021 05:25 PM

    I know this is an old thread but I'm working on a 6.7 system and am having the exact same issue. Wonder if anyone has steps to check database entries as posted above? Or anything else to try?



  • 14.  RE: Adding Permission to an object throws the error

    Posted Dec 10, 2021 02:55 PM

    In case anyone sees this thread in the future here's what I did to fix it.

    1. Take a snapshot of the vCenter server.

    2. Connect to the vCenter database:

    root@VCSA [~]# /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres

    3. Run the following SQL query to show SSO Administrator account info:

    VCDB=# SELECT id, principal, role_id, entity_id, flag, surr_key FROM vpx_access;

    4. You may see multiple entries for the SSO Administrator account. You need to delete the extras, leaving only the first entry (in the example below we'll delete 706 and 1201):

      id  |          principal          | role_id | entity_id | flag | surr_key
    ------+-----------------------------+---------+-----------+------+----------
        1 | VSPHERE.LOCAL\Administrator |      -1 |         1 |    1 |        1
      410 | VSPHERE.LOCAL\AdminCDW      |      -1 |        30 |    1 |        6
      411 | VSPHERE.LOCAL\AdminCDW      |      -1 |        48 |    1 |        7
      412 | VSPHERE.LOCAL\AdminCDW      |      -1 |        36 |    1 |        8
      706 | VSPHERE.LOCAL\Administrator |      -1 |     20495 |    1 |       10
     1201 | VSPHERE.LOCAL\Administrator |      -1 |         1 |    1 |       15
    (6 rows)

    5. Stop the VPXD service:

    root@VCSA [~]# service-control --stop vmware-vpxd

    6. Delete the extra SSO Administrator entries:

    VCDB=# DELETE FROM vpx_access WHERE id IN (706,1201);

    7. Exit the SQL prompt:

    VCDB=# \q

    8. Start the VPXD service:

    root@VCSA [~]# service-control --start vmware-vpxd

    9. You should now be able to modify permissions.
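The database clean-up in the post above, and the Level 2 support fix reported in post 12, as an added example that is not part of the original thread and not VMware tooling: a POSIX shell script that parses the output of the vpx_access query (aligned psql output as pasted above, or `psql -A` unaligned output), lists every row for the SSO Administrator principal, and generates the DELETE statement for review instead of running it. It refuses to produce a DELETE unless the row it would keep is the Administrator grant on entity_id 1, so the script can never propose removing the one row that keeps a full administrator in place. The principal spelling VSPHERE.LOCAL\Administrator, the assumption that entity_id 1 is the root folder, and the `--stdin` flag are this example's own choices; the sample table is the one from the post above.

```shell
#!/bin/sh
# Added example, not the original poster's procedure or VMware tooling.
# Parses the output of
#   SELECT id, principal, role_id, entity_id, flag, surr_key FROM vpx_access;
# (aligned or psql -A unaligned), lists every row for the SSO Administrator
# principal and generates the DELETE for review instead of running it.
# Assumptions: the principal is spelled VSPHERE.LOCAL\Administrator, and
# entity_id 1 is the root folder, i.e. the grant that the "without full
# administrative privileges" guard exists to protect.

ADMIN_PRINCIPAL='VSPHERE.LOCAL\Administrator'

# Constructed sample input: the table from the post above.
SAMPLE_OUTPUT='  id  |          principal          | role_id | entity_id | flag | surr_key
------+-----------------------------+---------+-----------+------+----------
    1 | VSPHERE.LOCAL\Administrator |      -1 |         1 |    1 |        1
  410 | VSPHERE.LOCAL\AdminCDW      |      -1 |        30 |    1 |        6
  411 | VSPHERE.LOCAL\AdminCDW      |      -1 |        48 |    1 |        7
  412 | VSPHERE.LOCAL\AdminCDW      |      -1 |        36 |    1 |        8
  706 | VSPHERE.LOCAL\Administrator |      -1 |     20495 |    1 |       10
 1201 | VSPHERE.LOCAL\Administrator |      -1 |         1 |    1 |       15
(6 rows)'

# admin_rows PRINCIPAL: read query output on stdin, print "id entity_id" for
# each row of that principal, lowest id first. The principal is passed through
# the environment because awk -v would reinterpret the backslash.
admin_rows() {
    WANT="$1" awk -F'|' '
        BEGIN { want = ENVIRON["WANT"] }
        NF < 6 { next }                    # "-----+----" rule and "(6 rows)" trailer
        {
            id = $1; p = $2; ent = $4
            gsub(/^ +| +$/, "", id); gsub(/^ +| +$/, "", p); gsub(/^ +| +$/, "", ent)
            if (id !~ /^[0-9]+$/) next     # column-header line
            if (p == want) print id, ent
        }' | sort -n
}

# extra_admin_ids: ids of every Administrator row except the first (lowest id),
# space separated; these are the candidates for deletion.
extra_admin_ids() {
    admin_rows "$ADMIN_PRINCIPAL" |
        awk 'NR > 1 { printf "%s%s", (NR > 2 ? " " : ""), $1 } END { if (NR > 1) print "" }'
}

# delete_statement: emit the DELETE for the extra rows, but only if the row
# being kept is the Administrator grant on entity_id 1 (assumed root folder).
# Deleting that row would leave vCenter without any full administrator.
delete_statement() {
    rows=$(admin_rows "$ADMIN_PRINCIPAL")
    set -- $(printf '%s\n' "$rows" | head -n 1)
    if [ "${2:-}" != "1" ]; then
        printf 'refusing: first %s row (id %s) is not the grant on entity_id 1\n' \
            "$ADMIN_PRINCIPAL" "${1:-none}" >&2
        return 2
    fi
    ids=$(printf '%s\n' "$rows" | awk 'NR > 1 { printf "%s%s", (NR > 2 ? "," : ""), $1 }')
    if [ -z "$ids" ]; then
        printf 'no extra %s rows; nothing to delete\n' "$ADMIN_PRINCIPAL" >&2
        return 1
    fi
    printf 'DELETE FROM vpx_access WHERE id IN (%s);\n' "$ids"
}

# With --stdin, read real psql output; otherwise run against the sample table.
if [ "${1:-}" = "--stdin" ]; then
    delete_statement
else
    printf '%s\n' "$SAMPLE_OUTPUT" | delete_statement
fi
```

Run against the sample it prints `DELETE FROM vpx_access WHERE id IN (706,1201);`. On an appliance the same query from the post can be piped in (`psql -d VCDB -U postgres -c "SELECT ..." | sh vpx_dupes.sh --stdin`), and the generated statement is then reviewed and executed by hand in the same order as the post: snapshot first, stop vmware-vpxd, run the DELETE, start vmware-vpxd.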