In case anyone sees this thread in the future here's what I did to fix it.
1. Take a snapshot of the vCenter server.
2. Connect to vCenter database:
root@VCSA [~]# /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres
3. Run the following SQL query to show SSO Administrator account info:
VCDB=# Select id, principal, role_id, entity_id, flag, surr_key from vpx_access;
4. You may see multiple entries for the SSO Administrator account. You need to delete the extras, leaving only the first entry (in the example below we'll delete 706 and 1201):
id | principal | role_id | entity_id | flag | surr_key
------+------------------------+---------+-----------+------+----------
1 | VSPHERE.LOCAL\Administrator | -1 | 1 | 1 | 1
410 | VSPHERE.LOCAL\AdminCDW | -1 | 30 | 1 | 6
411 | VSPHERE.LOCAL\AdminCDW | -1 | 48 | 1 | 7
412 | VSPHERE.LOCAL\AdminCDW | -1 | 36 | 1 | 8
706 | VSPHERE.LOCAL\Administrator | -1 | 20495 | 1 | 10
1201 | VSPHERE.LOCAL\Administrator | -1 | 1 | 1 | 15
(6 rows)
5. Stop the VPXD service:
root@VCSA [~]# service-control --stop vmware-vpxd
6. Delete the extra SSO Administrator entries:
VCDB=# Delete From vpx_access WHERE id in (706,1201);
7. Exit the SQL prompt:
VCDB=# \q
8. Start the VPXD server:
root@VCSA [~]# service-control --start vmware-vpxd
9. You should now be able to modify permissions.