Good Evening,
One of my admins accidentally applied the "no access" permission to a Nutanix CVM for the administrator@vsphere.local account. Thus we are unable to view or make any changes to the VM. We were in the process of upgrading the memory on our CVMs, but can't even view the 1 CVM in question due to permissions.
Is there a way to reset the permissions on this VM to where administrator@vsphere.local or another account can view or make changes to it? Possibly via the CLI?
Let me know your thoughts.
I have been beating my head on this for a few hours.
Thank you in advance!
Have you set up AD integration and configured domain accounts with admin permissions? Then you are able to log in with that and change the permissions for that particular VM. Or is administrator@vsphere.local the only account able to change permissions? If so, I guess you are out of luck.
Yes, AD has been integrated in my vCenter and we did set up a group with admin permissions.
But the admin permissions are not set on this particular VM. Do I add another AD account with administrator permissions and set that globally? Will those permissions propagate to the VM?
What about logging in with an account from that group with admin permissions, and then setting the permissions on that particular VM back for administrator@vsphere.local?
Appears my admin gave the "no access" on the VM for the admin group as well. So basically the admin group and administrator@vsphere.local have no access permissions on this 1 VM. Shouldn't newly created accounts or groups that have administrator privileges on the host with the "propagate to children" propagate onto the VM in question?
Thanks,
If you create a user or group permission on a parent object (for example a host, cluster or vCenter), you have the possibility to activate the option "Propagate to children". So these permissions automatically apply to all dependent child objects (clusters, hosts or VMs).
But permissions on a child object can always override the permissions of a parent object. For example, group A has the role "Administrators" on the cluster level (and is propagated to all children) and you set the permissions on a particular VM to "read-only" for this group A. So, group A only has read-only rights on this VM. But if you remove this permission on the VM, the users of group A have administrative permissions again on this VM.
See: Hierarchical Inheritance of Permissions
sk84, I gave a new user administrator access on the cluster, and the permissions did not propagate to the VM in question.
Any other ideas?
I was able to correct the issue by creating a new @vsphere.local account on the cluster and propagating the permissions down to the VMs. Thanks for your help, gentlemen.
Glad we could help. Please close this discussion.
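The inheritance rules described in this thread, as a small Python model added here for illustration (it is not code from any poster or from VMware). The inventory names, the group `CORP\vc-admins` and the account `rescue@vsphere.local` are constructed, and the model covers only three rules: a child entry overrides the parent, "Propagate to children", and a user entry taking precedence over group entries on the same object.

```python
# Simplified model of vSphere permission resolution. Assumption: only the rules
# discussed in this thread are modelled (no global permissions, no privileges).

# Constructed inventory: child object -> parent object
PARENT = {"cvm-01": "host-01", "host-01": "cluster-01", "cluster-01": None}

# Constructed permission entries: (object, principal) -> (role, propagate_to_children)
PERMS = {
    ("cluster-01", "administrator@vsphere.local"): ("Administrator", True),
    ("cluster-01", "CORP\\vc-admins"): ("Administrator", True),
    # The accidental overrides set directly on the CVM:
    ("cvm-01", "administrator@vsphere.local"): ("No access", False),
    ("cvm-01", "CORP\\vc-admins"): ("No access", False),
    # A new principal with no entry of its own on the CVM:
    ("cluster-01", "rescue@vsphere.local"): ("Administrator", True),
}

# Constructed group membership: user -> groups
GROUPS = {"CORP\\alice": {"CORP\\vc-admins"}}


def effective_roles(user, obj, perms=PERMS):
    """Return the set of roles that apply to `user` on `obj`."""
    node, inherited = obj, False
    while node is not None:
        def applies(principal):
            entry = perms.get((node, principal))
            # An entry on an ancestor counts only if it propagates.
            return entry is not None and (entry[1] or not inherited)

        if applies(user):
            # A user entry beats any group entry on the same object.
            return {perms[(node, user)][0]}
        roles = {perms[(node, g)][0] for g in GROUPS.get(user, ()) if applies(g)}
        if roles:
            # The nearest object with a matching entry wins over its parents.
            return roles
        node, inherited = PARENT[node], True
    return set()


if __name__ == "__main__":
    for who in ("administrator@vsphere.local", "CORP\\alice", "rescue@vsphere.local"):
        print(who, "->", effective_roles(who, "cvm-01"))
```

The override is keyed to the principal, so a review for this kind of lockout should list object-level entries that assign "No access" to administrative users or groups.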