VMware Cloud Community
Crusez
Contributor

Unable to view VM due to permissions

Good Evening,

One of my admins accidentally applied the "no access" permission to a Nutanix CVM for the administrator@vsphere.local account. Thus we are unable to view or make any changes to the VM. We were in the process of upgrading the memory on our CVMs, but can't even view the 1 CVM in question due to permissions.

Is there a way to reset the permissions on this VM to where administrator@vsphere.local or another account can view or make changes to it? Possibly via the CLI?

Let me know your thoughts.

I have been beating my head on this for a few hours.

Thank you in advance!


Accepted Solutions
Crusez
Contributor

I was able to correct the issue by creating a new @vsphere.local account on the cluster and propagating the permissions down to the VMs. Thanks for your help gentlemen.

RickVerstegen
Expert

Have you set up AD integration and configured domain accounts with admin permissions? Then you are able to log in with that and change the permissions for that particular VM. Or is administrator@vsphere.local the only account to be able to change permissions? If so, I guess you are out of luck.

Was I helpful? Give a kudo for appreciation!
Blog: https://rickverstegen84.wordpress.com/
Twitter: https://twitter.com/verstegenrick
Crusez
Contributor

Yes, AD has been integrated in my vCenter and we did set up a group with admin permissions.

But the admin permissions are not set on this particular VM. Do I add another AD account with administrator permissions and set that globally? Will those permissions propagate to the VM?

RickVerstegen
Expert

What about logging in with an account from that group with admin permissions, and then setting the permissions on that particular VM back for administrator@vsphere.local?

Crusez
Contributor

Appears my admin gave the "no access" on the VM for the admin group as well. So basically the admin group and administrator@vsphere.local have no access permissions on this 1 VM. Shouldn't newly created accounts or groups that have administrator privileges on the host with the "propagate to children" propagate onto the VM in question?

Thanks,

sk84
Expert

If you create a user or group permission on a parent object (for example a host, cluster or vCenter), you have the possibility to activate the option "Propagate to children". So these permissions automatically apply to all dependent child objects (clusters, hosts or VMs).

But permissions on a child object can always override the permissions of a parent object. For example, group A has the role "Administrators" on the cluster level (and is propagated to all children) and you set the permissions on a particular VM to "read-only" for this group A. So, group A only has read-only rights on this VM. But if you remove this permission on the VM, the users of group A have administrative permissions again on this VM.

See: Hierarchical Inheritance of Permissions

---
Regards, Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
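The override behaviour described in the reply above, as an added example that is not part of any post in this thread and is not VMware code. It is a simplified Python model of permission resolution; it also covers the documented vSphere rule that a user entry takes precedence over group entries on the same object. The inventory names, the `CORP\vc-admins` group and the `recovery@vsphere.local` account are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    principal: str          # user or group the entry is assigned to
    role: str               # role name as used in the thread
    propagate: bool = True  # "Propagate to children"

def effective_roles(path, perms, user, groups=()):
    """Roles `user` ends up with on the last object of `path` (root -> target)."""
    target = path[-1]
    # Walk from the target towards the root: the nearest object with a
    # matching entry decides, so a child entry overrides the parent's.
    for obj in reversed(path):
        entries = [p for p in perms.get(obj, []) if obj == target or p.propagate]
        direct = {p.role for p in entries if p.principal == user}
        if direct:
            return direct       # user entry beats group entries on one object
        via_groups = {p.role for p in entries if p.principal in groups}
        if via_groups:
            return via_groups   # several matching groups: roles are combined
    return set()                # nothing applies: the object stays hidden

# Constructed inventory and principals (assumptions, not from the thread).
PATH = ["vcenter", "cluster01", "cvm-01"]
ADMIN, GROUP, NEW = "administrator@vsphere.local", "CORP\\vc-admins", "recovery@vsphere.local"

def scenario():
    perms = {
        "cluster01": [Permission(ADMIN, "Administrator"), Permission(GROUP, "Administrator")],
        "cvm-01": [Permission(ADMIN, "No access"), Permission(GROUP, "No access")],
    }
    out = {
        "admin": effective_roles(PATH, perms, ADMIN),
        "group_member": effective_roles(PATH, perms, "CORP\\alice", [GROUP]),
    }
    # A principal with no entry on the VM inherits from the cluster.
    perms["cluster01"].append(Permission(NEW, "Administrator"))
    out["new_account"] = effective_roles(PATH, perms, NEW)
    # Removing the VM-level entries restores the inherited role.
    perms["cvm-01"] = []
    out["admin_after_cleanup"] = effective_roles(PATH, perms, ADMIN)
    return out

if __name__ == "__main__":
    for who, roles in scenario().items():
        print(f"{who:20} {sorted(roles)}")
```

For access reviews, the takeaway is that object-level entries have to be audited alongside the propagated ones, since a single child entry silently changes what a parent-level Administrator role grants.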
Crusez
Contributor

sk84, I gave a new user administrator access on the cluster, and the permissions did not propagate to the VM in question.

Any other ideas?

RickVerstegen
Expert

Glad we could help. Please close this discussion.
