Solved: Re: Adding users to administrator group doesn't gi...

mephistopoa · ‎07-01-2019

I'm trying to use groups to manage permissions on my vcenter 6.7 lab.If I add users to the builtin Administrators group, nothing happens. I've noticed administrator@vsphere.local account is give administrator role across everything on vcenter, while is also part of the administrator group. Why is that like this? I would expect as long if you are member of a group, then those permissions should apply and there is no need to setup explicit user permissions at any object level.

If I assign users individually permissions on objects it works fine, but when the permissions are setup only at group level, it doesn't work.

Could someone please explain me why this is happening and how to use groups properly to manage permissions going forward?

Thank you!

mephistopoa · ‎07-03-2019

so it seems it was a bug with vcenter 6.7 version I was using or a reboot resolved the problem. I updated it to latest build which also triggered a reboot and now groups as working as it should have been, the procedure I'm doing now is exactly the same as before so clearly bug/update/reboot related. Thanks for your help guys!

---------------------------------------------------------------------------------------------------------

Was it helpful? Let us know by completing this short survey here.

View solution in original post

Deso1ator · ‎07-01-2019

Here's what I recommend.

-Create an AD group

-Put users in this group

-Assign the AD group permissions at the highest level object they need permissions

-Check the box to propagate permissions to child resources

That built in Administrator group is not for permissions on objects.

"You can assign vCenter Single Sign On administrator privileges to users who are allowed to manage the Single Sign On server. These users might be different from the users that administer vCenter Server."

VMware vSphere 5.1

LokeshHK · ‎07-01-2019

Hi,

Could you please check administrators@vsphere.local group is present in permissions tab?

or create a new group and provide administrator role for the group and try?

Regards

Lokesh

mephistopoa · ‎07-01-2019

This is for testing, so at the moment I'm not using AD. I'm trying to add users in any way I can at least prove groups work. So far not even something as basic as adding users to the builtin administrators group in vcenter single sign on groups worked, so that means I'm doing something stupidly wrong or indeed groups do not work.

Already already tested propagate to child objects, no luck. The administrator builtin group is already setup for that so it doesn't really matter I guess?

I'm using vcenter 6.7 by the way with web console

mephistopoa · ‎07-01-2019

administrators group is present everywhere in vcenter, it is the default administrators group.

I've created already a new group and assigned users to it, then added the group to permissions tab of vcenter at root level and propagated, no change. I've also tried global groups, no change as well

Deso1ator · ‎07-01-2019

"I've created already a new group and assigned users to it, then added the group to permissions tab of vcenter at root level and propagated, no change. I've also tried global groups, no change as well"

What role did you assign?

mephistopoa · ‎07-03-2019

so it seems it was a bug with vcenter 6.7 version I was using or a reboot resolved the problem. I updated it to latest build which also triggered a reboot and now groups as working as it should have been, the procedure I'm doing now is exactly the same as before so clearly bug/update/reboot related. Thanks for your help guys!

---------------------------------------------------------------------------------------------------------

Was it helpful? Let us know by completing this short survey here.

Deso1ator · ‎07-03-2019

You're welcome. Glad to hear it's working for you now.

All

Adding users to administrator group doesn't give them any permissions to see vcenter objects