I'm trying to use groups to manage permissions on my vCenter 6.7 lab. If I add users to the built-in Administrators group, nothing happens. I've noticed the administrator@vsphere.local account is given the administrator role across everything on vCenter, while it is also part of the administrator group. Why is it like this? I would expect that as long as you are a member of a group, those permissions should apply and there is no need to set up explicit user permissions at any object level.
If I assign users permissions individually on objects it works fine, but when the permissions are set up only at group level, it doesn't work.
Could someone please explain to me why this is happening and how to use groups properly to manage permissions going forward?
Thank you!
Here's what I recommend.
- Create an AD group
- Put users in this group
- Assign the AD group permissions at the highest level object they need permissions
- Check the box to propagate permissions to child resources
That built-in Administrator group is not for permissions on objects.
"You can assign vCenter Single Sign On administrator privileges to users who are allowed to manage the Single Sign On server. These users might be different from the users that administer vCenter Server."
Hi,
Could you please check whether the administrators@vsphere.local group is present in the Permissions tab?
Or create a new group, give the group the administrator role, and try?
Regards
Lokesh
This is for testing, so at the moment I'm not using AD. I'm trying to add users in any way I can to at least prove groups work. So far not even something as basic as adding users to the built-in administrators group in vCenter Single Sign-On groups worked, so that means I'm doing something stupidly wrong or indeed groups do not work.
I already tested propagating to child objects, no luck. The administrator built-in group is already set up for that, so it doesn't really matter I guess?
I'm using vCenter 6.7, by the way, with the web console.
The administrators group is present everywhere in vCenter; it is the default administrators group.
I've already created a new group and assigned users to it, then added the group to the permissions tab of vCenter at root level and propagated, no change. I've also tried global groups, no change as well.
"I've already created a new group and assigned users to it, then added the group to the permissions tab of vCenter at root level and propagated, no change. I've also tried global groups, no change as well."
What role did you assign?
So it seems it was a bug with the vCenter 6.7 version I was using, or a reboot resolved the problem. I updated it to the latest build, which also triggered a reboot, and now groups are working as they should have been. The procedure I'm doing now is exactly the same as before, so it's clearly bug/update/reboot related. Thanks for your help, guys!
You're welcome. Glad to hear it's working for you now.