VMware Cloud Community
NFerrar
Enthusiast

Deployments from vRSLCM fail due to vCenter permissions

We have vRSLCM v8.6.2.0 deployed (as part of a VCF v4.4 deployment), but although the vRSLCM-to-vCenter role was created automatically and appears to have all the required permissions, when we do a vRealize product deployment it fails during the OVF deployment stage (this happened for Workspace ONE Access, vRLI, vROPS and vRNI). Changing the integration user's global permission from the automatically created role group "vRealize Suite Lifecycle Manager to vSphere Integration" to "Administrator" allows it to work, but we don't want to leave that in place permanently.

We could just change it to Administrator for deployments and change it back straight after, but I'd rather fix the underlying issue (especially if other things we haven't noticed aren't working correctly either due to missing permissions). I did add some extra permissions to the "vRealize Suite Lifecycle Manager to vSphere Integration" role (after I googled some lab deployments), but that didn't help (and all the permissions in KB 2105932 are there).

7 Replies
stitch_626
Contributor

Did you get the info to resolve this, or did you just end up giving it admin?

NFerrar
Enthusiast

We just give it admin rights before doing any deployments from vRSLCM (and probably will for upgrades in future) and then return it to its custom role afterwards. I should probably raise an SR for it...

mannharry
Hot Shot

Hello,

That's actually how it works, since if we are doing any task from vRSLCM to the vRealize Suite of products it needs admin access.

Snapshots, power off/on, adding a new node, deleting the environment (deleting the VMs): all of this can be achieved only if you have admin access.

It's recommended not to make any changes to the vRSLCM user.

Regards

Harry

NFerrar
Enthusiast

But why does the deployment process create a new role in vCenter for the user if that role doesn't have the permissions the user needs? Even if that role provides the correct permissions for 99% of operations, it should at least be documented that for deployment operations you need to grant it the Administrator role in vCenter first (I'm not aware that's documented anywhere).

mannharry
Hot Shot

It must be created with admin privileges; not sure what went wrong in your case.

NFerrar
Enthusiast

But SDDC Manager creates the role itself in vCenter when you deploy vRSLCM from it; it's not one you create manually. That role has extensive permissions, but not the same amount as the Administrator role has. I don't think anything has gone wrong as such (we see the same issue on 4 separate VCF environments we've deployed); it's just that the role doesn't have the rights it needs when vRSLCM is deploying vRealize Suite products (using the integration user that is assigned the "vRealize Suite Lifecycle Manager to vSphere Integration" role (this is as per design decisions VCF-VRS-vRSLCM-SEC-003 & VCF-VRS-vRSLCM-SEC-004 @ vRealize Suite Lifecycle Manager Design Decisions (vmware.com))).

We've not deployed/upgraded to v4.5 yet, so possibly the custom role is created with additional permissions in that version, but the documentation wording seems to be the same as for v4.4.

In reality it's not often that we deploy products through vRSLCM, so it's minimal hassle to temporarily change the vRSLCM-to-vSphere integration user to have the Administrator role when we do and then change it back after. It just caused confusion when we first encountered the issue, and I've not come across it documented in a KB or VMware's VCF deployment docs (which are generally excellent), but possibly I've missed it. Our deployments are VCF on VxRail, but I don't think that's relevant for this issue.

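The least-privilege alternative to the workaround discussed in this thread is to find out exactly which privileges the auto-created role lacks and add only those, rather than swapping the integration user to Administrator around each deployment. The PowerCLI script below is an added example, not code from any of the posts above and not part of vRSLCM, SDDC Manager or VMware's documentation. It assumes VMware.PowerCLI is installed, that Connect-VIServer has already been run against the vCenter that vRSLCM deploys into, and that the custom role carries the name the thread reports; the built-in Administrator role is exposed to PowerCLI under the name 'Admin'. The thread does not say which privilege the OVF deployment fails on, so the script reports the gap between the two roles and only adds privileges you pass in explicitly (the failed deploy task in vCenter's task list typically names the missing privilege in its NoPermission error).

```powershell
<#
Added example (hypothetical script, not from the thread or from VMware).
Lists every privilege the Administrator role holds that the
"vRealize Suite Lifecycle Manager to vSphere Integration" role does not,
and optionally adds a named subset of them to the custom role so the
integration user never has to be elevated to Administrator.
Assumes an existing Connect-VIServer session.
#>
param(
    [string]$CustomRoleName    = 'vRealize Suite Lifecycle Manager to vSphere Integration',
    [string]$ReferenceRoleName = 'Admin',   # built-in Administrator role as named in the API
    # Optional: privilege IDs to add to the custom role, e.g. the one reported by
    # the failed deployment task. Nothing is changed when this is empty.
    [string[]]$AddPrivilegeIds = @()
)

$customRole    = Get-VIRole -Name $CustomRoleName    -ErrorAction Stop
$referenceRole = Get-VIRole -Name $ReferenceRoleName -ErrorAction Stop

# Privilege IDs have the form 'Category.Action', e.g. 'Datastore.AllocateSpace'.
$customPrivs    = @(Get-VIPrivilege -Role $customRole    | Select-Object -ExpandProperty Id)
$referencePrivs = @(Get-VIPrivilege -Role $referenceRole | Select-Object -ExpandProperty Id)

# Everything Administrator has that the integration role is missing.
$missing = @($referencePrivs | Where-Object { $_ -notin $customPrivs } | Sort-Object)

"{0} privileges in '{1}' are absent from '{2}':" -f $missing.Count, $ReferenceRoleName, $CustomRoleName
# Group by category so the output is readable on a role with hundreds of privileges.
$missing | Group-Object { ($_ -split '\.')[0] } | Sort-Object Name | ForEach-Object {
    "  {0,-28} {1}" -f $_.Name, ($_.Group -join ', ')
}

# Widen the role by the specific privileges requested, skipping any it already has.
$toAdd = @($AddPrivilegeIds | Where-Object { $_ -notin $customPrivs })
if ($toAdd.Count -gt 0) {
    $privObjects = Get-VIPrivilege -Id $toAdd
    Set-VIRole -Role $customRole -AddPrivilege $privObjects | Out-Null
    "Added to '{0}': {1}" -f $CustomRoleName, ($toAdd -join ', ')
}
```

Run it once with no arguments to see the gap, then re-run with `-AddPrivilegeIds` set to the privilege ID(s) named in the failed task (an ID in the 'Category.Action' form shown in the report). Re-running the script afterwards is also a cheap drift check: if someone forgot to revert the user after a deployment, the role itself is unchanged, so pair it with a review of the integration user's global permission assignment, which this script does not inspect.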
mannharry
Hot Shot

I have specifically deployed VCF-aware vRSLCM and have imported the products into that, and have also seen some use cases where a new deployment was done for vRA and it succeeded; if it was an issue, it would have been a major one by now.

I will check more on this if possible.
