VMware Cloud Community
rgb99
Enthusiast

Principal Not Found in UI

I ran an Export Roles & Permissions script from  https://communities.vmware.com/t5/VMware-PowerCLI-Discussions/Export-Roles-Permissions-Privileges-Ex... against our vCenter Servers. There is one particular Principal that I can't find at all in the vCenter UI, but I'd like to remove it. Can it be done via PowerCLI, and how?

[attached screenshot: rgb99_1-1665605653200.png]

Thanks!

12 Replies
LucD
Leadership

That looks like a Role that is defined on the hidden folders.
Is that assigned to a builtin user/group?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

rgb99
Enthusiast

No. The role is assigned to an AD group. I can't find that AD group anywhere, and propagation for the host, network, datastore, and vm is set to true. I don't know where to find "host, network, datastore, and vm" within vCenter. It seems like it's orphaned but it's still in the export report and in the UI. I can't clean it up.

LucD
Leadership

Those are hidden folders, but they do exist.

You can see those permissions by using such a hidden folder.

$dcName = 'DC'

Get-Datacenter -Name $dcName | Get-Folder -Name vm | Get-VIPermission


"The role is assigned to an AD group."

I assume you mean there is a permission on the hidden folders using a specific Role where the Principal is an AD account.
Not sure what you mean by "I can't find that AD group anywhere"?
Since that permission is on a hidden folder, you will not be able to see it via the Web client.

rgb99
Enthusiast

I tried your commands for each Datacenter and the Principal was not listed.

I also tried the below

Get-VIPermission -Principal "domain\group" |Select *
Get-VIPermission -Principal "domain\group" | Remove-VIPermission
Perform operation?
Removing permission on entity 'Folder-group-h23' for principal 'domain\group' and role 'VM Admins'.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Remove-VIPermission : 10/13/2022 2:54:25 PM     Remove-VIPermission             The specified entity 'host' is a direct child folder of a
Datacenter. This object always has the same permissions as its parent.
At line:1 char:56
+ ... IPermission -Principal "domain\group" |Remove-VIPermission
+                                                       ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (VMware.Vim.ManagedEntity:ManagedEntity) [Remove-VIPermission], VimException
    + FullyQualifiedErrorId : Client20_InventoryServiceImpl_TryGetEntityId_DatacenterFolder,VMware.VimAutomation.ViCore.Cmdlets.Commands.PermissionManagement.RemoveVIPermission
LucD
Leadership

That message seems to indicate the permission was given on the Datacenter, or even on the vCenter level.

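The following PowerCLI script is an added example and is not code from LucD's reply or from rgb99's post. It ties together LucD's suggestion of listing the permissions on the hidden folders with the error rgb99 hit: a direct child folder of a Datacenter (vm, host, network, datastore) always mirrors its parent's permissions, so a permission reported on such a folder has to be removed from the Datacenter (or the vCenter root) that actually owns it. The script lists every explicit permission for one principal, resolves entries on hidden folders to the owning entity, and removes them there with -WhatIf so nothing is deleted until the report has been reviewed. The $principal value is a placeholder, and the use of ExtensionData.Parent with Get-View and Get-VIObjectByVIView to walk up to the parent is my assumption about how to reach the owning object.

```powershell
# Added example (not LucD's or rgb99's code). Assumes an active Connect-VIServer
# session and that $principal is the exact Principal string from the export.
$principal = 'domain\group'   # placeholder: replace with the principal from the report

# Every explicit permission the principal holds, on any inventory entity.
$perms = Get-VIPermission -Principal $principal
if (-not $perms) {
    Write-Host "No explicit permission found for '$principal'"
    return
}

# Resolve each permission to the entity that really owns it. The hidden folders
# directly under a Datacenter cannot carry their own permissions; they always
# mirror the Datacenter, which is why Remove-VIPermission fails against them.
$report = foreach ($p in $perms) {
    $entity    = $p.Entity
    $owner     = $entity
    $parentRef = $entity.ExtensionData.Parent      # ManagedObjectReference of the parent, $null at the root

    if ($entity.Id -like 'Folder-*' -and $parentRef -and $parentRef.Type -eq 'Datacenter') {
        # vm/host/network/datastore folder: the removable copy lives on the Datacenter
        $owner = Get-VIObjectByVIView -VIView (Get-View -Id $parentRef)
    }

    [PSCustomObject]@{
        Principal  = $p.Principal
        Role       = $p.Role
        Propagate  = $p.Propagate
        Entity     = $entity.Name
        EntityId   = $entity.Id
        OwnedBy    = $owner.Name
        OwnerId    = $owner.Id
        Owner      = $owner                        # kept for the removal step below
    }
}

# Review where the permission is actually defined before touching anything.
$report | Select-Object Principal, Role, Propagate, Entity, EntityId, OwnedBy, OwnerId |
    Format-Table -AutoSize

# Remove the permission once per owning entity. Drop -WhatIf only after the
# report above shows the expected entities and roles.
$report | Group-Object -Property OwnerId | ForEach-Object {
    $owner = $_.Group[0].Owner
    $explicit = Get-VIPermission -Entity $owner -Principal $principal
    if ($explicit) {
        $explicit | Remove-VIPermission -WhatIf
    }
    else {
        # Nothing explicit on the owner either: the entry is inherited from higher
        # up (vCenter root or a global permission) and must be traced further there.
        Write-Host "No explicit permission for '$principal' on '$($owner.Name)' ($($owner.Id)); check the parent and Global Permissions"
    }
}
```

Run the script once with -WhatIf in place to get the report and the list of intended removals; the "no explicit permission on the owner" branch is the situation rgb99 describes, where the entry is visible on a hidden folder but not on the Datacenter, and is the point at which to look at the vCenter root and Global Permissions rather than keep retrying the folder.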
rgb99
Enthusiast

I have looked at the DC and vCenter levels, including the Global Permissions -- the AD group is not shown. Should I open a case with VMware?

LucD
Leadership

That seems to be your best option.

LucD
Leadership

On a side note, is that account perhaps the vCLSAdmin account?

rgb99
Enthusiast

No, it is not. It's a custom AD group. I will open a case with VMware and let you know the results.

rgb99
Enthusiast

If you're able to follow it, it's SR#22373715710.

LucD
Leadership

I'm afraid I can't; I'm not a VMW employee.

rgb99
Enthusiast

Well, there isn't much excitement about the resolution. The AD group that couldn't be found anywhere was assigned to a custom Role. There was another AD group assigned to the same role. We ended up assigning the visible AD group to another role and then deleted the existing role. That cleared up the issue but didn't explain how it couldn't be found anywhere.
