VMware Cloud Community
Dragonstrike
Contributor
Contributor

Account with administrator role doesn't have full right on a single virtual machine

My domain account has administrator role on vCenter, therefore I have full privilege on my vCenter environment.

But today I see that my account doesn't have full right on some single virtual machines.

I cannot move them among folders in VMs and Templates, cannot remove them out of Inventory to re-add them again, cannot migrate them..

pastedImage_0.png

Meanwhile, I have full privilege on all other virtual machines in the same folder and in vCenter environment as well.

This is strange, does anyone of you know why?

Thanks.

Reply
0 Kudos
10 Replies
npadmani
Virtuoso
Virtuoso

permission assigned at higher object levels can be overridden at lover object level for particular user account.

in vSphere Client, select your VM and navigate to Permissions Tab, see what's listed as associated role for your user account.

I am sure you will find that your user doesn't have effective administrator role on this VM.

Please also consider group membership for your user account. and roles associated with those groups on this VM.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
Reply
0 Kudos
Dragonstrike
Contributor
Contributor

Here is screenshot on permissions tab of the virtual machine which my account doens't have full right:

pastedImage_1.png

My user account is the entry in the bottom, it has administrator role on the whole vCenter, except some VMs like this one.

Reply
0 Kudos
npadmani
Virtuoso
Virtuoso

so, your user account is <yourdomain>\cqa

please double check if this account is already member of one of those group accounts which are also part of this permission tab. If you find this same user in any of those group, then check role associated with that group.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
Reply
0 Kudos
greco827
Expert
Expert

Make sure the access for the account is at the vCenter level and set to propagate.  Also, if it is just one VM, make sure it doesn't have an active task.  I've had this happen most commonly with a VMware Tools installation that hung, and while there was nothing in the tasks panel, the summary tab of the VM showed: Active Task: Installing VMware Tools.

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
Reply
0 Kudos
Dragonstrike
Contributor
Contributor

Hi,

yes, I've checked all that you suggested.

also checked all the roles. They looks ok. Administrator role is read-only and propagated, inherited to sub objects.

This issue is tricky Smiley Sad

Reply
0 Kudos
npadmani
Virtuoso
Virtuoso

and I guess you have also checked those bits addressed by greco827, like your VM doesn't have any active tasks stuck half way through.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
Reply
0 Kudos
Dragonstrike
Contributor
Contributor

Yes, of course.

No active tasks on it.

Reply
0 Kudos
greco827
Expert
Expert

I'm confused by this statement .... " Administrator role is read-only and propagated, inherited to sub objects."  Why is Administrator read-only?

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
Reply
0 Kudos
Dragonstrike
Contributor
Contributor

I mean that built-in role is non-editable.

pastedImage_0.png

Reply
0 Kudos
npadmani
Virtuoso
Virtuoso

Login using administrator@vsphere.local account, this will be full administrator on your vCenter inventory if there were no modifications done.

and you can correct role assignments.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
Reply
0 Kudos