We have recently upgraded our vCenter from 6.0 to 6.7, build 11727113. After the upgrade, we have experienced what seems to be a bug regarding assigning privileges to objects like VMs, or folders on vCenter.
My user is a part of a group 'Administrators', which has global Administrator Permissions.
The problem I am experiencing right after the upgrade is when I try to add permissions to a local vCenter user using my administrator account, I get the following error:
"The requested change cannot be completed because it could leave the system without full administrative privileges for a user or group."
After doing a bit of googling I stumbled on the only post that addresses the error: VMware Knowledge Base
From what it seems like, it has nothing to do with the issue I have, since I am not trying to do anything with users that have global permissions; I am just trying to give some permissions to the newly created user on vCenter. This makes the infrastructure virtually unusable, and the only right way I see is to just reinstall vCenter (which will require downtime that I would really like to avoid), and even that might not solve the issue.
My colleague has recently tried to reproduce the issue with the same vCenter, and he didn't have the same issue. So the issue might be specifically in the upgrade process and not in a fresh install.
What we found different, is that global permissions on our infrastructure currently look something like this:
And this is what a fresh install looks like:
We used the "Migrate to the vCenter Server Appliance" article (VMware vSphere Blog) to migrate.
I have this same issue now that I've upgraded to 6.7U1 from 6.5. The vCenter object is not showing Global Permission inheritance under the "Permissions" tab. I can add a user to the Global Permissions as Administrator but with no inheritance the permissions are applied to the child objects. I cannot add them to the vCenter object, datacenter object, cluster object, etc. without the error message you are receiving.
Before doing the upgrade this user was in the Global Permissions area as Administrator and could log in to vCenter.
I think overall that is just a migration process problem. We ended up deciding to install 6.7 clean and manually transfer the configuration.
Some things like folder structures could be migrated from the old infrastructure with PowerCLI (there are a couple of articles on that).
Overall, this seems to be a very recent issue, since I couldn't find anything related to it.
I upgraded an identical vCenter on a different network at the same time and do not have permission issues; very frustrating.
I have a support ticket open with VMware with a call scheduled for tomorrow. I'll report back if we find any solutions.
VMware could not find a solution during our support call. With no confidence in the vCenter installation I opted to start from scratch. My new vCenter is working great.
There seems to be some issue with the migration process, probably tied to the internal PSC. I provided all the logs I could to the engineer with the hopes that in future releases this issue will be solved.
We encountered this issue when updating 6.7 and Level 2 support resolved this issue and reported the following:
Found 3 entries for SSO administrator in accounting vcenter database and cleared 2 extra entries from the database.
I know this is an old thread but I'm working on a 6.7 system and am having the exact same issue. Wonder if anyone has steps to check database entries as posted above? Or anything else to try?
In case anyone sees this thread in the future here's what I did to fix it.
1. Take a snapshot of the vCenter server.
2. Connect to vCenter database:
root@VCSA [~]# /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres
3. Run the following SQL query to show SSO Administrator account info:
VCDB=# Select id, principal, role_id, entity_id, flag, surr_key from vpx_access;
4. You may see multiple entries for the SSO Administrator account. You need to delete the extras, leaving only the first entry (in the example below we'll delete 706 and 1201):
  id  | principal                   | role_id | entity_id | flag | surr_key
------+-----------------------------+---------+-----------+------+----------
    1 | VSPHERE.LOCAL\Administrator |      -1 |         1 |    1 |        1
  410 | VSPHERE.LOCAL\AdminCDW      |      -1 |        30 |    1 |        6
  411 | VSPHERE.LOCAL\AdminCDW      |      -1 |        48 |    1 |        7
  412 | VSPHERE.LOCAL\AdminCDW      |      -1 |        36 |    1 |        8
  706 | VSPHERE.LOCAL\Administrator |      -1 |     20495 |    1 |       10
 1201 | VSPHERE.LOCAL\Administrator |      -1 |         1 |    1 |       15
5. Stop the VPXD service:
root@VCSA [~]# service-control --stop vmware-vpxd
6. Delete the extra SSO Administrator entries:
VCDB=# Delete From vpx_access WHERE id in (706,1201);
7. Exit the SQL prompt:
8. Start the VPXD service:
root@VCSA [~]# service-control --start vmware-vpxd
9. You should now be able to modify permissions.
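Added here as an example, not the poster's steps or a VMware procedure: the same cleanup as steps 3 to 8 above, but finding the duplicate rows by query instead of reading ids off the screen, and running inside a transaction so the remaining rows can be inspected and the change rolled back if anything looks wrong. It assumes the vpx_access columns shown in the listing above; that role_id -1 is the Administrator role and entity_id 1 the root folder is an assumption about VCDB, not something stated in the thread. Take the snapshot (step 1) and stop vmware-vpxd (step 5) before running it.

```sql
-- Added example (not from the original post). Run in psql against VCDB with
-- vmware-vpxd stopped. Everything happens in one transaction so you can
-- ROLLBACK instead of COMMIT if the results are not what you expect.
BEGIN;

-- 1. List every (principal, role_id, entity_id, flag) combination that appears
--    more than once, with the ids of all copies. These are the exact duplicates.
SELECT principal, role_id, entity_id, flag,
       array_agg(id ORDER BY id) AS ids,
       count(*)                  AS copies
FROM   vpx_access
GROUP  BY principal, role_id, entity_id, flag
HAVING count(*) > 1;

-- 2. Remove every copy except the lowest id in each duplicate group.
--    Rows that only share the principal but point at a different object
--    (like id 706 in the listing above, with its own entity_id) are NOT touched
--    here; delete those explicitly, as in step 6, only if support confirms they
--    are stale.
DELETE FROM vpx_access a
USING  vpx_access b
WHERE  a.principal = b.principal
  AND  a.role_id   = b.role_id
  AND  a.entity_id = b.entity_id
  AND  a.flag      = b.flag
  AND  a.id        > b.id;

-- 3. Sanity check before committing. Assumption: role_id -1 is Administrator
--    and entity_id 1 is the root folder. If this returns 0, the database now
--    has no full administrator on the root and vpxd will keep refusing
--    permission changes: run ROLLBACK; and investigate instead.
SELECT count(*) AS admin_rows_on_root
FROM   vpx_access
WHERE  role_id = -1
  AND  entity_id = 1;

-- 4. Confirm exactly one row per combination remains (expect no output).
SELECT principal, role_id, entity_id, flag, count(*)
FROM   vpx_access
GROUP  BY principal, role_id, entity_id, flag
HAVING count(*) > 1;

-- Only commit once steps 3 and 4 look right; otherwise ROLLBACK;
COMMIT;
```

The self-join DELETE keeps the lowest id per group, which matches the post's "leave only the first entry". Keeping the work in a transaction matters because the error in the original post is vpxd's guard against exactly the state an over-eager DELETE would produce: a vCenter with no remaining Administrator assignment.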