VMware Cloud Community
vadm168
Enthusiast

Lower level permissions not working?

VCSA 6.5

Hi,

My vCenter has several datacenters below it. I've granted a manager the Administrator role at datacenter_1. However, when he tried to add an Active Directory user, it throws this error:

The "Add permission" operation failed for the entity with the following error message.

Not enough privileges to execute this action.

It seems that even the Administrator role at that particular datacenter level is not sufficient to grant users permissions on the objects in that datacenter? If so, how do I work around this without giving the manager too many permissions on other datacenters and at the vCenter level?

Thanks,

5 Replies
GayathriS
Expert

This may add some info here:

Best Practices for Roles and Permissions

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

regards

Gayathri

Vijay2027
Expert

I just verified in my lab and was able to grant users permissions to the objects in that datacenter (not at the datacenter level, but at the cluster level and its children).

admin1 with administrator privilege at DC level.

Was able to add user admin2 at cluster level.

However, it fails with the same error you mentioned when adding a user at the DC level.

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

vadm168
Enthusiast

Hi Gayathri,

Thanks for the link but I don't see any best practice that can explain this. I think it makes perfect sense for an admin at the data center level to be able to grant other users permissions to the data center itself as needed but it does not seem to be working.

Hi Vijay2027,

Thanks for confirming that granting users permissions on objects below the data center works. I just don't understand why it does not allow adding users at the data center level. If I have 10 clusters in the data center, it means I have to add the same user 10 times, once to each cluster, in order to give the user "full" administrator rights to all resources under the data center. It does not quite make sense to me...

Thanks,

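The workaround Vijay2027 confirmed and vadm168 describes above (granting the same principal on every cluster under one datacenter, rather than at the datacenter itself) is tedious and error-prone by hand, and it is easy to end up with one cluster missed or a stray grant at the vCenter root. The PowerCLI script below is an added example, not code from any post in this thread or from VMware: it assigns the built-in Administrator role on each cluster under a named datacenter, skips clusters where the principal already holds a role, and then reports whether the same principal also holds a permission at the root object. The vCenter hostname, the AD account `CORP\manager` and the `-Apply` switch are placeholders and assumptions for this example; `datacenter_1` is the name used in the thread.

```powershell
# Added example (not from the thread or from VMware): grant a manager the
# Administrator role on every cluster under one datacenter, then audit
# whether the same principal also has rights at the vCenter root object.
# Assumes PowerCLI is installed and a vCenter is reachable. The server name
# and principal below are placeholders.

param(
    [string]$VCenter    = 'vcsa.example.invalid',   # placeholder vCenter host
    [string]$Datacenter = 'datacenter_1',           # datacenter name from the thread
    [string]$Principal  = 'CORP\manager',           # placeholder AD account
    [string]$RoleName   = 'Admin',                  # built-in Administrator role
    [switch]$Apply                                  # without -Apply, only report
)

Connect-VIServer -Server $VCenter | Out-Null

$dc       = Get-Datacenter -Name $Datacenter
$role     = Get-VIRole -Name $RoleName
$clusters = Get-Cluster -Location $dc

foreach ($cluster in $clusters) {
    # Check what this principal already holds on the cluster before touching it.
    $existing = Get-VIPermission -Entity $cluster |
                Where-Object { $_.Principal -eq $Principal }

    if ($existing) {
        Write-Host "$($cluster.Name): $Principal already has role '$($existing.Role)'"
        continue
    }

    if ($Apply) {
        # Propagate so that hosts, VMs and child objects inherit the grant.
        New-VIPermission -Entity $cluster -Principal $Principal -Role $role -Propagate:$true | Out-Null
        Write-Host "$($cluster.Name): granted '$RoleName' to $Principal (propagating)"
    } else {
        Write-Host "$($cluster.Name): would grant '$RoleName' to $Principal (run with -Apply)"
    }
}

# Audit: a grant at the root object would give the principal rights over every
# datacenter, which is what the original question is trying to avoid.
$rootFolder = Get-Folder -NoRecursion
$rootPerms  = Get-VIPermission -Entity $rootFolder |
              Where-Object { $_.Principal -eq $Principal }

if ($rootPerms) {
    Write-Warning "$Principal also holds '$($rootPerms.Role)' at the vCenter root object"
} else {
    Write-Host "No root-level permission found for $Principal"
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without `-Apply` to see which clusters would change, then with `-Apply` to make the grants. Re-running it after a new cluster is added to the datacenter only touches that cluster, so the manager's rights stay consistent across all of them without anyone granting the role any higher in the inventory.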
gvs_rambabu
Contributor

Hi vadm168,

Not sure if you managed to resolve the issue; however, I just wanted to mention, as pointed out in the best practices:

++

Use caution when adding a permission to the root vCenter Server objects. Users with privileges at the root level have access to global data on vCenter Server, such as roles, custom attributes, and vCenter Server settings.

++

I've noticed that even after adding a USER with permission (as ADMINISTRATOR) at the root object (vCenter Server) level, one still does not see this USER added or listed under "Global Permissions" (under Home > Administration > Access Control), which makes sense, and I hope this is the case with you too.

I see that if this user is added globally, that should do the trick. :)

Yes, I don't however get VMware's thought process behind having to do this when one needs to deal only with a specific vCenter instance and not globally!

Scottie
Contributor

I had to log in with the VMware vCenter Single Sign-On account and password before it would let me create new roles. :-/
