VMware Cloud Community
kernelphr34k
Contributor

Permission To Perform this operation was denied as an admin

Hi All,

I have another admin who is trying to modify permissions of a user on a specific datacenter who is getting the following error:

#############################################################################################

Permission To Perform this operation was denied

You do not hold privilage "Permissions > Modify permisssions" on datacenter " Test"

Error Stack:

Call "AuthorizationManager.SetEntityPermissions" for object "AuthorizationManager" on vCenter Server "vCenter Server FQDN" failed.

#############################################################################################

My other administrator we will call Suzy has the admin role for the datacenter she admins. She is trying to change the role of a user from "Virtual Machine User" to "Virtual Machine Power user" and getting the above error.

I'm also an admin and I was able to make the change... I'm set as admin in the admin group on the vCenter server vs Suzy is set as admin via a role in vCenter. AFAIK, this should have no ill effect.

I'm stumped, any ideas, suggestions?

Environment:

vCenter Server 5.0.0, 623373

4 Replies
TheAbstract
Enthusiast

So in your Datacenter you've got a user or group with the administrator role assigned (of which Suzy is a member). Are the permissions propagating to child objects? Because the local administrators group has access defined at the VC level and it propagates to everything by default.

I got 99 problems and a vSwitch ain't one.
kernelphr34k
Contributor

TheAbstract, Thanks for the reply!

The 'administrator' role for Suzy is propagated at the datacenter and to all child objects in it.. Same as the other user she is trying to change. She is trying to change the role for a user in the same datacenter.

TheAbstract
Enthusiast

Are there any other overriding permissions lower in the tree? E.g., is Suzy a member of the Read-Only group somewhere?

It might be a good time to look at auditing your vSphere permissions, creating a new AD group (Local vCenter Server Admins (or something)) and giving it Admin rights to your vCenter objects, making sure it works and then removing the permissions to vCenter from the local Administrators group. Creating a read only AD group (vCenter Read only) and applying it to the vCenter objects and so on and so forth.

I got 99 problems and a vSwitch ain't one.
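
The override question raised in the reply above can be reasoned about with vSphere's documented precedence rules: an entry on a child object overrides one propagated from a parent, a user entry beats group entries on the same object, and multiple group entries on one object are unioned. This is an added example, not part of the original thread: a simplified Python model in which the inventory, groups, role contents, permission entries and the helper name `effective` are all constructed for illustration.

```python
# Simplified model of vSphere permission resolution. Inventory, groups, role
# contents and entries are constructed for illustration, not from the thread.
from dataclasses import dataclass

MODIFY = "Authorization.ModifyPermissions"  # privilege behind "Modify permission"
ROLES = {  # abbreviated, constructed privilege sets
    "Admin": {"System.Read", MODIFY},
    "ReadOnly": {"System.Read"},
}
PARENT = {"vm01": "Test", "Test": "root", "root": None}  # child -> parent

@dataclass(frozen=True)
class Perm:
    entity: str
    principal: str
    is_group: bool
    role: str
    propagate: bool

PERMS = [
    Perm("root", "Auditors", True, "Admin", False),    # not propagated
    Perm("Test", "DC-Admins", True, "Admin", True),
    Perm("Test", "bob", False, "ReadOnly", True),      # direct user entry
    Perm("vm01", "AllStaff", True, "ReadOnly", True),  # lower in the tree
]

def effective(perms, user, groups, entity):
    """Return (privileges, entity where the winning entries are defined)."""
    node = entity
    while node is not None:
        # Entries on the object itself apply; ancestor entries only if propagated.
        here = [p for p in perms
                if p.entity == node and (node == entity or p.propagate)]
        direct = [p for p in here if not p.is_group and p.principal == user]
        via_group = [p for p in here if p.is_group and p.principal in groups]
        chosen = direct or via_group  # user entry beats group entries
        if chosen:  # nearest object with a matching entry wins
            return set().union(*(ROLES[p.role] for p in chosen)), node
        node = PARENT[node]
    return set(), None

if __name__ == "__main__":
    for who, grp in [("suzy", {"DC-Admins", "AllStaff"}), ("bob", {"DC-Admins"})]:
        for obj in ("Test", "vm01"):
            privs, src = effective(PERMS, who, grp, obj)
            print(f"{who:5} on {obj:5}: modify={MODIFY in privs} (from {src})")
```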
kernelphr34k
Contributor

TheAbstract, There are no overriding permissions lower in the datacenter tree. We are pretty anal with setting up permissions for anyone in our vcenter. We have 10+ Datacenters with at least 3-5 hosts in each. For this particular datacenter we have 3 people set with the 'administrator' role, and Suzy is one of them.

I had Suzy do more testing.. She can't add or change permissions at the Datacenter level... but within the datacenter she can modify and add users, change permissions etc.

I asked someone else within the same datacenter and same permissions as Suzy and he is able to modify users, add users and change their role. Very odd!

So two people with same permissions, one can add users and change permissions at the datacenter level, the other can't. VM support is only part of my job, so I'm not dedicated to fixing this effort 100% right now. But I do appreciate the help!
