VMware Cloud Community
kwg66
Hot Shot

VCSA permissions when using Web Client are not working correctly

I have attempted to deploy the VCSA 6.02 using the migration tool, Windows vCenter 5.5 u3a to VCSA 6.02. The migration went smoothly with a few ruffles due to poorly written documentation, but otherwise, smooth.

However, after extensive testing, my team and I have discovered that the permissions, when in the web client, don't work as expected. In fact, we have isolated the behavior down to exactly where it's broken. If your user account lies within an Active Directory group that has a hyphen in it, it doesn't seem to recognize the permission. My same account in a group without a hyphen works fine. The individual account outside of any group works fine. And within the fat client everything works fine.

Has anyone else run into this?  


Accepted Solutions
kwg66
Hot Shot

This issue was resolved by vm support - the Global permissions did not export from vCenter into VCSA during the migration. Once these permissions were recreated, everything worked as expected. After the global permissions were put in place, we still needed to perform the reconfig for various users on their objects as recommended, so partial points were awarded.

3 Replies
RAJ_RAJ
Expert

Hi,

Please log in with SSO Admin and reconfigure the permissions of users; it should resolve the issue.

kwg66
Hot Shot

Already tried that, it was a solution found in a post by Frank Denneman.   Didn't work.  This isn't the same issue. 

This issue is specific to accounts that reside in an AD group that has a hyphen in the name, such as vc-admins. When I take my individual account and add it directly to the object in the inventory it works, even though my account has a hyphen in it as well. When I take this same account and add it into a new group, without a hyphen in the name, it works.

Has anyone else experienced this?

Or - does anyone who currently uses the VCSA v6 have 5 minutes to create a new AD group with a hyphen in the name, add an account to it, assign that group permissions in vCenter inventory, then log in with that account and test it?

If I'm correct, you should be denied access to the inventory object in the web client, but not the thick.   (talking 6.02 where the thick client is still around and working).
