millaonline
Contributor

vCenter global permissions inheritance no longer working

Hi

We're in the process of installing a new vCenter environment. (vSphere 6.5 vCSA, ESXi 6.5 Hosts)

We have been configuring this new environment for 4 weeks, and everything seemed to be running without an error until now.

Error description:

In the vSphere Web Client (and also in the HTML5 client) I could no longer see that access roles are used at the global level (global permission). At first I thought it was a display error. But soon I could confirm that every new permission no longer has an effect. My tests on this error showed the following:

- New permissions on the global level no longer had an effect

- Access roles no longer showed the usage of this role at the global level

- When I create new permissions on the global level they are saved but not inherited. Additionally, a new permission at the vCenter level shows up. This new permission at the vCenter level is then shown under access role usage, but not the permission at the global level.

- Listing permissions with PowerCLI (get-vipermission) also didn't show the usage at the global level

- Comparing the access rights of this new 6.5 installation with another running 6.0 installation showed a difference in the default access rights. The right for the vSphere web client was set to the "ReadOnly" role at the global level. I tried to set it to the "Administrator" role, but this didn't have an effect. (Of course I rebooted the vCSA after changing that.)

Assumption:

Of course there is a chance that I made a mistake while creating new permissions. Especially the "ReadOnly" role for the vSphere web client makes me wonder.

But the situation is that somehow global settings are no longer inherited by lower-level objects in the vSphere hierarchy.

(Hierarchical Inheritance of Permissions for Content Libraries)

Of course I am asking for suggestions on what I can check to find the root cause of this problem and solve it.

Is there maybe a way to reset vCenter permissions to the default so I could start anew from scratch?

Best regards

Michael

millaonline
Contributor

In the meantime I could analyze this behavior with a fresh new install of a vCenter appliance. Luckily it seems to be only a display error of inherited global permissions. My first tests put me in the wrong direction because combined permissions from different roles and permissions set at different levels gave me random results.

After spending some time with a fresh new install in the lab I could no longer see a functional impact.

I've described the problem in detail with screenshots in a blog post.

Link->

Display errors of permissions in vCenter 6.5 – Milla´s Blog

I will open a case with VMware support soon. Hope they can repair this.
