VMware vSphere


Add Role is failed

  • 1.  Add Role is failed

    Posted Jul 26, 2018 01:23 AM

    I want to create a custom role.

    Open VMware Web Client, navigate to Manage > Security & Users > Roles.

    Then click Add role.

    I want the role to be able to change only the VM configuration (for example, change the VM memory).

    So, I only select VirtualMachine > Config

    Then Click Add.

    But it failed.

    What should I do?



  • 2.  RE: Add Role is failed

    Posted Jul 26, 2018 02:32 AM

    1) What is the vCenter version?

    2) To confirm, you are using the vCenter Web Client and not the host client right? The reason I'm asking this question is when you try to create a new role in the vCenter, it says 'Create Role'. In the host client, it says 'Add a role'. Here, you are using the Web client and the heading says 'Add a role'.

    3) Also, there is no Manage --> Security and Users tab in the Web Client. It is there in the host client.

    4) If using the host client, share the ESXi host version and the host client version.

    Cheers,

    Supreet



  • 3.  RE: Add Role is failed

    Posted Jul 26, 2018 07:25 AM

    I am using the host client.

    The ESXi version is 6.5



  • 4.  RE: Add Role is failed

    Posted Jul 26, 2018 04:08 PM

    I don't think this is an issue with the version of the host client. I was able to add the same role on the same version of ESXi host and the host client in my lab. Can you try to re-add the role, note down the exact time stamp and share the hostd.log file from the host?

    Cheers,

    Supreet



  • 5.  RE: Add Role is failed

    Posted Jul 27, 2018 01:47 AM



  • 6.  RE: Add Role is failed

    Posted Jul 27, 2018 02:17 AM

    Can you try to re-add the role, note down the exact time stamp and share the hostd.log file from the host?

    Cheers,

    Supreet



  • 7.  RE: Add Role is failed

    Posted Jul 27, 2018 02:47 AM

    I can't find log entries for the same time in the hostd.log file.

    How do I download hostd.log?



  • 8.  RE: Add Role is failed

    Posted Jul 27, 2018 02:56 AM

    Do you see an error "group lookup itpro\esxadmins failed"? Is that the same group you are trying to add?



  • 9.  RE: Add Role is failed

    Posted Jul 27, 2018 05:15 AM

    I am connected directly to ESXi.

    The user name is Root

    itpro.local is the domain name of my vCenter Server

    I am only creating a role.

    I am not granting it to a user.



  • 10.  RE: Add Role is failed

    Posted Jul 27, 2018 05:37 AM

    Are you able to create a role with different permissions? I tried to reproduce your issue in my lab, but I am not facing any issue. I am able to create the role successfully.



  • 11.  RE: Add Role is failed

    Posted Jul 30, 2018 05:20 AM

    I can't create a role with different permissions.



  • 12.  RE: Add Role is failed

    Posted Jul 27, 2018 03:22 AM

    You can either generate the complete log bundle, extract it on your system and locate the hostd.log file under var/run/log or connect to the host using WinSCP application, navigate to var/run/log and copy the hostd.log file to your system.

    Cheers,

    Supreet



  • 13.  RE: Add Role is failed

    Posted Jul 27, 2018 05:30 AM

    I have copied the hostd.log file from var/run/log.

    How do I upload it?

    I can't find today's log.

    I can't find log entries for the same time in the hostd.log file.



  • 14.  RE: Add Role is failed

    Posted Jul 27, 2018 04:06 PM

    The time stamp in the hostd.log will be in UTC time zone. I will validate the time stamp, no worries. You can attach the file from your comments box -

    Cheers,

    Supreet



  • 15.  RE: Add Role is failed

    Posted Jul 30, 2018 01:23 AM

    This is the log file.

    Thanks.

    My local time is Beijing time.



  • 16.  RE: Add Role is failed

    Posted Jul 30, 2018 08:03 PM

    Creation of the custom role is failing with an error related to Privilege Manager component -

    2018-07-27T17:32:17.737Z verbose hostd[D081B70] [Originator@6876 sub=PropertyProvider opID=a35b512f user=root] RecordOp ASSIGN: info, haTask--vim.AuthorizationManager.addRole-156497097. Applied change to temp map.

    2018-07-27T17:32:17.737Z info hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Activation [N5Vmomi10ActivationE:0x0c64c9d8] : Invoke done [addRole] on [vim.AuthorizationManager:ha-authmgr]

    2018-07-27T17:32:17.737Z verbose hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Arg name:

    --> "Operation"

    2018-07-27T17:32:17.737Z verbose hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Arg privIds:

    --> (string) [

    -->    "VirtualMachine.Config"

    --> ]

    2018-07-27T17:32:17.737Z info hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Throw vmodl.fault.InvalidArgument

    2018-07-27T17:32:17.737Z info hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Result:

    --> (vmodl.fault.InvalidArgument) {

    -->    faultCause = (vmodl.MethodFault) null,

    -->    faultMessage = <unset>,

    -->    invalidProperty = "privIds"

    -->    msg = ""

    --> ]

    Not sure what exactly it is failing for. As a workaround, create the custom role using the command line. Below are the steps -

    Step-1 --> Create a VM-Config privileges file under /tmp --> Run the command <vi /tmp/VMConfigPR.txt>

    Step-2 --> Open the VM-Config privileges file in a vi editor, paste the below content, save and exit out of the vi editor -

    VirtualMachine.Config.AddExistingDisk

    VirtualMachine.Config.AddNewDisk

    VirtualMachine.Config.AddRemoveDevice

    VirtualMachine.Config.AdvancedConfig

    VirtualMachine.Config.Annotation

    VirtualMachine.Config.CPUCount

    VirtualMachine.Config.ChangeTracking

    VirtualMachine.Config.DiskExtend

    VirtualMachine.Config.DiskLease

    VirtualMachine.Config.EditDevice

    VirtualMachine.Config.HostUSBDevice

    VirtualMachine.Config.ManagedBy

    VirtualMachine.Config.Memory

    VirtualMachine.Config.MksControl

    VirtualMachine.Config.QueryFTCompatibility

    VirtualMachine.Config.QueryUnownedFiles

    VirtualMachine.Config.RawDevice

    VirtualMachine.Config.ReloadFromPath

    VirtualMachine.Config.RemoveDisk

    VirtualMachine.Config.Rename

    VirtualMachine.Config.ResetGuestInfo

    VirtualMachine.Config.Resource

    VirtualMachine.Config.Settings

    VirtualMachine.Config.SwapPlacement

    VirtualMachine.Config.ToggleForkParent

    VirtualMachine.Config.UpgradeVirtualHardware

    **If you are not comfortable with the vi editor, download the file attached to this reply. I have created the file for you. You can just upload it to /tmp location on the ESXi host**

    Step-3 --> Create the role --> Run the command <vim-cmd vimsvc/auth/role_add VM-Config $(cat /tmp/VMConfigPR.txt | awk '$1=$1' ORS=' ')> --> VM-Config is the name of the role. Change it as required.

    Step-4 --> In the host client, go to Manage --> Security and Users --> Roles --> Refresh - New role should be listed.

    Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

    Cheers,

    Supreet
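
Added example (not part of the original thread and not VMware code): the failed addRole call quoted in reply 16 can be pulled out of a hostd.log mechanically by grouping entries on opID and attaching the "-->" continuation lines to the entry above them. The sample is an abridged copy of the lines quoted in that reply; the function name failed_calls and the header regex are assumptions based only on the line format visible there.

```python
import re
from collections import defaultdict

# Abridged copy of the hostd.log lines quoted in reply 16 (offline sample).
SAMPLE = """\
2018-07-27T17:32:17.737Z info hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Activation [N5Vmomi10ActivationE:0x0c64c9d8] : Invoke done [addRole] on [vim.AuthorizationManager:ha-authmgr]
2018-07-27T17:32:17.737Z verbose hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Arg name:
--> "Operation"
2018-07-27T17:32:17.737Z verbose hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Arg privIds:
--> (string) [
-->    "VirtualMachine.Config"
--> ]
2018-07-27T17:32:17.737Z info hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Throw vmodl.fault.InvalidArgument
2018-07-27T17:32:17.737Z info hostd[D081B70] [Originator@6876 sub=Solo.Vmomi opID=a35b512f user=root] Result:
--> (vmodl.fault.InvalidArgument) {
-->    invalidProperty = "privIds"
--> ]
"""

# Assumed header layout: timestamp, level, hostd[thread], [... opID=X user=Y], message.
HEADER = re.compile(r'^(?P<ts>\S+Z) \w+ hostd\[\w+\] \[.*?opID=(?P<op>\S+) user=(?P<user>[^\]]+)\] (?P<msg>.*)$')

def failed_calls(text):
    """Group hostd.log entries by opID; return only the calls that threw a fault."""
    ops, target = defaultdict(lambda: {"args": {}, "result": []}), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("-->"):            # continuation of the previous entry
            if target is not None:
                target.append(line[3:].strip())
            continue
        m = HEADER.match(line)
        target = None
        if not m:                             # entries without opID/user are skipped
            continue
        op, msg = ops[m["op"]], m["msg"]
        op.update(ts=m["ts"], user=m["user"])
        if inv := re.search(r"Invoke done \[(\w+)\]", msg):
            op["method"] = inv.group(1)
        elif msg.startswith("Arg "):
            target = op["args"].setdefault(msg[4:].rstrip(":"), [])
        elif msg.startswith("Throw "):
            op["fault"] = msg[6:]
        elif msg.startswith("Result:"):
            target = op["result"]
    for op in ops.values():                   # flatten the collected "-->" lines
        bad = re.search(r'invalidProperty = "([^"]+)"', " ".join(op.pop("result")))
        op["invalid_property"] = bad.group(1) if bad else None
        op["args"] = {k: re.findall(r'"([^"]*)"', " ".join(v)) for k, v in op["args"].items()}
    return {i: op for i, op in ops.items() if "fault" in op}

if __name__ == "__main__":
    print(failed_calls(SAMPLE))
```

Timestamps stay in UTC exactly as hostd writes them, so convert local time before searching for the attempt.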



  • 17.  RE: Add Role is failed

    Posted Jul 30, 2018 06:05 AM

    This is an ESXi 6.5 issue.

    Using ESXi 6.7, it is OK.



  • 18.  RE: Add Role is failed

    Posted Jul 30, 2018 11:00 AM

    I recommend applying the patches on the ESXi host.

    Please consider marking this answer "correct" or "helpful" if you think your question has been answered correctly.



  • 19.  RE: Add Role is failed

    Posted Jul 26, 2018 03:22 AM

    To Create a role go to administration -> Access control -> roles -> create role



  • 20.  RE: Add Role is failed

    Posted Jul 26, 2018 07:26 AM

    I am accessing the ESXi host directly.

    Not vCenter Server.



  • 21.  RE: Add Role is failed

    Posted Jul 26, 2018 07:40 AM

    Update the embedded host client to latest, ESXi Embedded Host Client



  • 22.  RE: Add Role is failed

    Posted Jul 26, 2018 01:29 PM

    I recommend updating the host client.

    ESXi Embedded Host Client

    Step by step:

    HOW TO: Install ESXi Embedded Host Client

    You will have:

    1 - Copy vib to datastore

    2 - esxcli software vib install -v /vmfs/volumes/<StoreName>/<FolderName>

    Please consider marking this answer "correct" or "helpful" if you think your question has been answered correctly.



  • 23.  RE: Add Role is failed

    Posted Aug 05, 2018 05:42 PM

    as900w​ Can you confirm if the command line steps provided in my previous reply helped you?

    Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

    Cheers,

    Supreet



  • 24.  RE: Add Role is failed
    Best Answer

    Posted Aug 06, 2018 02:03 AM

    I am sorry.

    I didn't try it.

    Because I have upgraded the ESXi Server to 6.7.

    It's OK.



  • 25.  RE: Add Role is failed

    Posted Aug 06, 2018 02:07 AM

    Cool, request you to close the thread accordingly.

    Cheers,

    Supreet



  • 26.  RE: Add Role is failed

    Posted Aug 06, 2018 02:11 AM

    OK. Thanks for your help!