Contributor
Contributor

Global Permissions and PSC Services

Jump to solution

Hello,

I would like to understand which/how permmission apply to SSO Configuration and Deployment at Administration page and how can I control it.

What I did so far using the default administrator@vsphere.local account is joined the VCSA to a AD domain, and added an identity source. Next I granted an AD group Admin role in Global Permissions with Propagation to Children enabled. For vCenter object, I have also assigned this group the Administration role with propagation (which it seems it not even needed as permissions are inherited from Global ones).

When I log with a domain user that is member of the group, I can access most of the usual items (Access Control, Licensing, Plugins), however I cannot access Deployment\System Configiration, SSO\Users and Groups and Configuration. I am receiving unsufficient privileges error. Also I am unable to authenticate to Certificate management.

As I workaround I was thinking of adding the AD group or AD user as member of Administrators group defined in vsphere.local, this works, but not sure if this is the best practices.

How can I grant an AD group same permission as the default group in vsphere.local SSO domain?

I guess it boils down to permission model for PSC. I am runnign 6.7.0 build 14368073

0 Kudos
1 Solution

Accepted Solutions
Enthusiast
Enthusiast

Yes, that is the ideal way of allowing AD users to perform administrative tasks.

View solution in original post

3 Replies
Enthusiast
Enthusiast

Hi,

Can you confirm if you have tried the following steps?

Login to vSphere Web Client> Go to Administration -> Single Sign On -> Users and Groups -> select the ADMINISTRATOR group and add the AD account or group.

This should allow the user/group to gain access to all configuration components.

Kind Regards.

0 Kudos
Contributor
Contributor

Hello,

Yes that is what I mean with

As I workaround I was thinking of adding the AD group or AD user as member of Administrators group defined in vsphere.local, this works, but not sure if this is the best practices.

If this is the recommended way, would it mean that I don't really need to set global/object permission for AD Group on its own, since it would naturally inherit every access that the vsphere.local Administrator group has?

0 Kudos
Enthusiast
Enthusiast

Yes, that is the ideal way of allowing AD users to perform administrative tasks.

View solution in original post