Every time the ESXi server is rebooted, it appears that it resets all of the permission sets to default. This includes users, or roles, that are created through the web interface or using esxcli.
For instance, if I create a user named test and assign it the administrator role, it works until the machine is rebooted. After reboot, a check of the permissions shows that root is once again the only user assigned to this role. While the Administrator role is used as an example here, it also applies to user-defined roles.
Any ideas?
The answer from VMware is that root demoting is no longer supported.
Is this a single server, or a server that is part of a cluster, and if so, was it created using auto deploy?
This is a single server and it was created using a customized kickstart.
OK, I can further refine the problem. Create a new user, add it to the "Admin" group, and then run the following snippet:
# Demote Root
l_rootTestPrivileges='VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.PowerOff
VApp.PowerOn
VApp.PowerOff
VirtualMachine.Interact.Suspend
VApp.Suspend
Host.Config.AutoStart
'
vim-cmd vimsvc/auth/role_add RootTest $l_rootTestPrivileges
vim-cmd vimsvc/auth/entity_permission_add vim.Folder:ha-folder-root root false RootTest true
This will immediately log you out and if you created a script file to execute it, the script will be gone, which implies that there may be other rollbacks as well. The new "Admin" account and restrictions will be in place and functional until you reboot. After the reboot, the permissions have been reset, the script is gone and changing any permissions after this point will get rolled back on next reboot.
BTW, this worked perfectly fine in 6.0 update 3 and produced the desired configuration.