VMware Cloud Community
Admins_IM

Adding datacenter not allowed with Web Client

Just installed a clean instance of vCenter Appliance (6.0.0-3040890).

When the SSO-admin user logs in to the Web Client, it is possible to create a new datacenter.

When a global admin user logs in to the Web Client, the user cannot create a new datacenter: "(Not available)"

When this same global admin user logs in using the vSphere Client, the user can create a new datacenter.

The user was made a global admin by the SSO-admin as follows: Left-side menu: Home -> Administration -> Access control -> Global Permissions -> tab "Manage" -> added the AD-group for which the user is a member.

I cannot find if this is a confirmed bug, or an error on my side with permissions somewhere.

The fact that I can perform the action using the 'old' vSphere client seems to indicate this is a bug.

Thanks in advance for any tips or help.

Mark

brunofernandez1

Hi Mark

Have you tried restarting the Web Client after setting your permissions?

I think I've already heard about similar problems...

------------------------------------------------------------------------------- If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards from Switzerland, B. Fernandez http://vpxa.info/
Admins_IM

Neither of these helped, unfortunately:

- Restarted the vCenter server

- Restarted the Web Client and cleared browser cache

Additional update: It looks like the Active Directory user cannot do anything (add host, create folder, etc) with the Web client.

Adding the exact same access to root@localos works fine -- So I must be missing something in the access for AD users that I can't find yet, that only affects access with the Web client.

All the actions can be performed with the vSphere client, with any of the admin users, regardless of the source of credentials.

Is there a separate permission for Web client logins, for Active Directory users? (Or I am doing something incredibly stupid)

Kind regards,

Mark

Admins_IM

Further update: I have found the source of the issue.

1. I had added a group of users to be admins. The permission was granted at the level 'global permissions'

Left-side menu: Home -> Administration -> Access control -> Global Permissions -> tab "Manage" -> added the AD-group for which the user is a member.

2. I had also added a group of users (which does contain the users from the first group) to have read-only access. This permission was added at another spot:

Left-side menu: Home -> vCenter Inventory Lists -> vCenter Servers -> <server> -> Main window: tab "Manage" -> sub-tab "Permissions" -> "+" -> added the bigger AD-group -- The user from #1 is a member of this group too.

For some reason permission #2 overrules the admin permissions granted by #1 for Web Client logins.

It does not overrule the admin permissions granted by #1 for vSphere Client logins.

Is there a definitive guide on permissions, and most importantly, the effective permissions on vCenter environments?

I have been terribly frustrated by effective permissions before, and the fact that the different clients show different behaviour does not assist in understanding the principles.

Thanks in advance,

Mark

brunofernandez1

Have a look at the security guide:

https://www.google.ch/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CDAQFjAEahUKEwj86KKJjNbIAhVEKXIK...

Admins_IM

Thanks Bruno -- Chapter 4 indeed answers my question about the permission flow: The read-only permission given at a child object overruled the admin-access.

I will mark your reply as an answer.

I cannot explain why the vSphere Client behaved differently though. Perhaps something is bugging there after all, but it works properly as described through the Web Client.

Kind regards,

Mark
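
The permission flow worked out in this thread (a read-only role assigned on the vCenter Server object replacing the administrator role inherited from Global Permissions for a user who is in both groups), as an added example that is not part of the original posts. It is a simplified Python model, not VMware code; the object, group and user names are hypothetical and the role privilege sets are trimmed to a few privileges.

```python
# Added example: simplified model of vCenter effective-permission resolution.
# Object, group and user names are hypothetical; role privilege sets are trimmed.
ROLES = {
    "Admin": {"System.Read", "Datacenter.Create", "Folder.Create"},
    "ReadOnly": {"System.Read"},
}
# Child -> parent. Global permissions sit above the vCenter Server object.
PARENT = {"vcenter01": "global-root", "dc-new": "vcenter01"}

def effective(user, groups, obj, permissions):
    """Return (privileges, object_where_defined) for user on obj.

    permissions: list of (object, principal, role, propagate) tuples.
    """
    principals = {user} | set(groups)
    node, inherited = obj, False
    while node is not None:
        # Permissions set on a parent only count if they propagate.
        here = [p for p in permissions
                if p[0] == node and p[1] in principals and (p[3] or not inherited)]
        if here:
            # The nearest object with a matching permission wins outright;
            # nothing higher up is consulted.
            direct = [p for p in here if p[1] == user]
            privs = set()
            for _, _, role, _ in (direct or here):
                privs |= ROLES[role]  # several groups on one object: union
            return privs, node
        node, inherited = PARENT.get(node), True
    return set(), None

def can_create_datacenter(user, groups, permissions):
    # Datacenters are created under the vCenter Server object.
    privs, _ = effective(user, groups, "vcenter01", permissions)
    return "Datacenter.Create" in privs

ADMINS, STAFF = "AD\\vc-admins", "AD\\all-staff"
THREAD_PERMS = [
    ("global-root", ADMINS, "Admin", True),   # permission #1 in the thread
    ("vcenter01", STAFF, "ReadOnly", True),   # permission #2 in the thread
]
WITHOUT_PERM2 = THREAD_PERMS[:1]              # same setup minus permission #2

if __name__ == "__main__":
    both = [ADMINS, STAFF]
    print(can_create_datacenter("mark", both, THREAD_PERMS))
    print(effective("mark", both, "vcenter01", THREAD_PERMS)[1])
    print(can_create_datacenter("mark", both, WITHOUT_PERM2))
```

Running the same check for every member of an administrators group shows which accounts are silently downgraded by a broader group's assignment lower in the hierarchy.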