VMware Cloud Community
darrondo
Contributor

Lost permissions on vCenter Server 4.0.162856 - Possible bug?

Good morning.

We have a VMware infrastructure in which each person has several virtual machines, as well as several vlans for their private use. To avoid the possibility of users messing with other people's machines or vlans, today I started testing different role settings. During one of those tests, I believe I ran into a bug.

I tried to assign read-only access to the "Users" group to our distributed virtual switch so that people could use the vlans but not modify them. Since it is not possible to assign permissions to a virtual switch directly, what I did was create a folder and assign the permissions there. The problem is that, as soon as I configured the permissions for the "Users" group, these permissions were apparently applied to the "Administrators" one, so, as a result, I'm no longer able to manage the vlans, even from the administrator account.

I took a screenshot of the permission configuration, which also shows that I'm unable to modify anything. It's available at the following link:

http://img408.imageshack.us/img408/5048/screeenshot.jpg

I would be very interested in knowing if this is a known bug, but more importantly, if there is any way I can roll back to the previous configuration. I assume it would be possible to restore the previous configuration by editing the SQL database directly, but, unfortunately, I don't know what I would need to change there.

Any assistance would be greatly appreciated.

Daniel

cryptonym
Enthusiast

I tripped across that landmine long ago in VI3.5. The simple fix is to remove your account (Administrator?) from the "USERS" group in Windows (on the vCenter server). That will promote you back to admin level. Then, NEVER use the "users" group as a management container again. Actually, I never use any of the Windows supplied groups for vCenter access. Windows admins are used to tweaking things too often with these, so I specify my own groups that all start with VM (i.e. VM ADMINS). This makes the roles separate and clear to all.

Note, I do not use Active Directory in our environment, so I can't speak on how to fix this in AD, though I suspect it will be substantially the same.

Hope this helps.

Warren

darrondo
Contributor

Thanks for your answer. Unfortunately, I don't think it applies here, because my user (the Windows default "Administrator") is only a member of the "Administrators" group. I also tried with the user "darrondo", also a member only of the administrators group, but got the same result.

Just to confirm, we are not using AD, just locally defined users.

cryptonym
Enthusiast

ok, back up your database first... and I'm just a hacker at heart, not vmware support, so I'm not responsible for anything if this goes wrong, but...

On your SQL server, open the VPX_ACCESS table, and look for a line with ROLE_ID of -2, which is READ ONLY, and with the PRINCIPAL of "users". Then delete it.

That should fix it. You may need to reboot the vcms server to reread it though. If you made any other changes to administrators, they will show in the same table, and can be altered/repaired in the same way.

FYI, ROLE_ID of -1 is the administrator privilege.

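The deletion described in the reply above, written as a guarded T-SQL transaction; this is an added example, not part of the original post and not VMware's own procedure. It uses only the table and column names given in the reply (VPX_ACCESS, ROLE_ID, PRINCIPAL). Assumptions: `<vcenter_db>` is a placeholder for the vCenter database name, the principal is stored as plain "users" under a case-insensitive collation, and exactly one such row exists.

```sql
-- Added example: remove the read-only "users" entry from VPX_ACCESS,
-- committing only if exactly one row matched. Take a full database
-- backup first, as the reply says.
USE [<vcenter_db>];   -- placeholder: substitute your vCenter database name

SET XACT_ABORT ON;    -- any runtime error rolls the whole transaction back
DECLARE @deleted INT;

BEGIN TRANSACTION;

-- 1. Review the built-in role assignments before changing anything:
--    ROLE_ID -1 is administrator, ROLE_ID -2 is read-only (per the reply).
SELECT *
FROM VPX_ACCESS
WHERE ROLE_ID IN (-1, -2)
ORDER BY PRINCIPAL;

-- 2. Delete only the read-only entry for the "users" principal.
DELETE FROM VPX_ACCESS
WHERE ROLE_ID = -2
  AND PRINCIPAL = 'users';

-- Capture the row count immediately; the next statement would reset it.
SET @deleted = @@ROWCOUNT;

-- 3. Commit only when the delete touched the single expected row.
IF @deleted = 1
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Removed 1 row from VPX_ACCESS.';
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Did not match exactly 1 row; transaction rolled back, nothing changed.';
END
```

If the rollback branch fires, compare the PRINCIPAL values shown by the SELECT with the literal in the DELETE before trying again.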
darrondo
Contributor

It worked perfectly! Thank you very much.