Permissions Combined Differently for Appliances?

  • 1.  Permissions Combined Differently for Appliances?

    Posted Sep 05, 2012 08:25 PM

    Have a vCenter 5 instance with the following permissions set at the root:

    • AD group "vAdmins" granted Administrator role
    • vCenter server's local Windows Administrators group set to "No Access"
    • vAdmins is a member of the local Administrators group on the vCenter server

    So, as I understand it, granted at the same level in vCenter, the permissions combine.  So despite vAdmins being a member of the local Administrators group on the vCenter server, they will get the Administrator roles in vCenter because it is also granted at the same level.

    We've been set this way for some time with no issue for any users in the vAdmins group.

    However, we recently set up both vCOPs and SRM with the vSphere replication (VRS) appliances.  Both vCOPs and VRS are Linux-based VMware appliances and use vCenter permissions to control access.

    Both vCOPs and VRS were giving permission errors for any members of vAdmins.  vCOPs would not allow them to log in at all, and when signing into SRM, VRS would pop up an "access denied" error for the VRS servers.

    Deleting the local Administrators group at the root which was set to No Access fixed both vCOPs and VRS access for vAdmins.

    So...vCenter is combining Administrator and No Access at the same level and granting Administrator.

    vCOPs and VRS are combining Administrator and No Access at the same level and granting No Access.

    Is this a bug?
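
The two outcomes reported in the post, modelled as an added example (not part of the original post and not VMware code): a union evaluator and a deny-overrides evaluator run over the same root-level permissions, plus a check that lists users for whom the two disagree. The user `alice`, the privilege names and both evaluator functions are assumptions built from the post's description.

```python
# Added illustration. Constructed data: user "alice" and the privilege names are
# placeholders; the two evaluators model the behaviours the post reports.
ROLE_PRIVS = {"Administrator": {"view", "manage", "configure"}, "No Access": set()}

# Root-level permissions from the post: (principal, role)
ROOT_PERMS = [("vAdmins", "Administrator"), ("Administrators", "No Access")]

# Direct memberships: vAdmins is nested in the local Administrators group
MEMBER_OF = {"alice": {"vAdmins"}, "vAdmins": {"Administrators"}}


def expand_groups(principal, member_of):
    """Return every group the principal belongs to, following nesting."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def roles_for(user, perms, member_of):
    """Roles granted at this object to the user or any of their groups."""
    principals = expand_groups(user, member_of) | {user}
    return [role for principal, role in perms if principal in principals]


def effective_union(roles):
    """Union semantics: No Access contributes nothing and cannot subtract."""
    return set().union(*(ROLE_PRIVS[r] for r in roles))


def effective_deny_overrides(roles):
    """Deny-overrides semantics: any No Access match wins."""
    return set() if "No Access" in roles else effective_union(roles)


def find_conflicts(users, perms, member_of):
    """Users whose access differs between the two evaluators."""
    out = []
    for user in users:
        roles = roles_for(user, perms, member_of)
        if effective_union(roles) != effective_deny_overrides(roles):
            out.append(user)
    return out


if __name__ == "__main__":
    print(find_conflicts(["alice"], ROOT_PERMS, MEMBER_OF))
```

Running the same check after dropping the No Access entry returns an empty list, which matches the fix described in the post.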