VMware Cloud Community
bazza52
Enthusiast

Permission issues with Licensed Features

Hi All, I am having licensing issues with VC 2.0.2 similar to this thread on VC 2.5 http://communities.vmware.com/message/858133.

In VC when selecting Configuration - Licensed Features (on any host in the Data Centre), I get the error "Permission to perform this operation was denied". The license details are then blank. The Admin role contains the local admins group, which contains the domain admin group. I have also tried adding my domain account directly into the Admin role.

Logging in directly to a host with the root account, it displays the license information correctly. This only started occurring a few days ago, but I don't believe anything was modified in the environment (or I haven't found it yet).

Any info would be appreciated!

kjb007
Immortal

I have seen issues with nested domain accounts. Have you tried using the administrator account from your VC server to see if you get the same result?

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB

bazza52
Enthusiast

Logging on with the VC local admin account works fine - all Licensed Features on all the hosts appear correctly.

Just for testing, I added my domain account directly to the Administrator role, but this hasn't made any difference?

kjb007
Immortal

The server is having issues talking to the domain. It is strange since VC does not do authentication directly, but through the server itself. I'm assuming that the machine is part of the domain? Can you log into the machine directly with RDP using your domain account? Is your account in another group that has permissions somewhere else?

-KjB

bazza52
Enthusiast

The VC is a member server and I can log on directly using my domain account with no problems.

hicksj
Virtuoso

You haven't assigned the local Users or Domain Users (or some other "large" group that contains your account, but not the Local Administrator) a set of permissions somewhere in your VI, have you? By doing so, depending on how it's been done, it could override the administrative privileges.

i.e. Assigning Read-Only role to the Data Center (with Propagate checked), and associating with the Users group will assign RO to all objects underneath, as permissions assigned lower down in the infrastructure take precedence. The local Administrator is NOT a member of these larger groups, therefore will continue to have elevated permissions...

bazza52
Enthusiast

The only role configured is Administrator:

Datacenters - Administrators (local Administrators group has DOMAIN\Domain Admins as a member)

hicksj
Virtuoso

Just to verify, go to Administration. Under the Roles tab, click on each role. Make sure that every role other than Administrator reports "This role is not in use".

bazza52
Enthusiast

That's correct - all the other roles have "This role is not in use".

bazza52
Enthusiast

I talked to VMware Support and apparently the issue is because the administrator role isn't defined at a high enough level. Our setup is:

Hosts & Clusters (no permissions)

--ClusterName (Administrator permission)

Since we don't have permission to add permissions at the Hosts & Clusters level, the fix apparently is to modify the VC database dbo.VPX_ACCESS table, and change the ENTITY_ID value for the group from 2 to 1 (and restart VC service). I will give this a crack out of hours...

bazza52
Enthusiast

Thanks everyone, the database change fixed it all up.

Roles have appeared at the datacenter level, Licensed Features can be accessed correctly now, and also the VMread, VMAdmin and vcbackup groups have appeared in their correct places.

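
The dbo.VPX_ACCESS change described in the thread, written as a guarded T-SQL script so that an edit to the access-control table is backed up, scoped to one row, and rolled back if it matches anything unexpected. This is an added example, not code from the posts or from VMware; the `PRINCIPAL` column name, the backup table name and the group placeholder are assumptions to check against the output of the first query.

```sql
-- Added example: guarded form of the ENTITY_ID change described in the thread.
-- Take a full backup of the VirtualCenter database before running this.

-- 1. Inspect the current permission rows and confirm the real column names.
SELECT * FROM dbo.VPX_ACCESS;

-- 2. Keep a copy of the table so the change can be reverted.
--    VPX_ACCESS_BACKUP is a hypothetical name chosen for this example.
SELECT * INTO dbo.VPX_ACCESS_BACKUP FROM dbo.VPX_ACCESS;

-- 3. Move the group's permission from entity 2 to entity 1, and commit
--    only if exactly one row was affected.
DECLARE @principal NVARCHAR(255);
DECLARE @changed INT;
SET @principal = N'<DOMAIN\GroupName>';   -- placeholder: the group from step 1

BEGIN TRANSACTION;

UPDATE dbo.VPX_ACCESS
SET    ENTITY_ID = 1
WHERE  ENTITY_ID = 2
  AND  PRINCIPAL = @principal;            -- assumed column name; verify in step 1

SET @changed = @@ROWCOUNT;                -- capture immediately after the UPDATE

IF @changed = 1
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Updated 1 row. Restart the VC service for the change to take effect.';
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Expected exactly 1 matching row; no change was made.';
END

-- 4. Confirm the result before restarting the service.
SELECT * FROM dbo.VPX_ACCESS WHERE ENTITY_ID IN (1, 2);
```

To revert, restore the affected row from the backup table and restart the VC service again.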