5 Replies Latest reply on Aug 6, 2019 1:42 PM by Scottie

    Lower level permissions not working?

    vadm168 Novice

      VCSA 6.5

      Hi,

      My vCenter has several datacenters below it. I've granted a manager the Administrator role at datacenter_1. However, when he tried to add an Active Directory user, it throws this error:

      The "Add permission" operation failed for the entity with the following error message.

      Not enough privileges to execute this action.

      It seems that even the Administrator role at that particular datacenter level is not sufficient to grant users permissions to the objects in that datacenter? If so, how do I work around this without giving the manager too many permissions on other datacenters and at the vCenter level?

      Thanks,

        • 1. Re: Lower level permissions not working?
          GayathriS Expert

          This may add some info here:

          Best Practices for Roles and Permissions

          Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

          Regards,

          Gayathri

          • 2. Re: Lower level permissions not working?
            Vijay2027 Expert
            vExpert

            I just verified in my lab and was able to grant users permissions to the objects in that datacenter (not at the datacenter level, but at the cluster level and its children).

            admin1 with the Administrator privilege at the DC level.

            Was able to add user admin2 at the cluster level.

            However, it fails with the same error you mentioned when adding a user at the DC level.

            Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

            • 3. Re: Lower level permissions not working?
              vadm168 Novice

              Hi Gayathri,

              Thanks for the link, but I don't see any best practice that can explain this. I think it makes perfect sense for an admin at the datacenter level to be able to grant other users permissions to the datacenter itself as needed, but it does not seem to be working.

              Hi Vijay2027,

              Thanks for confirming that granting users permissions on objects below the datacenter works. I just don't understand why it does not allow adding users at the datacenter level. If I have 10 clusters in the datacenter, it means I have to add the same user 10 times, once to each cluster, in order to give the user "full" Administrator rights to all resources under the datacenter. It does not quite make sense to me...

              Thanks,
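The per-cluster workaround described in this thread, written out as a PowerCLI script. This is an added example, not code posted by anyone in the thread or shipped by VMware; the server name, datacenter name and principal are placeholders, and it assumes the PowerCLI module is installed. It first attempts the datacenter-level grant so you can see the reported failure for yourself when running it as the delegated manager account, then falls back to granting the role on every cluster directly under the datacenter with propagation enabled, skipping clusters where the principal already has a permission:

```powershell
# Added example (not from the original thread). Placeholders: vcsa.example.com,
# datacenter_1 and DOMAIN\manager. Run it as the delegated datacenter admin to
# reproduce the behaviour the thread describes; run it as a full vCenter admin
# if you only want the per-cluster grants applied.
Connect-VIServer -Server 'vcsa.example.com' | Out-Null

$dc        = Get-Datacenter -Name 'datacenter_1'
$principal = 'DOMAIN\manager'
$role      = Get-VIRole -Name 'Administrator'

# Step 1: try the grant at the datacenter object itself. The thread reports
# this fails with "Not enough privileges to execute this action" when the
# caller's Administrator role is scoped to the datacenter rather than root.
$dcGrantOk = $false
try {
    New-VIPermission -Entity $dc -Principal $principal -Role $role -Propagate:$true -ErrorAction Stop | Out-Null
    $dcGrantOk = $true
    Write-Host "Granted $($role.Name) to $principal on datacenter $($dc.Name)"
} catch {
    Write-Warning "Datacenter-level grant failed: $($_.Exception.Message)"
}

# Step 2: fall back to the workaround confirmed in the thread: grant on each
# cluster under the datacenter. Propagate=true pushes the permission down to
# hosts, resource pools and VMs in each cluster, so one grant per cluster
# covers everything below it.
if (-not $dcGrantOk) {
    foreach ($cluster in Get-Cluster -Location $dc) {
        $existing = Get-VIPermission -Entity $cluster -Principal $principal -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Host "Skipping $($cluster.Name): $principal already has $($existing.Role) there"
            continue
        }
        New-VIPermission -Entity $cluster -Principal $principal -Role $role -Propagate:$true | Out-Null
        Write-Host "Granted $($role.Name) to $principal on cluster $($cluster.Name)"
    }
}

# Step 3: verify what the principal actually holds in this datacenter's subtree.
Get-Cluster -Location $dc |
    Get-VIPermission -Principal $principal |
    Select-Object @{n='Entity';e={$_.Entity.Name}}, Principal, Role, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Server 'vcsa.example.com' -Confirm:$false
```

Two things worth checking before relying on this. First, the fallback only covers clusters: standalone hosts, folders or datastores that sit directly under the datacenter rather than inside a cluster would need their own grant, so extend the loop (for example with `Get-VMHost -Location $dc` or `Get-Folder -Location $dc`) if your inventory has them. Second, new clusters added later will not inherit anything, which is the same maintenance burden the thread complains about; re-running the script is idempotent because of the existing-permission check.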

              • 4. Re: Lower level permissions not working?
                gvs_rambabu Lurker

                Hi vadm168,

                Not sure if you managed to resolve the issue, however I just wanted to mention, as pointed out in the best practices:

                ++

                Use caution when adding a permission to the root vCenter Server objects. Users with privileges at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings.

                ++

                I've noticed that even after adding a USER with a permission (as ADMINISTRATOR) at the root object (vCenter Server) level, one still does not see this USER added or listed under "Global Permissions" (under Home > Administration > Access Control), which makes sense, and I hope this is the case with you too.

                I see that if this user is added globally, that should do the trick.

                Yes, I don't, however, get VMware's thought process behind having to do this when one needs to deal only with a specific vCenter instance and not globally!

                • 5. Re: Lower level permissions not working?
                  Scottie Novice

                  I had to log in with the VMware vCenter Single Sign-On account and password before it would let me create new roles.