8 Replies Latest reply on Oct 13, 2018 12:00 PM by RickVerstegen

Unable to view VM due to permissions

Crusez Oct 12, 2018 11:30 PM

Good Evening,

One of my admins accidentally applied the "no access" permission to a Nutanix CVM for the administrator@vsphere.local account. Thus we are unable to view or making any changes to the VM. We were in the process of upgrading the memory on our CVMs, but can't even view the 1 CVM in question due to permissions.

Is there a way to reset the permissions on this VM to where administrator@vsphere.local or another account can view or make changes to it? Possibly via the CLI?

Let me know your thoughts.

I have been beating my head on this for a few hours.

Thank you in advance!

1. Re: Unable to view VM due to permissions

RickVerstegen Oct 13, 2018 12:03 AM (in response to Crusez)

Have you setup AD integration and configured domain accounts with admin permissions? Then you are able to login with that and change the permissions for that particular VM. Or is administrator@vsphere.local the only account to be able to change permissions? If so, I guess you are out of luck.
Like Show 0 Likes(0)

Actions
2. Re: Unable to view VM due to permissions

Crusez Oct 13, 2018 6:59 AM (in response to RickVerstegen)

Yes, AD has been integrated in my vCenter and we did setup a group with admin permissions.

But the admin permissions are not set on this particular VM. Do I add another AD account with administrator permissions and set that globally? Will those permission propagate to the VM?
Like Show 0 Likes(0)

Actions
3. Re: Unable to view VM due to permissions

RickVerstegen Oct 13, 2018 7:07 AM (in response to Crusez)

What about logging in with an account from that group with admin permissions. And then set/change on that particular vm the permissions back for administrator@vsphere.local.
Like Show 0 Likes(0)

Actions
4. Re: Unable to view VM due to permissions

Crusez Oct 13, 2018 7:13 AM (in response to RickVerstegen)

Appears my admin gave the " no access" on the VM for the admin group as well. So basically the admin group and administrator@vsphere.local have no access permissions on this 1 VM. Shouldn't newly created accounts or groups that have administrator privileges on the host with the "propagate to children" propagate onto the VM in question?

Thanks,
Like Show 0 Likes(0)

Actions
5. Re: Unable to view VM due to permissions

sk84 Oct 13, 2018 7:41 AM (in response to Crusez)

If you create a user or group permission on a parent object (for example a host, cluster or vCenter), you have the possibility to activate the option "Propagate to children". So these permissions automatically apply to all dependent child objects (clusters, hosts or VMs).

But permissions on a child object can always override the permissions of a parent object. For example, group A has the role "Administrators" on the cluster level (and is propagated to all children) and you set the permissions on a particular VM to "read-only" for this group A. So, group A only has read-only rights on this VM. But if you remove this permission on the VM, the users of group A have administrative permissions again on this VM.

See: Hierarchical Inheritance of Permissions
Like Show 0 Likes(0)

Actions
6. Re: Unable to view VM due to permissions

Crusez Oct 13, 2018 9:05 AM (in response to sk84)

sk84, i gave a new user administrator access on the cluster, and the permissions did not propagate to the VM in question.

Any other ideas?
Like Show 0 Likes(0)

Actions
7. Re: Unable to view VM due to permissions

Crusez Oct 13, 2018 9:34 AM (in response to Crusez)

I was able to correct the issue by creating a new @vsphere.local account on the cluster and propagating the permissions down to the VMs. Thanks for your help gentlemen.
Like Show 0 Likes(0)

Actions
8. Re: Unable to view VM due to permissions

RickVerstegen Oct 13, 2018 12:00 PM (in response to Crusez)

Glad we could help. Please close this discussion.
Like Show 0 Likes(0)

Actions