3 Replies Latest reply on Nov 7, 2019 12:51 AM by sk591

    Global Permissions and PSC Services

    ladiesman219 Lurker



      I would like to understand which/how permissions apply to SSO Configuration and Deployment on the Administration page and how I can control them.


      What I did so far, using the default administrator@vsphere.local account, is join the VCSA to an AD domain and add an identity source. Next I granted an AD group the Admin role in Global Permissions with Propagation to Children enabled. For the vCenter object, I have also assigned this group the Administration role with propagation (which it seems is not even needed, as permissions are inherited from the Global ones).


      When I log in with a domain user that is a member of the group, I can access most of the usual items (Access Control, Licensing, Plugins); however, I cannot access Deployment\System Configuration, SSO\Users and Groups, and Configuration. I am receiving an insufficient privileges error. Also, I am unable to authenticate to Certificate management.


      As a workaround I was thinking of adding the AD group or AD user as a member of the Administrators group defined in vsphere.local. This works, but I am not sure if this is best practice.


      How can I grant an AD group the same permissions as the default group in the vsphere.local SSO domain?


      I guess it boils down to the permission model for PSC. I am running 6.7.0 build 14368073.