"Cannot delete or deactivate the last system administrator" error when disabling local System level users in vCloud Director for Service Providers

Article ID: 320538


Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • Attempting the Disable Account action on a local user at the System level in vCloud Director fails with the error:
    Cannot delete or deactivate the last system administrator
  • The user has a custom System level role other than the default System Administrator role.
  • LDAP and SAML users can be disabled and deleted without issue.


Environment

VMware Cloud Director for Service Provider 9.0.x
VMware Cloud Director for Service Provider 9.x

Cause

This issue occurs because vCloud Director always expects one local System Administrator to be present and enabled.
When the Disable Account action is performed against a user that has another type of System role, vCloud Director incorrectly assesses the action against the current number of System Administrators, which causes the error.
System users added from LDAP or SAML identity sources are not affected by this behaviour.

Resolution

This issue is due to be resolved in a future release of vCloud Director for Service Providers.

Workaround:
To work around the issue, create an additional local System Administrator so that there are two present and enabled:

1) Log into the vCloud Director UI as a System Administrator.
2) Navigate to System, Administration, System Administrators & Roles, Users.
3) Click the green plus icon to create a new local user. Fill in the details as desired and ensure that the default System Administrator role is chosen under the Role section. Click OK to create the user.
4) After creating this user, ensure that there are two System Administrator users of the Local type visible and enabled.
5) Retry the Disable Account action on the user for which it previously failed; it should now succeed.

An alternative workaround is to change the role of the user to be disabled from the configured role to the default System Administrator role. However, this may cause the user to have more rights than desired if the user is subsequently re-enabled:

1) Log into the vCloud Director UI as a System Administrator.
2) Navigate to System, Administration, System Administrators & Roles, Users.
3) Open the properties of the user which you wish to disable.
4) Under the Role section, select System Administrator from the drop-down list and click OK to apply the change.
5) With the user now changed to the System Administrator role, retry the Disable User action; it should now succeed as long as there is also another local System Administrator user present.
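
The following pre-flight check is an added example, not VMware code. It runs over a constructed user inventory to predict when the Disable Account action will hit the error, and to list disabled local users left on the System Administrator role (the over-privilege risk of the alternative workaround). The record fields, the source labels and the "fewer than two" rule are assumptions modelled on the behaviour described above.

```python
from dataclasses import dataclass

SYSADMIN_ROLE = "System Administrator"  # default role name used in the article


@dataclass(frozen=True)
class SystemUser:
    name: str
    source: str   # "LOCAL", "LDAP" or "SAML" (assumed labels)
    role: str
    enabled: bool


def local_enabled_sysadmins(users):
    """Local users that are enabled and hold the default System Administrator role."""
    return [u for u in users
            if u.source == "LOCAL" and u.enabled and u.role == SYSADMIN_ROLE]


def disable_would_fail(users, target_name):
    """Predict the 'last system administrator' error for one Disable Account attempt.

    Assumed model of the article's description: every local System level
    user is checked against the number of local, enabled System
    Administrators, and two of them must exist for the action to succeed.
    LDAP and SAML users are not affected.
    """
    target = next(u for u in users if u.name == target_name)
    if target.source != "LOCAL" or not target.enabled:
        return False
    return len(local_enabled_sysadmins(users)) < 2


def overprivileged_if_reenabled(users):
    """Disabled local users on the System Administrator role, for example after
    the role-change workaround; re-enabling one restores full admin rights."""
    return [u.name for u in users
            if u.source == "LOCAL" and not u.enabled and u.role == SYSADMIN_ROLE]


# Constructed sample inventory (not taken from a real system).
USERS = [
    SystemUser("administrator", "LOCAL", SYSADMIN_ROLE, True),
    SystemUser("ops-readonly", "LOCAL", "Custom Read Only", True),
    SystemUser("ldap-admin", "LDAP", SYSADMIN_ROLE, True),
    SystemUser("old-operator", "LOCAL", SYSADMIN_ROLE, False),
]
```

Any name returned by `overprivileged_if_reenabled` should have its role changed back before the account is re-enabled.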