[VMC on AWS] Reset cloudadmin account global permission
Article ID: 323641
Products
VMware Cloud on AWS
Issue/Introduction
Provides details about how to troubleshoot and fix the issue
Symptoms:
The cloudadmin user or group is explicitly defined in Global Permissions with a role (custom, or a pre-defined role such as Read-only) that has fewer privileges than the CloudAdmin role.
The same permission may also be defined at the vCenter object level and on all of its child workload objects.
Trying to delete that explicit permission, or to assign it the CloudAdmin role, fails with an "Insufficient Privilege" error, because in its current state the cloudadmin user holds a role with fewer privileges than CloudAdmin.
Cause
A new permission was explicitly created for VMC.LOCAL\cloudadmin with a role that has fewer privileges than CloudAdmin.
If the "Propagate to children" option was selected when the permission was created, the permission is also visible at the vCenter object level and on all of its child workload objects.
Resolution
The cloudadmin account is a member of the CloudAdminGroup. By default, this group has the CloudAdmin role defined at the Global Permissions level with "Propagate to children" set. Hence, there is no need to explicitly define permissions for the VMC.LOCAL\cloudadmin user.
Refer to the following points to remediate the issue:
If Active Directory integration is present in the VMC on AWS vCenter, check if any of the existing AD users have the CloudAdmin role.
If there are AD users holding the CloudAdmin role, they can delete the permission set for the VMC.LOCAL\cloudadmin user.
If there are no AD users holding the CloudAdmin role, raise a support request with VMware so that they can remediate it.
If Active Directory integration is not present in the VMC on AWS vCenter, raise a support request with VMware so that they can remediate it.
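The following read-only PowerCLI audit is an added example, not part of the VMware article. It assumes PowerCLI is installed, an existing Connect-VIServer session to the VMC vCenter, and that 'CORP' is a placeholder for the integrated AD domain; it lists where cloudadmin is explicitly defined with a weaker role and whether any AD principal holds CloudAdmin and can therefore remove that entry.

```powershell
# Added audit example (not VMware's code). Assumes an active Connect-VIServer
# session to the VMC vCenter. 'CORP' is a placeholder for your AD domain.
$LocalPrincipal = 'VMC.LOCAL\cloudadmin'
$AdDomain       = 'CORP'   # placeholder: NetBIOS name of the integrated AD domain

# 1. Where is cloudadmin explicitly defined, and with which role?
#    A permission created with "Propagate to children" shows up on the
#    vCenter root object and every child, so no -Entity filter is used.
$explicit = Get-VIPermission -Principal $LocalPrincipal |
    Select-Object Entity, Role, Propagate

$weak = $explicit | Where-Object { $_.Role -ne 'CloudAdmin' }
if ($weak) {
    Write-Warning "Explicit permission for $LocalPrincipal with a role weaker than CloudAdmin:"
    $weak | Format-Table -AutoSize
} else {
    "No explicit permission with a weaker role found for $LocalPrincipal."
}

# 2. Which AD principals hold CloudAdmin? Any of them can delete the weak entry.
$adAdmins = Get-VIPermission |
    Where-Object { $_.Role -eq 'CloudAdmin' -and $_.Principal -like "$AdDomain\*" } |
    Select-Object Principal, IsGroup, Entity -Unique

if ($adAdmins) {
    "AD principals with CloudAdmin (can remove the explicit $LocalPrincipal entry):"
    $adAdmins | Format-Table -AutoSize
} else {
    "No AD principal holds CloudAdmin; raise a VMware support request to remediate."
}
```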
As a best practice, never modify the roles associated with the local users defined in VMC on AWS.