Provide a scripted method to bulk modify permissions in the vpx_access table.
After changing identity sources from IWA to ADFS MFA, the identity source is used as an alias, and the permissions have to be recreated because the MFA only recognizes the FQDN of the AD domain name and not the alias version, so all permissions need to be recreated for that domain.
After reconfiguring the vCenter to use ADFS, there is a need to modify all permissions from DOMAIN\XXX to FULLDOMAIN\XXX in order for them to work.
Important: Before proceeding, please make sure to take a proper snapshot of the VCSA. If the VCSA is in linked mode (ELM), take offline snapshots of all linked VCSAs.
Note: This script will prompt for the ALIAS and the DOMAIN information needed to normalize the entries and fix the permissions issue for ADFS/LDAP.
If there are object-level permissions with the wrong/mismatching ALIAS(s) in the vCenter (NOT GLOBAL PERMISSIONS), this script can find and change existing ALIAS(s) in the vpx_access table of the VCDB to match the given ALIAS/DOMAIN name.
The script will also run pg_dump to create a unique plain-format dump of the vpx_access table as an extra safety measure; however, restoring it involves dropping or truncating the table.
Connect to the VCSA via SSH as the root user.
Upload the script to the VCSA (e.g. WinSCP, etc.).
Stop the "vpxd" service before performing any maintenance on the VCDB.
service-control --stop vmware-vpxd
/opt/vmware/vpostgres/current/bin/psql -U postgres VCDB -c "select * from vpx_access;"
python fixalias.py
Note: To proceed with the script, "Y" is case sensitive.
/opt/vmware/vpostgres/current/bin/psql -U postgres VCDB -c "select * from vpx_access;"
service-control --start vmware-vpxd
The new domain permissions should be reflected in the UI.
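The procedure above runs the same select on vpx_access before and after the script, which makes it possible to confirm that only the alias prefix changed. The following is an added example, not part of fixalias.py or of this article's tooling: it compares two saved copies of that psql output and reports anything other than the expected ALIAS to DOMAIN rename. The column names "id" and "principal", the sample rows, and the names CORP and corp.example.com are assumptions or constructed values.

```python
# Added example. Sample rows are constructed; column names come from the psql
# header row, and "id" / "principal" are assumed names for vpx_access columns.
BEFORE = r"""
 id | principal                   | role_id | entity_id | flag
----+-----------------------------+---------+-----------+------
  1 | VSPHERE.LOCAL\Administrator |      -1 |         1 |    1
  2 | CORP\vc-admins              |      -1 |         1 |    3
  3 | CORP\alice                  |      -5 |        22 |    1
(3 rows)
"""
# Constructed "after" output where only the alias prefix was rewritten.
AFTER_GOOD = BEFORE.replace("CORP\\", "corp.example.com\\")
# Constructed "after" output with a changed role_id and an extra row.
AFTER_BAD = AFTER_GOOD.replace("-5", "-1") + " 4 | corp.example.com\\svc-x | -1 | 1 | 1\n"


def parse_psql(text):
    """Parse aligned psql output into dicts keyed by the header names."""
    # Data and header lines contain "|"; the rule and "(N rows)" lines do not.
    lines = [l for l in text.splitlines() if "|" in l]
    header = [c.strip() for c in lines[0].split("|")]
    return [dict(zip(header, (c.strip() for c in l.split("|")))) for l in lines[1:]]


def audit(before, after, alias, domain, key="id", col="principal"):
    """Return (expected_renames, problems) for a before/after pair."""
    old = {r[key]: r for r in parse_psql(before)}
    new = {r[key]: r for r in parse_psql(after)}
    expected_renames, problems = 0, []
    for rid, row in old.items():
        if rid not in new:
            problems.append(f"row {rid} removed")
            continue
        expected = dict(row)
        prefix, sep, name = row[col].partition("\\")
        if sep and prefix.casefold() == alias.casefold():
            expected[col] = f"{domain}\\{name}"  # ALIAS\name -> DOMAIN\name
            expected_renames += 1
        for c, want in expected.items():
            got = new[rid].get(c, "")
            if want.casefold() != got.casefold():  # case-insensitive by assumption
                problems.append(f"row {rid}: {c} is {got!r}, expected {want!r}")
    problems += [f"row {rid} added" for rid in sorted(new.keys() - old.keys())]
    return expected_renames, problems


if __name__ == "__main__":
    print(audit(BEFORE, AFTER_GOOD, "CORP", "corp.example.com"))
    print(audit(BEFORE, AFTER_BAD, "CORP", "corp.example.com"))
```

To use it on real data, redirect the output of each select to a file and pass the two file contents to audit() in place of the constructed samples.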