Error 'Add permission failed! - The object or item referred to could not be found' when assigning a Custom Role

Article ID: 336293

Products

VMware vCenter Server

Issue/Introduction

  • When applying a custom role to a user or group within the Inventory, the assignment fails with “Add permission failed! - The object or item referred to could not be found”.

  • When applying a custom role to a user or group under Global permission, the assignment fails with “Add permission failed! – Internal Error”.



  • /var/log/vmware/vpxd-svcs/authz-event.log:

    [timestamp] [tomcat-exec-123 [] INFO  AuthorizationService.AuditLog  opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Update role Id=140#######,Name=Test-Role  ,Description= ,Tenant=Privileges=[Alarm.Acknowledge, Alarm.Create, Alarm.DisableActions, Alarm.ToggleEnableOnEntity, Alarm.Edit, Alarm.Delete, Alarm.SetStatus, Certificate.Manage, ExternalStatsProvider.Register, ExternalStatsProvider.Unregister, ExternalStatsProvider.Update, Folder.Create, Folder.Delete, Folder.Move, Folder.Rename]

  • /var/log/vmware/vpxd/vpxd.log:

    [timestamp] info vpxd[06926] [Originator@6876 sub=UserDirectorySso opID=########-##-auto-ih-h5:########-b] GetUserInfoInternal(vsphere.local\NEW_USER_TEST_PERMISSION, true) res: VSPHERE.LOCAL\NEW_USER_TEST_PERMISSION
    [timestamp] info vpxd[06926] [Originator@6876 sub=vmomi.soapStub[10] opID=########-##-auto-ih-h5:########-b] SOAP request returned HTTP failure; <<cs p:00007fd850004a00, TCP:localhost:1080>, /sso-adminserver/sdk/vsphere.local>, method: findDirectParentGroups; code: 500(Internal Server Error); fault: (sso.fault.InvalidPrincipalFault) {
    -->    faultCause = (vmodl.MethodFault) null,
    -->    faultMessage = <unset>,
    -->    principal = "[email protected]"
    -->    msg = "Received SOAP response fault from [<<cs p:00007fd850004a00, TCP:localhost:1080>, /sso-adminserver/sdk/vsphere.local>]: findDirectParentGroups
    --> The specified principal ([email protected]) is invalid.
    --> Caused by: Principal cannot be found."
    --> }
    [timestamp] warning vpxd[06926] [Originator@6876 sub=SsoWrapper.SsoAdminFacade opID=########-##-auto-ih-h5:########-b] [FindAllParentGroups] Cannot get direct parent groups of group USERNAME vsphere.local. Exception N3Sso5Fault21InvalidPrincipalFault9ExceptionE(Fault cause: sso.fault.InvalidPrincipalFault
    :
    [timestamp] info vpxd[06926] [Originator@6876 sub=vpxLro opID=########-##-auto-ih-h5:########-b] [VpxLRO] -- FINISH lro-4663
    [timestamp] error vpxd[06926] [Originator@6876 sub=Default opID=########-##-auto-ih-h5:########-b] [VpxLRO] -- ERROR lro-4663 -- ########-####-####-####-############(########-####-####-####-############) -- AuthorizationManager -- vim.AuthorizationManager.setEntityPermissions: :vim.fault.NotFound
    --> Result:
    --> (vim.fault.NotFound) {
    -->    faultCause = (vmodl.MethodFault) null,
    -->    faultMessage = <unset>
    -->    msg = ""
    --> }
    --> Args:
    -->
    --> Arg entity:
    --> 'vim.Folder:######-####-####-####-############:group-##'
    --> Arg permission:
    --> (vim.AuthorizationManager.Permission) [
    -->    (vim.AuthorizationManager.Permission) {
    -->       entity = <unset>,
    -->       principal = "VSPHERE.LOCAL\NEW_USER_TEST_PERMISSION",
    -->       group = true,
    -->       roleId = 0,
    -->       propagate = true
    -->    }
    --> ]

 

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

The issue occurs when the custom role was created with an invalid character or a space at the beginning or end of its name.

In the authz-event.log excerpt above, the role name ends with a space ("Name=Test-Role "), which leads to the errors.

Resolution

Rename the custom role to remove the invalid characters or spaces, then assign the role to the user or group.
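
To find which roles need renaming, the following added example (not part of the original article and not VMware tooling) scans authz-event.log audit entries and flags role names that start or end with a space or non-printable character. The sample lines, role IDs and the reading of "invalid" as whitespace or non-printable are assumptions made for illustration.

```python
import re
import sys

# Role fields of an AuthorizationService.AuditLog entry, following the
# authz-event.log excerpt in this article. Name is captured verbatim.
ROLE_RE = re.compile(r"role Id=(?P<id>[^,]*),Name=(?P<name>.*?),Description=")


def edge_problems(name):
    """Describe the first/last character of a role name if it must be removed."""
    problems = []
    for label, ch in (("leading", name[:1]), ("trailing", name[-1:])):
        # Assumption: "invalid" means whitespace or a non-printable character.
        if ch and (ch.isspace() or not ch.isprintable()):
            problems.append(f"{label} U+{ord(ch):04X}")
    return problems


def scan(lines):
    """Yield (role_id, raw_name, problems) for each audited role with a bad name."""
    for line in lines:
        m = ROLE_RE.search(line)
        if m:
            problems = edge_problems(m.group("name"))
            if problems:
                yield m.group("id"), m.group("name"), problems


# Constructed sample entries modelled on the excerpt (IDs and role names invented).
PREFIX = (r"[timestamp] [tomcat-exec-1 [] INFO  AuthorizationService.AuditLog  opId=] "
          r"Action performed by principal(name=VSPHERE.LOCAL\Administrator,"
          r"isGroup=false):Update role ")
SAMPLE = [
    PREFIX + "Id=1001,Name=Test-Role  ,Description= ,Tenant=Privileges=[Folder.Create]",
    PREFIX + "Id=1002,Name=Clean-Role,Description= ,Tenant=Privileges=[Folder.Create]",
    PREFIX + "Id=1003,Name= Ops-Role,Description= ,Tenant=Privileges=[Alarm.Create]",
]

if __name__ == "__main__":
    # Pass a copy of authz-event.log as the first argument; defaults to SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            hits = list(scan(fh))
    else:
        hits = list(scan(SAMPLE))
    for role_id, name, problems in hits:
        print(f"role Id={role_id} Name={name!r}: {', '.join(problems)}")
```

Each hit gives the role Id and the raw name exactly as logged; confirm it against the current role list before renaming.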