Error 'Add permission failed! - The object or item referred to could not be found' when assigning a Custom Role

Article ID: 336293

Updated On: 04-09-2025

Products

VMware vCenter Server

Issue/Introduction

  • When applying a custom role to a user or group within the Inventory, the assignment fails with “Add permission failed! - The object or item referred to could not be found”.

  • When applying a custom role to a user or group under Global permission, the assignment fails with “Add permission failed! – Internal Error”.

  • /var/log/vmware/vpxd-svcs/authz-event.log:

    YYYY-MM-DDTHH:MM:SS.225Z [tomcat-exec-123 [] INFO  AuthorizationService.AuditLog  opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Update role Id=140#######,Name=Test-Role  ,Description= ,Tenant=Privileges=[Alarm.Acknowledge, Alarm.Create, Alarm.DisableActions, Alarm.ToggleEnableOnEntity, Alarm.Edit, Alarm.Delete, Alarm.SetStatus, Certificate.Manage, ExternalStatsProvider.Register, ExternalStatsProvider.Unregister, ExternalStatsProvider.Update, Folder.Create, Folder.Delete, Folder.Move, Folder.Rename]

  • /var/log/vmware/vpxd/vpxd.log:

    YYYY-MM-DDTHH:MM:SS.905Z info vpxd[06926] [Originator@6876 sub=UserDirectorySso opID=m8xxxxxx-xx-auto-ih-h5:xxxxxxxx-b] GetUserInfoInternal(vsphere.local\TEST-PERMISSION, true) res: VSPHERE.LOCAL\TEST-PERMISSION
    YYYY-MM-DDTHH:MM:SS.949Z info vpxd[06926] [Originator@6876 sub=vmomi.soapStub[10] opID=m8xxxxxx-xx-auto-ih-h5:xxxxxxxx-b] SOAP request returned HTTP failure; <<cs p:00007fd850004a00, TCP:localhost:1080>, /sso-adminserver/sdk/vsphere.local>, method: findDirectParentGroups; code: 500(Internal Server Error); fault: (sso.fault.InvalidPrincipalFault) {
    -->    faultCause = (vmodl.MethodFault) null,
    -->    faultMessage = <unset>,
    -->    principal = "Everyone@vsphere.local"
    -->    msg = "Received SOAP response fault from [<<cs p:00007fd850004a00, TCP:localhost:1080>, /sso-adminserver/sdk/vsphere.local>]: findDirectParentGroups
    --> The specified principal (Everyone@vsphere.local) is invalid.
    --> Caused by: Principal cannot be found."
    --> }
    YYYY-MM-DDTHH:MM:SS.949Z warning vpxd[06926] [Originator@6876 sub=SsoWrapper.SsoAdminFacade opID=m8xxxxxx-xx-auto-ih-h5:xxxxxxxx-b] [FindAllParentGroups] Cannot get direct parent groups of group Everyone vsphere.local. Exception N3Sso5Fault21InvalidPrincipalFault9ExceptionE(Fault cause: sso.fault.InvalidPrincipalFault
    :
    YYYY-MM-DDTHH:MM:SS.952Z info vpxd[06926] [Originator@6876 sub=vpxLro opID=m8xxxxxx-xx-auto-ih-h5:xxxxxxxx-b] [VpxLRO] -- FINISH lro-4663
    YYYY-MM-DDTHH:MM:SS.952Z error vpxd[06926] [Originator@6876 sub=Default opID=m8xxxxxx-xx-auto-ih-h5:xxxxxxxx-b] [VpxLRO] -- ERROR lro-4663 -- 52xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx(52xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) -- AuthorizationManager -- vim.AuthorizationManager.setEntityPermissions: :vim.fault.NotFound
    --> Result:
    --> (vim.fault.NotFound) {
    -->    faultCause = (vmodl.MethodFault) null,
    -->    faultMessage = <unset>
    -->    msg = ""
    --> }
    --> Args:
    -->
    --> Arg entity:
    --> 'vim.Folder:f770e0f4-xxxx-xxxx-xxxx-xxxxxxxxxxxx:group-d1'
    --> Arg permission:
    --> (vim.AuthorizationManager.Permission) [
    -->    (vim.AuthorizationManager.Permission) {
    -->       entity = <unset>,
    -->       principal = "VSPHERE.LOCAL\TEST-PERMISSION",
    -->       group = true,
    -->       roleId = 0,
    -->       propagate = true
    -->    }
    --> ]

 

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

This issue occurs when the custom role was created with an invalid character or a space at the beginning or end of its name.

In the log excerpt above, the role name ends with a space ("Name=Test-Role "), which leads to the errors.

Resolution

Rename the custom role to remove the invalid characters or spaces, then assign the role to the users or groups.
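
To find which roles are affected before renaming them, the following added example (not part of the original article and not VMware tooling) scans authz-event.log entries in the format shown above and reports roles whose most recent name has leading or trailing whitespace or hidden characters. The sample lines, role ids and function names are constructed for illustration, and treating control/format characters as "invalid characters" is an assumption.

```python
import re
import sys
import unicodedata

# Field layout as it appears in the article's authz-event.log excerpt:
#   ... role Id=<id>,Name=<name>,Description=<text>,Tenant=...
ROLE_RE = re.compile(r"role Id=(?P<id>[^,]*),Name=(?P<name>.*?),Description=")

# Constructed sample lines modelled on that excerpt (ids and names are made up).
SAMPLE = [
    "YYYY-MM-DDTHH:MM:SS.225Z [tomcat-exec-123 [] INFO  AuthorizationService.AuditLog  opId=] "
    "Action performed by principal(name=VSPHERE.LOCAL\\Administrator,isGroup=false):"
    "Update role Id=1001,Name=Test-Role  ,Description= ,Tenant=Privileges=[Folder.Create]",
    "... Update role Id=1002,Name=Backup-Ops,Description=ok,Tenant=Privileges=[Folder.Create, Folder.Delete]",
    "... Update role Id=1003,Name= Audit,Description= ,Tenant=Privileges=[Alarm.Create]",
    "... Update role Id=1003,Name=Audit,Description= ,Tenant=Privileges=[Alarm.Create]",
]

def name_problems(name):
    """Reasons a role name is unclean: edge whitespace or invisible control/format characters."""
    problems = []
    if name != name.lstrip():
        problems.append("leading whitespace")
    if name != name.rstrip():
        problems.append("trailing whitespace")
    hidden = [c for c in name.strip() if unicodedata.category(c) in ("Cc", "Cf")]
    if hidden:
        problems.append("hidden characters: " + ", ".join(f"U+{ord(c):04X}" for c in hidden))
    return problems

def latest_role_names(lines):
    """Map role id -> (line number, name) from the last audit entry seen for that id."""
    latest = {}
    for lineno, line in enumerate(lines, 1):
        m = ROLE_RE.search(line)
        if m:
            latest[m["id"]] = (lineno, m["name"])
    return latest

def find_bad_roles(lines):
    """Return (id, name, line number, problems) for roles whose latest name is unclean."""
    rows = ((rid, name, n, name_problems(name)) for rid, (n, name) in latest_role_names(lines).items())
    return [row for row in rows if row[3]]

if __name__ == "__main__":
    lines = SAMPLE  # default: constructed sample; pass the log path as the first argument
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    for rid, name, n, problems in find_bad_roles(lines):
        print(f"role Id={rid} Name={name!r} (line {n}): {', '.join(problems)}")
```

Because only the last entry per role id is evaluated, a role that has already been renamed cleanly (Id=1003 in the sample) is no longer reported.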