vSphere Client options are disabled for users with full administrative rights to vCenter Server
search cancel

vSphere Client options are disabled for users with full administrative rights to vCenter Server

book

Article ID: 344551

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Options in vSphere Client (such as powering off an ESX host are) are disabled (greyed out).
  • This issue occurs even if you are logged in with full administrative rights.


Environment

VMware vCenter Server 5.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server 5.1.x
VMware vCenter Server 4.1.x
VMware vCenter Server 4.0.x
VMware VirtualCenter 2.5.x
VMware vCenter Server 5.0.x
VMware vCenter Server 7.0.x

Resolution

vSphere client connections to vCenter servers are authenticated through local or domain Windows accounts.

If you are logged in as a user that is member of the administrators group you have full access to the vCenter Server at every object level by default. If you are member of another group that was granted read only or restrictive rights to a particular object, the most restrictive permission applies on that object, overriding the administrator permission that may have been propagated from a higher level.

 

Permission scenarios:

 

  • Permissions granted at a lower object level take precedence regardless of whether the permission is assigned to a user or a group containing that user.
  • Group permissions assigned at the same level for a given user become a union of permissions
  • Permissions assigned directly to a user take precedence if the user is also part of a group which has been assigned permissions at that same level
  • A user can not be granted multiple permissions or roles directly at the same level. In this case the user's permissions or role will be changed.

 

 

To resolve this issue, isolate the restrictive group or user permission and remove it.

You may need to create a local test user account on the Windows server running the vCenter Server, remove this user from the Windows users group, grant this user the Administrator role within vCenter Server at the highest level, and set the permission to propagate. You can then log in with this test account using the vSphere Client to the vCenter Server and remove any conflicting permissions.

If you have inadvertently set the permissions so that the administrators login no longer has the rights to change permissions at the highest level, see Administrators become read-only in VirtualCenter after read-only users are added (1005680).


Additional Information