After upgrading from ESXi host 8.0.x to 8.0 U3, the VCP check compliance/precheck APIs might fail due to the presence of certain disallowed internal users' permissions in the desired config document.
When users create a new draft, configuration precheck/compliance fails with the errors below.
In the UI, the error may display:
Compliance check failed or skipped on '10.x.x.x'
/profile/esx/authorization/permissions/3/principal
Validation plugin error: Invalid value 'dcui'.
In the /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log:
Task Failed. Error: Error:
--> com.vmware.vapi.std.errors.error
--> Messages:
--> com.vmware.vcIntegrity.lifecycle.ConfigurationCheckComplianceTask.Failure<Compliance check failed or skipped on '10.x.x.x'.>
-->
Task Failed. Error: Error:
--> com.vmware.vapi.std.errors.error
--> Messages:
--> com.vmware.vcIntegrity.lifecycle.DraftConfigurationPrecheckTask.Failure<Draft configuration Precheck task failed or skipped on '10.x.x.x'.>
-->
VMware vCenter Server 8.0 U3
In pre-8.0 U3 ESXi, certain internal users' permissions were considered user configurations. As a result, a desired document generated using such hosts would include these configurations. However, in ESXi 8.0 U3, these internal configurations are no longer treated as user configurations, and validation checks have been implemented to prevent them.
If the desired document had the below internal users' permissions, they would cause validation errors in ESXi 8.0 U3:
There is no resolution at this time.
As a workaround, perform one of the two options.
Option 1:
1: In the vCenter UI, select the Cluster.
2: Click on the Configure tab.
3: Click on Desired State > Configuration.
4: Click on Create draft.
5: Go to Draft and click Run Pre-check. Validation errors will be listed for all the internal users.
6: Remove the problem-causing internal users' permissions from the draft config document.
a: Go to esx → authorization → permissions and click Edit.
b: Select all the internal users present in the draft configuration document from the above-mentioned list. Click Delete and SAVE.
7: Go to Draft and click Run Pre-Check.
Pre-check should not return any errors related to internal users present under permissions settings.
8: Apply the changes made to the draft configuration document.
9: The cluster should be compliant after the changes are applied.
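To see which entries step 6 has to remove before opening the editor, the following added example (not VMware's code) scans a JSON copy of the draft document and reports offending entries in the same path form as the pre-check error. It assumes the document is laid out as the error path /profile/esx/authorization/permissions/3/principal suggests; only 'dcui' is taken from this page, and the other sample values are constructed.

```python
import copy
import json

# Only 'dcui' is named on the page; extend with the users your pre-check reports.
INTERNAL_PRINCIPALS = {"dcui"}
BASE = "/profile/esx/authorization/permissions"

def _permissions(doc):
    """Return the permissions list at profile.esx.authorization, or []."""
    node = doc
    for key in ("profile", "esx", "authorization", "permissions"):
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, list) else []

def find_internal_permissions(doc, internal=INTERNAL_PRINCIPALS):
    """Paths of offending entries, in the form the pre-check error uses."""
    return [f"{BASE}/{i}/principal"
            for i, entry in enumerate(_permissions(doc))
            if isinstance(entry, dict) and entry.get("principal") in internal]

def strip_internal_permissions(doc, internal=INTERNAL_PRINCIPALS):
    """Return a copy of doc without those entries; the input is not modified."""
    cleaned = copy.deepcopy(doc)
    perms = _permissions(cleaned)
    perms[:] = [p for p in perms
                if not (isinstance(p, dict) and p.get("principal") in internal)]
    return cleaned

# Constructed sample: only the key 'principal' and the value 'dcui' come from
# the page; the other principals and the 'role' field are placeholders.
SAMPLE_DOC = json.loads("""
{"profile": {"esx": {"authorization": {"permissions": [
  {"principal": "example-admin",   "role": "placeholder"},
  {"principal": "example-auditor", "role": "placeholder"},
  {"principal": "example-backup",  "role": "placeholder"},
  {"principal": "dcui",            "role": "placeholder"}
]}}}}
""")

if __name__ == "__main__":
    for path in find_internal_permissions(SAMPLE_DOC):
        print("remove before pre-check:", path)
    cleaned = strip_internal_permissions(SAMPLE_DOC)
    print(json.dumps(cleaned, indent=2))
```

Removing an entry shifts the indices of the entries after it, so re-run the scan on the cleaned document rather than reusing the reported paths.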
Option 2:
Note: This will not import the internal users' permissions and will allow any new configuration to be applied.