Search by IP address/VM name fails in the DFW window of NSX-T Global Manager for VIDM/AD integrated users

Article ID: 371928


Products

VMware NSX Networking

Issue/Introduction

  • VMware NSX 4.1.x is in use.
  • The affected user account is either a VIDM integrated user or an AD integrated user. The user has the necessary role and permissions to perform this search operation.
  • The same search that fails from the Global Manager DFW window for a VIDM/AD integrated user works properly when logged in as the 'admin' user.
  • When the failure occurs, logs similar to the following are observed in /var/log/gmanager/gmanager.log on the Global Manager:

Search attempt log using a Domain user:

2024-06-05T02:49:42.711Z INFO http-nio-127.0.0.1-64440-exec-80 RuleQueryBuilder 3977669 - [nsx@6876 comp="global-manager" level="INFO" reqId="6fa1569c-b7e0-490f-b911-2d7ad0cd630f" subcomp="global-manager" username="<[email protected]>"] updateRuleQueryForGroupingObjects groupingObjFilter FirewallFilterDto{filterColumn='SOURCE', filterValue='[10.0.0.0]', filterObjectType='IP', caseSensitive='false'} and firewallType Optional[SecurityPolicy]


Search operation failed:

2024-06-05T02:49:42.716Z ERROR RuleQueryBuilder-46-1 UserInfoUtil 3977669 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP401" level="ERROR" subcomp="global-manager"] User <[email protected]> with groups [] and incoming roles null is not authorized to access API with rbac_feature policy_grouping having required_permission read.

  • All other operations on Global Manager using the same domain user work fine.
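
To check whether a failed search matches this article, the two log entries above can be correlated per user: a DFW search request followed almost immediately by an MP401 denial on policy_grouping with empty groups and null roles. The following Python is an added example, not VMware code; the sample lines, user names, reqId values and the 2-second correlation window are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the gmanager.log excerpts above;
# user names and reqId values are placeholders, not from a real system.
SAMPLE_LOG = """\
2024-06-05T02:49:40.100Z INFO http-nio-127.0.0.1-64440-exec-12 RuleQueryBuilder 3977669 - [nsx@6876 comp="global-manager" level="INFO" reqId="req-0001" subcomp="global-manager" username="admin"] updateRuleQueryForGroupingObjects groupingObjFilter FirewallFilterDto{filterColumn='SOURCE', filterValue='[10.0.0.0]', filterObjectType='IP', caseSensitive='false'} and firewallType Optional[SecurityPolicy]
2024-06-05T02:49:42.711Z INFO http-nio-127.0.0.1-64440-exec-80 RuleQueryBuilder 3977669 - [nsx@6876 comp="global-manager" level="INFO" reqId="req-0002" subcomp="global-manager" username="alice@corp.example"] updateRuleQueryForGroupingObjects groupingObjFilter FirewallFilterDto{filterColumn='SOURCE', filterValue='[10.0.0.0]', filterObjectType='IP', caseSensitive='false'} and firewallType Optional[SecurityPolicy]
2024-06-05T02:49:42.716Z ERROR RuleQueryBuilder-46-1 UserInfoUtil 3977669 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP401" level="ERROR" subcomp="global-manager"] User alice@corp.example with groups [] and incoming roles null is not authorized to access API with rbac_feature policy_grouping having required_permission read.
2024-06-05T03:10:00.000Z ERROR RuleQueryBuilder-47-1 UserInfoUtil 3977669 SYSTEM [nsx@6876 comp="global-manager" errorCode="MP401" level="ERROR" subcomp="global-manager"] User bob@corp.example with groups [] and incoming roles null is not authorized to access API with rbac_feature policy_grouping having required_permission read.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z "
# DFW search request: who searched, and for which filter value and type.
SEARCH = re.compile(TS + r'INFO \S+ RuleQueryBuilder .*?username="(?P<user>[^"]+)".*?'
                    r"filterValue='\[(?P<value>[^\]]*)\]', filterObjectType='(?P<kind>\w+)'")
# Authorization failure with empty groups and null roles on policy_grouping.
DENIED = re.compile(TS + r'ERROR .*?errorCode="MP401".*?User (?P<user>.+?) with groups \[\] '
                    r"and incoming roles null is not authorized .*?rbac_feature policy_grouping ")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f")

def find_failed_searches(log_text, window=timedelta(seconds=2)):
    """Pair each MP401 denial with the same user's DFW search logged just before it."""
    last_search = {}  # user -> (timestamp, filter value, filter type)
    findings = []
    for line in log_text.splitlines():
        m = SEARCH.match(line)
        if m:
            last_search[m["user"]] = (parse_ts(m["ts"]), m["value"], m["kind"])
            continue
        m = DENIED.match(line)
        if not m or m["user"] not in last_search:
            continue  # unrelated line, or a denial with no search to explain it
        when, value, kind = last_search[m["user"]]
        # The window is an assumption; the excerpts above are 5 ms apart.
        if timedelta(0) <= parse_ts(m["ts"]) - when <= window:
            findings.append({"time": m["ts"], "user": m["user"],
                             "filter_type": kind, "filter_value": value})
    return findings

if __name__ == "__main__":
    for hit in find_failed_searches(SAMPLE_LOG):
        print(hit)
```

In the constructed sample only the second user's search is reported: the 'admin' search has no denial after it, and the last denial has no preceding search from the same user.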

Environment

VMware NSX 4.1.x

Cause

Permission evaluation fails during IP address/VM name search operations on Global Manager.

Resolution

There is currently no resolution for this issue. A fix will be included in a future NSX release.

 

Workaround

Users can use the site-switcher in the Global Manager UI to navigate to the individual Local Managers and search on the DFW page of the Local Manager directly. Alternatively, the local user "admin" on Global Manager can be used to perform this search operation successfully.