Identity providers not displaying: “you have no privileges to view this object” error when logged in as administrator@vsphere.local.

Article ID: 379710


Products

VMware vCenter Server
VMware vCenter Server 7.0
VMware vCenter Server 8.0

Issue/Introduction

  • Identity providers are not displayed; the UI reports that you do not have permission to view them.
  • In the Administration | Roles view, the UI commands (New, Clone, Edit, Delete) are greyed out.
  • In the GUI, the Administrator account is shown as a member of the Administrators group with the Administrator role assigned, yet the identity providers are not visible.
  • Role provider options are also greyed out in the vSphere Web UI.

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

  • The Administrator account has been assigned role ID -2, which denotes read-only access. It should be assigned role ID -1, which grants full administrative privileges.

Verification:

  • Export the vCenter directory to an ldif file (the -W option prompts for the Administrator password):
    /opt/likewise/bin/ldapsearch -b "dc=vsphere,dc=local" -s sub -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W > "$(hostname)_$(date +%d-%m-%Y).ldif"
  • Open the ldif file with less and search for the value: cn=VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions
  • Under that entry, look for vmwAuthzPermissionRoleId; if the value is -2, the account has read-only access.
  • Role ID list:
  • A test user was created under the Administrators group and assigned the Administrator role. When logged in as the test user, the identity providers were visible.

Sample output:

The following was identified from the ldif file:
# VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions, AclModel, VmwAuthz, services, vsphere.local
dn: cn=VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
vmwAuthzPermissionRoleId: -2
vmwAuthzPermissionPropagate: TRUE
vmwAuthzPermissionVersion: 0
vmwAuthzPrincipalGroup: FALSE
vmwAuthzPrincipalName: VSPHERE.LOCAL\Administrator
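As an added example (not part of the KB article), the check described above can be run over the whole exported ldif instead of searching it by hand: the script below parses LDIF (unfolding continuation lines and decoding "::" base64 values) and lists every principal whose global-permission entry carries role ID -2. The sample ldif is constructed in the shape of the export shown above; its nTSecurityDescriptor value is a placeholder, not a real descriptor.

```python
import base64

# Constructed sample in the shape of the vCenter ldif export discussed above.
# The nTSecurityDescriptor value is a made-up placeholder, not a real descriptor.
SAMPLE_LDIF = """\
# VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions, AclModel, VmwAuthz, services, vsphere.local
dn: cn=VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
nTSecurityDescriptor:: cGxhY2Vob2xkZXIt
 ZGVzY3JpcHRvcg==
vmwAuthzPermissionRoleId: -2
vmwAuthzPrincipalName: VSPHERE.LOCAL\\Administrator

dn: cn=VSPHERE.LOCAL%5Ctestuser@false@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
vmwAuthzPermissionRoleId: -1
vmwAuthzPrincipalName: VSPHERE.LOCAL\\testuser
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (attribute names matched case-sensitively)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # leading space = continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                  # comment line
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        current.setdefault(attr, []).append(value.strip())
    return entries

def readonly_global_permissions(text):
    """Return principals whose global-permission entry carries role ID -2 (read-only)."""
    flagged = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        if "urn%3Aacl%3Aglobal%3Apermissions" in dn and entry.get("vmwAuthzPermissionRoleId", [""])[0] == "-2":
            flagged.append(entry.get("vmwAuthzPrincipalName", [dn])[0])
    return flagged
```

Run it against a real export by reading the ldif file into a string and passing it to readonly_global_permissions; an empty list means no global permission is pinned to the read-only role.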

Resolution

  • Take a snapshot of the vCenter VM.
  • Log in to the vCenter Server Appliance using SSH as the root user.
  • Type shell and press Enter.
  • Reset the SSO password for administrator@vsphere.local:
      • Run /usr/lib/vmware-vmdir/bin/vdcadmintool.
      • Press 3 to select the Reset account password option.
      • When prompted for the Account UPN, enter:
        User@vSphere_Domain_Name.local (for example, administrator@vsphere.local)
      • A new password is generated.
  • Delete the global permission assigned to the Administrator account by running the following command (substitute the newly generated SSO password for New_SSO_Password):
    /opt/likewise/bin/ldapdelete -r "cn=VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w "New_SSO_Password"
  • Restart the vCenter services: run service-control --stop --all, then service-control --start --all.