HCX Connector fails to modify default role mappings in the on-premises environment. Specifically:

• Unable to change default HCX Administrator User Groups
• Attempts to modify from vsphere.local\Administrators to custom domain configurations fail
• System returns HTTP 500 error when attempting role mapping modifications
• Error appears when accessing the role mapping API endpoint

• VMware HCX Connector (on-premises deployment)
• vSphere SSO configuration of default HCX Administrator User Groups

The primary cause of role mapping modification failures is insufficient permissions

1. vCenter registration account lacks required privileges
2. Account not configured as member of vSphere SSO Administrators group
3. Default permissions preventing role mapping modifications
4. Server-side authorization failures (indicated by HTTP 500 response) or provider mismatch (misaligned PSC and vCenter)
5. Misalignment between SSO configuration and HCX permissions

Primary Solution Steps

• Verify vCenter registration account permissions
• Add account to vSphere SSO Administrators group
• Validate account has full administrative privileges
• Retry role mapping modification after permission update

Verification Process

• Confirm account membership in SSO Administrators group
• Test role mapping modification
• Verify successful change from default vsphere.local\Administrators
• Ensure new domain administrators group is properly recognized

Best Practices for Role Mapping Configuration

• Always use accounts with appropriate SSO Administrator privileges
• Verify SSO configuration before attempting role mapping changes
• Maintain proper documentation of administrative accounts
• Follow principle of least privilege for non-administrative users
• Regular audit of role mappings and permissions

Note: Ensuring proper vSphere SSO Administrator group membership and alignment between vCenter and SSO provider settings is crucial for successful role mapping modifications in HCX Connector deployments.