Unpublishing the Organization Administrator role from all or any tenants fails in VMware Cloud Director

Article ID: 388111


Products

VMware Cloud Director

Issue/Introduction

  • In VMware Cloud Director (VCD) 10.5.x, unpublishing the Organization Administrator role from all or any tenants shows the following error:

    Error: Unable to delete entity, as it is still in use

  • In VCD 10.6, the same action shows the following error: 

    Error: This role is currently assigned to one or more users or groups in org(s): ###########1, ###########2. You must reassign them before unpublishing this role.

  • The stack trace in the browser logs has the following entries:
    VCD 10.5:
    {
        "minorErrorCode": "VCD_50034",
        "message": "Unable to delete entity, as it is still in use",
        "stackTrace": "com.vmware.vcloud.api.rest.toolkit.exceptions.BadRequestRestApiException: Unable to delete entity, as it is still in use\n\tat com.vmware.vcloud.api.rest.openapi.impl.rbac.GlobalRolesApiHandler.postGlobalRoleUnpublishAll(GlobalRolesApiHandler.java:395)\n\tat java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat 

    VCD 10.6:
    {
        "minorErrorCode": "VCD_50249",
        "message": "This role is currently assigned to one or more users or groups in org(s): ###########1, ###########2. You must reassign them before unpublishing this role.",
        "stackTrace": "com.vmware.vcloud.api.rest.toolkit.exceptions.BadRequestRestApiException: This role is currently assigned to one or more users or groups in org(s): ###########1, ###########2. You must reassign them before unpublishing this role.\n\tat com.vmware.ssdc.backend.dao.rbac.impl.GlobalRolesPublishingDaoImpl.additionalUpdateSteps(GlobalRolesPublishingDaoImpl.java:75)\n\tat com.vmware.ssdc.backend.dao.rbac.impl.GlobalRolesPublishingDaoImpl.additionalUpdateSteps(GlobalRolesPublishingDaoImpl.java:51)\n\tat com.vmware.ssdc.backend.dao.rbac.impl.GlobalRolesPublishingDaoImpl.additionalUnpublishAllSteps(GlobalRolesPublishingDaoImpl.java:44)\n\tat com.vmware.ssdc.backend.dao.rbac.impl.RightsMappingPublishingDaoImpl.updateMappingForTenants(RightsMappingPublishingDaoImpl.java:176)\n\tat com.vmware.ssdc.backend.dao.rbac.impl.RightsMappingPublishingDaoImpl.unpublishMappingFromAllTenants(RightsMappingPublishingDaoImpl.java:128)\n\tat

Environment

VMware Cloud Director 10.5.x

VMware Cloud Director 10.6.x

Cause

As the error states, a role cannot be unpublished from tenants if there are users still assigned to that role.

Resolution

To resolve the issue, the users that are still assigned the role need to be assigned a new role or deleted.

The users with the role can be identified from the database:

  1. Log in as root to the console of one of the appliances, either directly or by using an SSH client. Connect to the vcloud database with:

    sudo -u postgres psql vcloud

  2. List the users that hold the role 'Organization Administrator' in a given organization:

    select role.role_id,org.name,orgmem.member_name as username,usr.username as name 
    from role 
    left join organization org on org.org_id=role.org_id
    left join org_member orgmem on orgmem.app_role_id=role.role_id 
    left join usr on usr.user_id=orgmem.member_id
    where role.name='Organization Administrator' and org.name='<Organization Name>';

  3. From the tenant portal, change the role of the user or delete the user.
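
When the role is being unpublished from all tenants, and in particular on 10.5.x where the error does not name the organizations, the query from step 2 can be widened to every organization at once. The following is an added example, not part of the original article; it assumes only the tables and columns used in the query above and is run in the same psql session.

```sql
-- Added example (not from the KB article): list every remaining assignment of
-- the 'Organization Administrator' role across all organizations.
-- Uses only tables/columns that appear in the article's own query.
-- Inner joins on organization and org_member drop organizations where nobody
-- holds the role, so each returned row is an assignment that still has to be
-- changed or removed before the unpublish can succeed.
select org.name                                as org_name,
       orgmem.member_name                      as member_name,
       usr.username                            as username,  -- null if the member has no matching row in usr
       count(*) over (partition by org.org_id) as assignments_in_org
from role
join organization org  on org.org_id = role.org_id
join org_member orgmem on orgmem.app_role_id = role.role_id
left join usr          on usr.user_id = orgmem.member_id
where role.name = 'Organization Administrator'
order by org.name, orgmem.member_name;
```

An empty result means no organization has the role assigned any more; otherwise work through the listed members in the tenant portal as in step 3 and re-run the query.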