Users with Administrator Role Unable to Manage SSO 'Users and Groups' Tab - "You have no privileges to view this object"
search cancel

Users with Administrator Role Unable to Manage SSO 'Users and Groups' Tab - "You have no privileges to view this object"

book

Article ID: 391733

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Administrators often encounter an issue in vCenter 8 where Single Sign-On (SSO) user accounts, even when assigned the "Administrator" role at the Global Permissions level, cannot view or manage the "Users and Groups" tab within the Single Sign-On (SSO) configuration domain (typically found under Administration -> Single Sign On -> Users and Groups).
  • Affected users receive a "You have no privileges to view this object" error when attempting to access this specific section, despite being able to perform other administrative tasks across vCenter Server.
  • This capability is usually only seen with the default [email protected] account, leading to confusion about the required permissions.
  • This can be seen in several places including Users and Groups and System Configuration.

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

The SSO group was missing in the Administrators group. While an SSO user or group might have the "Administrator" role assigned in vCenter's Global Permissions which grants them broad control over vCenter objects (VMs, hosts, clusters), this role does not inherently grant permissions to manage the SSO domain itself.

Resolution

The SSO user account or, more commonly, the SSO group to which the user belongs, must be explicitly added as a member of the built-in "Administrators" group within the relevant vCenter Single Sign-On domain (e.g., vsphere.local).

Perform the below steps:

  1. Log in to the vSphere Client using the [email protected] account or another account that is already a member of the SSO domain's "Administrators" group.
  2. Navigate to Menu > Administration.
  3. Under Single Sign On, click on Users and Groups.
  4. Select the Groups tab.
  5. Ensure the correct domain (e.g., vsphere.local) is selected.
  6. Find and select the Administrators group.
  7. Click Edit (or an equivalent option like "Add Members," depending on the UI version).
  8. Add the desired SSO user or SSO group (that already has the vCenter Administrator role) to this "Administrators" group.
  9. Save the changes.

Affected users will likely need to log out and log back into the vSphere Client for the new group membership and associated permissions to take effect.

Powered by Wolken Software