• When attempting to edit previously created security groups you are presented with the below errors or blocks to editing within the GUI.
  • When accessing the service group via a firewall rule source or destination selection page the edit option is greyed and unclickable with the hover message : "You do not have permission to perform some operations on this object".
  • When browsing to Inventory > Groups the group is viewable however there is a banner message on the group stating: "You do not have permission to edit below content".
• Issue may occur with any security group bound to firewall rules at time of upgrade.

VMware NSX 4.1.X

This occurs due to a change in the way security group permissions are checked and validated within this version. Previously existing security groups that are bound to firewall rules may become uneditable with the above symptoms. 

This issue is resolved in VMware NSX 4.2.1, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround

• Create a new group containing the old group criteria, only currently existing groups are impacted.
  
  
• Alternatively the group may be edited by API to push the same config by carrying out the following API calls:

1. 1. 1. GET /infra/domains/<domain-id>/groups/<group-id>

      2. Copy the body of the response from the above get into the body of the a request.
      3. PUT /infra/domains/<domain-id>/groups/<group-id>