AD authenticated user with Administrator privilege on vCenter is unable to view Cluster image on Lifecycle Manager > Updates due to conflicting privileges

Article ID: 431483


Products

VMware vCenter Server

Issue/Introduction

  • Active Directory (AD) authenticated users with Administrator privileges on vCenter Server are unable to see the Image section when navigating to Lifecycle Manager > Updates tab on one or more image-based clusters as shown below:



    On the other unaffected clusters, the Image section is accessible as shown below:



  • When navigating from the same Image section of Updates tab on an unaffected cluster to the affected cluster(s) to view the image, the following message is encountered in the vSphere Client:



  • Reviewing /var/log/vmware/vpxd/vpxd.log confirms that the affected user is a member of multiple AD groups, as listed in the SAML token returned by the identity provider during login:

YYYY-MM-DDThh:mm:ss info vpxd[11###47] [Originator@6876 sub=User opID=<op_id>] Login token: SamlToken [subject={Name: <USER_NAME>; Domain:<DOMAIN_NAME>}, groups=[{Name: <GROUP_NAME_1>; Domain:<DOMAIN_NAME>},{Name: <GROUP_NAME_2>; Domain:<DOMAIN_NAME>}.........type=Saml_HOK]

Environment

  • vCenter 8.x
  • vCenter 9.x

Cause

The affected user belongs to multiple Active Directory (AD) groups that are mapped to conflicting roles on the affected cluster(s).

Explicit permissions defined at lower levels of the vSphere inventory hierarchy (e.g., the cluster level) override permissions inherited from higher levels (e.g., the datacenter level). In this scenario, one of the user's AD groups is assigned a role directly at the cluster level that has fewer privileges, and this explicit assignment supersedes the broader Administrator permissions inherited from the datacenter or vCenter level. Because the explicitly assigned role lacks the VMware vSphere Lifecycle Manager > Lifecycle Manager: Image Remediation and Lifecycle Manager: Image privileges, access to the Image section of the Updates tab is blocked.

Resolution

Work with your Active Directory domain administrator to review the group memberships of the affected user and identify the conflicting AD group(s) that carry a lower-privileged role explicitly assigned at the cluster level in the vCenter Server permissions structure.

To resolve the overlapping privileges, use whichever of the following methods is feasible and appropriate for the affected user's domain account configuration:

  • Have the Active Directory domain administrator remove the affected user from the conflicting AD group.

  • Modify the custom role assigned to the conflicting AD group to add the VMware vSphere Lifecycle Manager > Lifecycle Manager: Image Remediation and Lifecycle Manager: Image privileges.
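As an added example (not part of this KB article and not VMware's own tooling), the following PowerCLI script performs the review described above: it lists the permissions defined directly on a cluster, reports which of them lack the two Lifecycle Manager image privileges named in the Cause section, optionally cross-checks the group principals against the affected user's AD group memberships, and can apply the second remediation option (extending the role) after an interactive confirmation. The parameters $vCenter, $ClusterName and $UserSamAccountName are placeholders. The script assumes VMware PowerCLI is installed (and the ActiveDirectory module for the optional cross-check), that Get-VIPermission -Entity returns entries whose EntityId equals the cluster's Id for permissions defined directly on the cluster, and that vCenter reports AD principals as DOMAIN\name.

```powershell
<#
  Added diagnostic example; not part of the KB article or of VMware's tooling.
  Assumes: VMware PowerCLI is installed; the connecting account can read
  permissions and roles; the ActiveDirectory module is present if the optional
  AD cross-check is used. $vCenter, $ClusterName and $UserSamAccountName are
  placeholders supplied by the operator.
#>
param(
    [Parameter(Mandatory)] [string] $vCenter,
    [Parameter(Mandatory)] [string] $ClusterName,
    [string] $UserSamAccountName,        # optional: AD user to cross-check
    [switch] $AddMissingPrivileges       # optional: apply remediation option 2
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $vCenter -ErrorAction Stop | Out-Null

$cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop

# Display names of the privileges the KB says the cluster-level role must carry.
$requiredPrivs = @('Lifecycle Manager: Image', 'Lifecycle Manager: Image Remediation')

# Optional: group memberships of the affected user. Assumption: vCenter reports
# the principal as DOMAIN\samAccountName, so the part after the backslash is
# compared with the AD group's SamAccountName.
$userGroups = @()
if ($UserSamAccountName) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $userGroups = @((Get-ADPrincipalGroupMembership -Identity $UserSamAccountName).SamAccountName)
}

# Permissions defined directly on the cluster (EntityId equal to the cluster's Id).
# These explicit entries are the ones that override roles inherited from the
# datacenter or vCenter level.
$explicit = Get-VIPermission -Entity $cluster | Where-Object { $_.EntityId -eq $cluster.Id }

foreach ($perm in $explicit) {
    $role      = Get-VIRole -Name $perm.Role
    $privNames = @(Get-VIPrivilege -Role $role | ForEach-Object Name)
    $missing   = @($requiredPrivs | Where-Object { $privNames -notcontains $_ })

    $shortName    = ($perm.Principal -split '\\')[-1]
    $userIsMember = $perm.IsGroup -and ($userGroups -contains $shortName)

    # One row per explicit assignment; a non-empty MissingImagePrivileges value
    # marks a role that blocks the Image section for its members.
    [pscustomobject]@{
        Principal              = $perm.Principal
        IsGroup                = $perm.IsGroup
        Role                   = $perm.Role
        Propagate              = $perm.Propagate
        MissingImagePrivileges = ($missing -join '; ')
        AffectedUserIsMember   = $userIsMember
    }

    # Remediation option 2 from the KB: add the missing privileges to the role
    # assigned to the conflicting group. Set-VIRole prompts before changing it.
    if ($AddMissingPrivileges -and $perm.IsGroup -and $missing.Count -gt 0) {
        $privs = Get-VIPrivilege -Name $missing
        Set-VIRole -Role $role -AddPrivilege $privs -Confirm:$true | Out-Null
    }
}

Disconnect-VIServer -Confirm:$false
```

Run it against each affected cluster and compare with an unaffected one: on the affected cluster, a row whose MissingImagePrivileges value is non-empty and whose AffectedUserIsMember is True is the explicit cluster-level assignment described in the Cause section. Whether the fix belongs in AD (option 1) or in the vCenter role (option 2) depends on whether the group's lower-privileged role is intended for its other members; the -AddMissingPrivileges switch only covers option 2.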

Additional Information

Some vCenter Operations Not Available for AD Users Despite Administrator Role