Administrator access is downgraded to read-only in vCenter after read-only users are added
Article ID: 344194

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
After adding read-only users to vCenter Server:
  • Members of vCenter Server Administrators are restricted to read-only permissions.
  • You cannot perform administrative tasks.
  • When attempting to log in to vCenter Server using the thick client, you see the error:

    You do not have permission to login to the server


Environment

VMware vCenter Server 5.0.x
VMware vCenter Server 4.0.x
VMware vCenter Server 4.1.x
VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x
VMware VirtualCenter 2.5.x

Resolution

If a user is a member of more than one Active Directory group and one of these groups is configured with a read-only role on an object (for example, an ESX host), the read-only permission is applied to that object despite the presence of an Administrator permission that has been propagated from a higher level.
If the read-only permission is applied at the highest level, administrators may not have the access rights to remove this permission.
Note: This resolution involves SQL database operations, so it is recommended only for users who are familiar with database concepts and who have adequate backups before proceeding. If you are unsure about performing these steps, file a support request with VMware Support and note this KB Article ID in the problem description. For more information on filing a support request, see How to Submit a Support Request.
To restore your vCenter Server database or modify the VPX_Access table in the database to remove the read only permission:
  1. Click Start > Run on the vCenter Server.
  2. Type services.msc and click OK.
  3. Right-click the VMware VirtualCenter Server service and select Stop.
  4. Open SQL Server Management Studio.
  5. In the Server name field, enter the name of the SQL server where the vCenter Server database is hosted.
  6. Authenticate with an account that has database owner (dbo) permissions on the vCenter Server database.
  7. Click Databases.
  8. Click the vCenter Server database.

    Note: Refer to your ODBC System DSN configuration if you do not know what database you are using.

  9. Click Tables.
  10. Right-click the dbo.VPX_Access table and select Open table.

    Note: In SQL Server 2008, Open table has been replaced with Edit Top 200 Rows.
    Note: dbo.VPX_Access may have been renamed if you are using a custom schema.

  11. Change the ROLE_ID value for all rows whose principal is Users from -2 (read-only) to -1 (Administrator). This gives members of Users the rights of an Administrator in vCenter Server.
  12. From the Service Control Manager, restart the VirtualCenter Server service.
  13. Log in to vCenter Server with VMware vSphere Client and remove permissions involving Users.
Note: To assign read-only permissions, create a new security group and add the relevant users to it. This new group can then be used to assign permissions in vCenter Server.
Note: In the vpx_access table, the FLAG column value defines propagation as follows:
0 - when you have assigned a role to a USER on an entity, without choosing Propagate to Child Objects
1 - when you have assigned a role to a USER on an entity, choosing Propagate to Child Objects
2 - when you have assigned a role to a GROUP on an entity, without choosing Propagate to Child Objects
3 - when you have assigned a role to a GROUP on an entity, choosing Propagate to Child Objects
For Oracle, you can perform the following steps:
  1. Log in to the Oracle database using SQL*Plus with the vCenter database user.

    Note: As a best practice, shut down the vCenter Server service before making changes and ensure there is an up-to-date, full backup of the vCenter Server database.

  2. Run the following command in SQL*Plus:

    select * from vpx_access

  3. Check the value of the ROLE_ID column (-1 is the Administrator role, -2 is read-only).
  4. To modify the privilege, run the following command (the original article shows a mixed INSERT/UPDATE statement that Oracle rejects; this is the equivalent UPDATE, which changes only the ROLE_ID of the named principal):

    update vpx_access set ROLE_ID = -1 where PRINCIPAL = 'Administrator';

  5. To add a user, run this command (ID 100 must be a value not already used in the table; ENTITY_ID 1 is the root object and FLAG 1 means a user assignment with propagation):

    insert into vpx_access (ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG) values ('100', 'ACME\JSMITH', '-1', '1', '1');

  6. To commit the changes, run the following command:

    commit;

  7. Restart the VMware VirtualCenter Server service.
  8. Log in to vCenter Server again.
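The Oracle steps above change rows by principal name without first showing which read-only entries are overriding the propagated Administrator role. The following SQL*Plus session is an added example, not part of the original article: it lists every read-only row with the FLAG value decoded using the meanings given in the note above, promotes only the read-only rows of one named group, and checks the result before committing. The group name 'ACME\Domain Users' is a constructed placeholder; the column names are the ones the article uses.

```sql
-- Added example, not from the original KB article. Assumes the vpx_access
-- columns named in the article: ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG.
-- 'ACME\Domain Users' is a constructed placeholder for the AD group whose
-- read-only permission is overriding the propagated Administrator role.

-- 1. Inventory: every read-only (-2) row, with ROLE_ID and FLAG decoded,
--    so the principal/entity pair causing the downgrade is visible.
SELECT id,
       principal,
       entity_id,
       CASE role_id WHEN -1 THEN 'Administrator'
                    WHEN -2 THEN 'Read-only'
                    ELSE TO_CHAR(role_id) END AS role_name,
       CASE flag WHEN 0 THEN 'user, no propagate'
                 WHEN 1 THEN 'user, propagate'
                 WHEN 2 THEN 'group, no propagate'
                 WHEN 3 THEN 'group, propagate'
                 ELSE 'unknown' END AS assignment
  FROM vpx_access
 WHERE role_id = -2
 ORDER BY entity_id, principal;

-- 2. Targeted change: only the read-only rows of the offending group are
--    promoted to Administrator; rows that are already -1 are not touched.
UPDATE vpx_access
   SET role_id = -1
 WHERE principal = 'ACME\Domain Users'
   AND role_id   = -2;

-- 3. Verify before committing: the remaining read-only count for that
--    principal must be 0. If it is not, run ROLLBACK instead of COMMIT.
SELECT COUNT(*) AS remaining_read_only
  FROM vpx_access
 WHERE principal = 'ACME\Domain Users'
   AND role_id   = -2;

COMMIT;
```

After the commit, restart the VirtualCenter Server service and remove the group's permission through the vSphere Client, as in step 13 of the SQL Server procedure, so the database is not edited by hand again.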


Additional Information

Diagnosing the vSphere/Virtual Infrastructure Client when it fails to connect to vCenter Server/VirtualCenter
Administrator access is downgraded to read-only in vCenter after read-only users are added (Japanese version)
Administrator access is downgraded to read-only in vCenter after read-only users are added (Chinese version)