If a user is a member of more than one Active Directory group and one of these groups is configured with a Read-only role on an object (for example, an ESX host), the Read-only permission is applied to that object despite the presence of an Administrator permission that has been propagated from a higher level.
If the Read-only permission is applied at the highest level, administrators may not have the access rights to remove this permission.
Note: This Resolution deals with SQL database operations, so it is recommended only for users who are familiar with database concepts and who have adequate backups before proceeding. If you are unsure about performing these steps, file a support request with VMware Support and note this KB Article ID in the problem description. For more information on filing a support request, see How to Submit a Support Request.
To restore your vCenter Server database, or to modify the VPX_Access table in the database to remove the Read-only permission:
- Click Start > Run on the vCenter Server.
- Type services.msc and click OK.
- Right-click the VMware VirtualCenter Server service and select Stop.
- Open SQL Server Management Studio.
- In the Server name field, enter the name of the SQL server where the vCenter Server database is hosted.
- Authenticate with an account that has database owner (dbo) permissions on the vCenter Server database.
- Click Databases.
- Click the vCenter Server database.
Note: Refer to your ODBC System DSN configuration if you do not know which database vCenter Server is using.
- Click Tables.
- Right-click the dbo.VPX_Access table and select Open table.
Note: In SQL Server 2008, Open table has been replaced with Edit Top 200 Rows.
Note: dbo.VPX_Access may have a different name if you are using a custom schema.
- Change the ROLE_ID for all rows whose PRINCIPAL is Users from -2 (Read-only) to -1 (Administrator). This gives members of Users the rights of an Administrator in vCenter Server.
- From the Service Control Manager, restart the VMware VirtualCenter Server service.
- Log in to vCenter Server with the VMware vSphere Client and remove the permissions involving Users.
Note: To assign read-only permissions, create a new security group and add the relevant users to it. This new group can then be used to assign permissions in vCenter Server.
Note: In the vpx_access table, the FLAG column value records whether the role was assigned to a user or a group and whether it propagates, as follows:
0 - when you have assigned a role to a USER on an entity, without choosing Propagate to Child Objects
1 - when you have assigned a role to a USER on an entity, choosing Propagate to Child Objects
2 - when you have assigned a role to a GROUP on an entity, without choosing Propagate to Child Objects
3 - when you have assigned a role to a GROUP on an entity, choosing Propagate to Child Objects
For Oracle, you can perform the following steps:
- Log in to the Oracle database using SQL*Plus with the vCenter database user.
Note: As a best practice, it is recommended to shut down the vCenter Server service before making changes and to ensure there is an up-to-date, full backup of the vCenter Server database.
- Run the following command in SQL*Plus:
select * from vpx_access;
- Check the ROLE_ID value of each row (-1 is the Administrator role, -2 is Read-only).
- To modify the privilege, run the following command:
update vpx_access set ROLE_ID = -1, ENTITY_ID = 1, FLAG = 1 where ID = 32 and PRINCIPAL = 'Administrator';
- To add a user, run this command (use an ID value that is not already present in the table):
insert into vpx_access (ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG) values (100, 'ACME\JSMITH', -1, 1, 1);
- To commit the changes, run the following command:
commit;
- Restart the VMware VirtualCenter Server service.
- Log in to vCenter Server again.
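The following is an added example, not part of the original KB article, showing how an administrator can audit the vpx_access table before changing it and then correct a single offending row, for either the SQL Server or the Oracle procedure above. The column names are the ones the article uses; the row ID (32), the principal name ('ACME\Domain Users') and the entity ID (1) are constructed sample values and must be replaced with those returned by the audit query on your own database.

```sql
-- Added example (not the KB's own statements): audit, then correct, a
-- Read-only group permission in vpx_access. Row values are constructed.

-- 1. Audit: list every Read-only (-2) permission and decode the FLAG column.
--    A group entry (FLAG 2 or 3) on the root entity is the problem case the
--    KB describes, because it overrides a propagated Administrator role.
SELECT ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG,
       CASE FLAG
            WHEN 0 THEN 'user, no propagate'
            WHEN 1 THEN 'user, propagate'
            WHEN 2 THEN 'group, no propagate'
            WHEN 3 THEN 'group, propagate'
            ELSE 'unknown'
       END AS flag_meaning
  FROM vpx_access
 WHERE ROLE_ID = -2
 ORDER BY ENTITY_ID, PRINCIPAL;

-- 2. Record the row you are about to change and keep the output with your
--    database backup (ID 32 is a constructed value from the audit above).
SELECT ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG
  FROM vpx_access
 WHERE ID = 32
   AND PRINCIPAL = 'ACME\Domain Users';

-- 3. Correct only that row, keyed by its ID and current role, rather than
--    every row for the principal. -1 is the Administrator role; the KB's
--    final step then removes the permission through the vSphere Client.
UPDATE vpx_access
   SET ROLE_ID = -1
 WHERE ID = 32
   AND ROLE_ID = -2;

-- 4. Verify: expect exactly one row, now with ROLE_ID = -1.
SELECT ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG
  FROM vpx_access
 WHERE ID = 32;

-- 5. Oracle only: make the change durable. In SQL Server Management Studio
--    the UPDATE is committed automatically unless you opened BEGIN TRANSACTION.
COMMIT;
```

Keying the UPDATE on both ID and the current ROLE_ID means re-running the statement by mistake changes nothing, and the audit query's FLAG decoding lets you confirm you are touching a group assignment rather than a per-user one before editing anything.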