Administrator access is downgraded to read-only in vCenter after read-only users are added (1005680)

Symptoms

After adding read-only users to vCenter Server:
  • Members of vCenter Server Administrators are restricted to read-only permissions.
  • You cannot perform administrative tasks.
  • When attempting to log in to vCenter Server using the thick client, you see the error:

    You do not have permission to login to the server

Resolution

If a user is a member of more than one Active Directory group and one of these groups is assigned a read-only role directly on an object (for example, an ESX host), the read-only permission applies to that object even though an Administrator permission has been propagated down from a higher level. A permission defined directly on an object overrides one inherited from its parent.

If the read-only permission is assigned at the top of the inventory, administrators may no longer have the rights to remove it through the vSphere Client, which is why the database has to be corrected directly.

Note: This resolution involves SQL database operations, so it is recommended only for users who are familiar with database concepts and who have taken an adequate backup before proceeding. If you are unsure about performing these steps, file a support request with VMware Support and note this KB article ID in the problem description. For more information on filing a support request, see How to Submit a Support Request.

To remove the read-only permission, either restore the vCenter Server database from a backup taken before the permission was added, or modify the VPX_ACCESS table directly as follows:
  1. Click Start > Run on the vCenter Server.
  2. Type services.msc and click OK.
  3. Right-click the VMware VirtualCenter Server service and select Stop.
  4. Open SQL Server Management Studio.
  5. In the Server name field, enter the name of the SQL server where the vCenter Server database is hosted.
  6. Authenticate with an account that has database owner (dbo) permissions on the vCenter Server database.
  7. Click Databases.
  8. Click the vCenter Server database.

    Note: Refer to your ODBC System DSN configuration if you do not know what database you are using.

  9. Click Tables.
  10. Right-click the dbo.VPX_Access table and select Open table.

    Note: In SQL Server 2008 Management Studio, Open table has been replaced with Edit Top 200 Rows.
    Note: The dbo. prefix of dbo.VPX_Access is different if the database uses a custom schema.

  11. In the ROLE_ID column, change every row whose PRINCIPAL is Users from -2 (read-only) to -1 (Administrator). This temporarily gives members of Users the rights of an Administrator in vCenter Server, which is cleaned up in the next steps.
  12. From the Service Control Manager, start the VMware VirtualCenter Server service again.
  13. Log in to vCenter Server with the VMware vSphere Client and remove the permissions assigned to Users.

Note: To assign read-only permissions, create a new security group containing only the relevant users and assign the read-only role to that group rather than to Users, so that administrators who also belong to Users are not affected.
 
Note: In the VPX_ACCESS table, the ROLE_ID column holds -1 for the Administrator role and -2 for the Read-only role, and the FLAG column records the principal type and whether the permission propagates:
  0 - role assigned to a USER on an entity, without Propagate to Child Objects
  1 - role assigned to a USER on an entity, with Propagate to Child Objects
  2 - role assigned to a GROUP on an entity, without Propagate to Child Objects
  3 - role assigned to a GROUP on an entity, with Propagate to Child Objects
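The following script is an added example for this article, not part of the original KB text: it performs the SQL Server inspection and repair above as a single T-SQL script instead of by hand in the Edit Rows grid. It assumes the default dbo schema, that the VMware VirtualCenter Server service is already stopped and the database backed up, and that the principal that received the read-only role is stored as Users in the PRINCIPAL column; substitute whatever name the first query actually shows. The @principal variable and the decoded column names are this example's own.

```sql
-- Added example for KB 1005680 (not from the original article): inspect and
-- repair dbo.VPX_ACCESS on SQL Server after a read-only role assigned to the
-- Users group has locked administrators out.
-- Assumptions: default dbo schema, VirtualCenter service stopped, database
-- backed up, offending PRINCIPAL stored as 'Users'.
-- ROLE_ID: -1 = Administrator, -2 = Read-only.
-- FLAG:    0/1 = user, 2/3 = group; 1/3 = Propagate to Child Objects set.

-- 1. Decode every permission row so the offending assignment is visible.
SELECT a.ID,
       a.PRINCIPAL,
       a.ENTITY_ID,
       a.ROLE_ID,
       CASE a.ROLE_ID
            WHEN -1 THEN 'Administrator'
            WHEN -2 THEN 'Read-only'
            ELSE 'custom role ' + CAST(a.ROLE_ID AS varchar(12))
       END AS ROLE_NAME,
       CASE WHEN a.FLAG IN (2, 3) THEN 'group' ELSE 'user' END AS PRINCIPAL_TYPE,
       CASE WHEN a.FLAG IN (1, 3) THEN 'yes'   ELSE 'no'   END AS PROPAGATES
FROM dbo.VPX_ACCESS AS a
ORDER BY a.ENTITY_ID, a.PRINCIPAL;

-- 2. Promote the read-only rows of the offending principal inside a
--    transaction, so the change is rolled back if no matching row exists
--    (which means the principal name or the assumption above is wrong).
DECLARE @principal nvarchar(256);
DECLARE @fixed int;
SET @principal = N'Users';   -- substitute the PRINCIPAL shown by query 1

BEGIN TRANSACTION;

UPDATE dbo.VPX_ACCESS
SET    ROLE_ID = -1
WHERE  PRINCIPAL = @principal
  AND  ROLE_ID   = -2;

SET @fixed = @@ROWCOUNT;

IF @fixed = 0
BEGIN
    PRINT 'No read-only rows found for ' + @principal + '; nothing changed.';
    ROLLBACK TRANSACTION;
END
ELSE
BEGIN
    PRINT 'Promoted ' + CAST(@fixed AS varchar(12)) + ' row(s) to Administrator.';
    COMMIT TRANSACTION;
END;

-- 3. Show what the principal now has, to confirm before starting the service.
SELECT ID, PRINCIPAL, ENTITY_ID, ROLE_ID, FLAG
FROM   dbo.VPX_ACCESS
WHERE  PRINCIPAL = @principal;
```

Run it in SQL Server Management Studio against the vCenter Server database, then start the VMware VirtualCenter Server service and remove the promoted permission through the vSphere Client as in step 13. The same SELECT and UPDATE apply to the Oracle procedure below if you drop the schema prefix and the variable declarations, use || instead of + in the CASE expressions, and finish with commit;.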
 
For Oracle, you can perform the following steps:
  1. Log in to the Oracle database using SQL*Plus with the vCenter database user.

    Note: As a best practice, shut down the VMware VirtualCenter Server service before making changes, and ensure there is an up-to-date full backup of the vCenter Server database.

  2. Run the following command in SQL*Plus:

    select * from vpx_access;

  3. Check the ROLE_ID column of each row (-1 is the Administrator role, -2 is Read-only).
  4. To change a principal's read-only permission to Administrator, run the following command, substituting the principal and entity found in step 3 (the values shown are examples):

    update vpx_access set role_id = -1 where principal = 'Administrator' and entity_id = 1;

  5. To add an Administrator permission for a user, run this command; the ID must not collide with an existing row, and the names and IDs shown are examples:

    insert into vpx_access (ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG) values (100, 'ACME\JSMITH', -1, 1, 1);

  6. To commit the changes, run the following command:

    commit;

  7. Restart the VMware VirtualCenter Server service.
  8. Log in to vCenter Server again.

Tags

vcenter-permission

Update History

02/04/2013 - Added additional symptom
