Recently, I came across a weird issue with permissions in vCenter. A list of user permissions was displayed within the vCenter server for users from a trusted domain that had permissions to the server. However, we wanted to remove those permissions from vCenter. The vCenter version in our case is VCSA 6 Platform Services Controller. In a vSphere Web Client session, I could successfully click the “X” and remove the user, or so the status notification said in the Web Client; however, the user remained – no errors, or other messages noting any kind of failure of the process!
I had a thought to try the operation out in the vSphere C# client and actually did receive an error this time – yay! It referred to not being able to connect to the “database” or network location. This shed some light on the issue, as at this point I had the feeling that vCenter was not able to connect to the identity source database, or Active Directory in this case.
The resolution to the issue in our case was to add the identity source back to the SSO configuration, and at that point I was able to remove both of the user accounts that would not go away. However, this brings up an interesting question: what happens if you no longer have access to the identity source domain and you have stale user accounts assigned permissions?
Also, simply restarting the SSO service did not resolve the issue, nor did a reboot of the VCSA appliance itself. It seems vCenter needs to be able to connect to the identity source in order to remove permission entries for its accounts.
There may be a more low-level way to delete these permissions, and I am currently looking into this; however, have you guys run into this issue before?
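The stale-permission situation described above, as an added PowerCLI audit example that is not part of the original post: it lists every vCenter permission whose principal belongs to a domain outside a list of identity sources you maintain, and optionally removes them and re-checks whether they actually went away. The server name and the `$KnownDomains` values are placeholders you must replace; PowerCLI is assumed to be installed.

```powershell
# Added example (not from the original post): find vCenter permissions granted to
# principals from domains that are no longer registered SSO identity sources.
# $KnownDomains is maintained by you to match the identity sources in SSO (hypothetical values).
param(
    [string]$Server = 'vcsa.example.local',               # placeholder, replace with your VCSA
    [string[]]$KnownDomains = @('VSPHERE.LOCAL', 'CORP'),  # hypothetical identity source names
    [switch]$Remove                                       # without this switch the script only reports
)

Connect-VIServer -Server $Server | Out-Null

# Principals from SSO/AD identity sources appear as "DOMAIN\user" or "user@domain.tld".
function Get-PrincipalDomain {
    param([string]$Principal)
    if ($Principal -match '^(?<dom>[^\\]+)\\') { return $Matches['dom'].ToUpperInvariant() }
    if ($Principal -match '@(?<dom>[^@]+)$')   { return $Matches['dom'].ToUpperInvariant() }
    return ''   # no domain part: treat as a local principal and ignore it
}

function Get-StalePermission {
    Get-VIPermission | Where-Object {
        $dom = Get-PrincipalDomain -Principal $_.Principal
        ($dom -ne '') -and ($KnownDomains -notcontains $dom)
    }
}

$stale = @(Get-StalePermission)
"Permissions whose principal domain is not a known identity source: $($stale.Count)"
$stale | Select-Object Principal, Role, @{N = 'Entity'; E = { $_.Entity.Name }}, Propagate, IsGroup |
    Format-Table -AutoSize

if ($Remove -and $stale.Count -gt 0) {
    # Same failure mode as in the post: if SSO cannot resolve the principal, the removal
    # may fail or the entry may silently persist, so re-enumerate instead of trusting the call.
    $stale | Remove-VIPermission -Confirm:$false
    $left = @(Get-StalePermission)
    if ($left.Count -gt 0) {
        "Warning: $($left.Count) entries remain; the identity source may need to be re-added first."
        $left | Select-Object Principal, Role, @{N = 'Entity'; E = { $_.Entity.Name }} | Format-Table -AutoSize
    } else {
        'All stale permissions removed.'
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it without `-Remove` first to review the report, since every entry it lists is a principal vCenter can no longer verify against an identity source.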