
Can’t remove permissions from vCenter Server VCSA 6

Recently, I came across a weird issue with permissions in vCenter. A list of user permissions was displayed within vCenter Server for users from a trusted domain that had permissions to the server. However, we wanted to remove those permissions from vCenter. The vCenter version in our case is VCSA 6 with the Platform Services Controller. In a vSphere Web Client session, I could successfully click the “X” and remove the user, or so the status notification in the Web Client said; however, the user remained, with no errors or other messages noting any kind of failure of the process!


I had a thought to try the operation in the vSphere C# client and this time actually did receive an error – yay! It referred to not being able to connect to the “database” or network location. This shed some light on the issue, as at this point I had the feeling that vCenter was not able to connect to the identity source, the Active Directory domain in this case.

Resolution

The resolution to the issue in our case was to add the identity source back to the SSO configuration; at that point I was able to remove both of the user accounts that would not go away. However, this brings up an interesting question: what happens if you no longer have access to the identity source domain and you have stale user accounts assigned permissions?

Also, neither simply restarting the SSO service nor rebooting the VCSA appliance itself resolved the issue. vCenter seems to need to be able to connect to the identity source in order to remove permissions for accounts from that source.
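A way to put the “did the removal actually take effect?” check into a script, as an added PowerCLI example that is not from the original post: it lists every vCenter permission held by a principal from the trusted domain, attempts to remove each one, and then re-queries the permissions instead of trusting the removal status, which is exactly the silent failure the Web Client showed above. The vCenter address and domain name are placeholders, the script assumes a PowerCLI version that loads via Import-Module, and it does not touch the SSO identity source configuration itself; if permissions remain after the run, re-registering the identity source (the fix described above) is the next step.

```powershell
# Added example (not the original post's own code): audit and remove vCenter
# permissions held by principals from one domain, then verify they are gone.
# Assumptions: PowerCLI is installed, $VCenter and $Domain are placeholders,
# and the session account is allowed to manage permissions.

param(
    [string]$VCenter = 'vcsa.example.local',  # placeholder vCenter address
    [string]$Domain  = 'TRUSTEDDOM'           # placeholder NetBIOS name of the trusted domain
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# Principals from an Active Directory identity source show up as DOMAIN\name.
$stale = Get-VIPermission | Where-Object { $_.Principal -like "$Domain\*" }

if (-not $stale) {
    Write-Host "No permissions found for principals in $Domain."
} else {
    # Record what is about to be removed (role, propagation, inventory object).
    $stale |
        Select-Object Principal, Role, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } } |
        Format-Table -AutoSize

    foreach ($perm in $stale) {
        try {
            Remove-VIPermission -Permission $perm -Confirm:$false -ErrorAction Stop
        } catch {
            # Any error vCenter returns is logged instead of being swallowed.
            Write-Warning "Remove failed for $($perm.Principal) on $($perm.Entity.Name): $($_.Exception.Message)"
        }
    }

    # Re-query rather than trusting the removal status: this is the check that
    # exposes a permission that vCenter reported removed but still holds.
    $remaining = Get-VIPermission | Where-Object { $_.Principal -like "$Domain\*" }
    if ($remaining) {
        Write-Warning "Permissions still present after removal. Check that the identity source for $Domain is registered in SSO:"
        $remaining |
            Select-Object Principal, Role, @{ n = 'Entity'; e = { $_.Entity.Name } } |
            Format-Table -AutoSize
    } else {
        Write-Host "All permissions for $Domain principals removed and verified."
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it as a .ps1 with the real vCenter address and domain name. The first table doubles as a record of which stale principals held which roles on which objects, which is worth keeping for an audit trail when a trusted domain is being decommissioned.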

There may be a more low-level way to delete these permissions, and I am currently looking into this; however, have you run into this issue before?


Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.


One Comment

  1. Yes, I’d a similar issue after upgrading VCSA to 6. Added AD as default and everything worked fine that day, but the next day I couldn’t login without the FQDN path. Also couldn’t delete some AD accounts and groups.
    Checked AD is still default.
    WEIRD BUG, I
