Unable to Remove Permissions in vCenter 6.7
I just did a migration of a vCenter 6.0 on a Windows Server to a vCenter Appliance 6.7 Update 1.
But after the migration/upgrade the customer needed to remove som permissions from the vCenter, but it failed.
The permission with the problem used this syntax: child.domain.local\username
When changing the user: child.domain.local\username role to “No access” i just added a new permission line with the user child\username and role “No access”, and the new permission can be removed without no problem.
So the problem is the permissions that is using the syntax: child.domain.local\<xxxxx> can not be removed and the one with the syntax: child\<xxxxx> can be removed. Note that both syntax’s work for login and permissions.
The solution
We have to fix this in the vCenter database.
This fix might not be supported by VMware support, so only use at your own risk.
Shutdown the vCenter and take a snapshot.
Boot the vCenter.
After booting the vCenter connect to the vCSA appliance using SSH, or on the console.
Stop the vCenter server service
service-control --stop vmware-vpxd
Connect to the vPostgres database, get the content of the vpx_access table, update the vpx_access table and afterward get the changed content of the vpx_access table.
from the vCenter Server shell:
/opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres
SQl Script
select * from vpx_access; update vpx_access set principal = replace(principal,'child.domain.local','child'); select * from vpx_access; \q
Reboot the vcenter.
Check that it works.
FYI typo in line 5 “vpx_acess set principal” should be ” vpx_access set principal”
Thx, I have updated the blog.
Have a nice day. 🙂