Unable to remove permissions in vCenter

One of my customers was getting a strange error when trying to remove permissions in vCenter:

The “Remove Permission” operation failed for the entity with following error message. The object or item referred to could not be found.

But the user was there! I asked him to add a new user and then remove it. He did that without an issue.

Then he showed me that he could add this user a second time… Wait… Second time? What the hell???

So we had 2 entries:
MYLABDANIEL <– new one
and
MYLABdaniel <– old one

Hmm… And when I checked the VPX_ACCESS table in the vCenter database I had only one user there – the old one…

Here is a script to check the table:

SELECT [ID],[PRINCIPAL],[ROLE_ID],[ENTITY_ID],[FLAG]
FROM [mgmtvcenter].[dbo].[VPX_ACCESS]
GO

Remove the new user from vCenter (you should still be able to) and then check your user ID.
In my case it was:

ID    PRINCIPAL       ROLE_ID  ENTITY_ID   FLAG
502   MYLABdaniel    -1       1           1

So… let’s remove that one… STOP!!! Backup the database first!

We can remove our guy:

DELETE FROM VPX_ACCESS WHERE ID = 502;

Restart the vCenter service and that’s it!
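
The lookup and delete steps above can be wrapped in one guarded T-SQL batch that keeps a copy of the row and commits only if exactly one row with the expected ID and exact-case name was removed. This is an added example, not the author's script; the copy table name and the NVARCHAR(255) type are assumptions, and 502 / MYLABdaniel are the values shown in the post.

```sql
-- Added example, not the author's script. 502 and MYLABdaniel are the values
-- shown in the post; copy yours exactly from the SELECT output.
USE [mgmtvcenter];   -- database name from the post
GO
SET XACT_ABORT ON;   -- any runtime error rolls the whole transaction back

-- NVARCHAR(255) is an assumed type for the principal name.
DECLARE @id INT, @principal NVARCHAR(255), @deleted INT;
SET @id = 502;
SET @principal = N'MYLABdaniel';

-- Show every stored spelling of this principal, ignoring case.
SELECT [ID], [PRINCIPAL], [ROLE_ID], [ENTITY_ID], [FLAG]
FROM [dbo].[VPX_ACCESS]
WHERE UPPER([PRINCIPAL]) = UPPER(@principal);

BEGIN TRANSACTION;

-- Keep a copy of the row so it can be re-inserted if needed.
-- VPX_ACCESS_REMOVED_502 is a hypothetical table name.
SELECT [ID], [PRINCIPAL], [ROLE_ID], [ENTITY_ID], [FLAG]
INTO [dbo].[VPX_ACCESS_REMOVED_502]
FROM [dbo].[VPX_ACCESS]
WHERE [ID] = @id;

-- The binary collation makes the name comparison case-sensitive, so the
-- delete only matches when both the ID and the exact spelling agree.
DELETE FROM [dbo].[VPX_ACCESS]
WHERE [ID] = @id
  AND [PRINCIPAL] COLLATE Latin1_General_BIN = @principal;

SET @deleted = @@ROWCOUNT;   -- read immediately after the DELETE

IF @deleted = 1
    COMMIT TRANSACTION;
ELSE
BEGIN
    -- Wrong ID, wrong spelling or more than one row: undo everything.
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly 1 row, matched %d; nothing was deleted.', 16, 1, @deleted);
END
GO
```

The copy table is created inside the transaction, so a rollback removes it as well; it complements the full database backup rather than replacing it.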

(c) Zbigniew ‘Ziggy’ Misiak

4 comments to Unable to remove permissions in vCenter

  • Albert

    You’ve saved my day! Thank you!

  • Seb

    Really, thank you, you just saved my vCenter. I was not able to create VMs anymore on any ESX. Now, all works fine.

  • Aaron Meyer

    I had migrated to a new SSO domain (MS AD migration) that used the same domain alias. Because of the same alias I was unable to add the old SSO identity source back without impacting active users.

    What I found that worked: first I added the old SSO identity source back, but with a different alias, then at the same blue folder where the ‘stuck’ user permission was assigned, I added a NEW permission for that same user sourced from the old identity source. After applying the new permission nothing changed in the permissions view – it still showed the stuck account with the original domain alias\username – however I was then able to delete it.

    Hope this helps someone.

    VCSA 5.5 standalone with external Oracle DB
