We recently took over operational administration of a big school in the Netherlands. The previous system administrators had fiddled around with permissions and roles a little too much, effectively removing all permissions for all users and groups on the root object in VMware vCenter.

Obviously, this resulted in an unmanageable environment, and action had to be taken.

First off, I thank the previous system administrator for not messing up the SQL permissions: I could still access the database instance using my credentials. Also, luckily, a group called ‘VMware Administrators’ still had some permissions in vCenter: this group had ‘Read Only’ permissions on an individual virtual machine. This made editing the database a bit easier, but it is in no way required.

By simply replacing two values in the vCenter database, I changed two settings:

  • Changing the permissions from ‘Read Only’ to ‘Administrator’ for the given group
  • Changing the object to which these permissions are applied from the virtual machine to the root object

So, how did I do this? Using the database administration tools, I did the following:

  • In the VPX_ACCESS table I changed ROLE_ID from ‘-2’ (‘Read Only’) to ‘-1’ (‘Administrator’) for the given PRINCIPAL (the row whose PRINCIPAL value is ‘VMware Administrators’, the group I was looking for).
  • In the same table, I changed ENTITY_ID from the given value to ‘1’, which stands for ‘Datacenters’, otherwise known as the root object.
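The two edits above as one SQL transaction, added here as an example and not taken from the original post. It uses only the table and column names the post mentions (VPX_ACCESS, PRINCIPAL, ROLE_ID, ENTITY_ID), assumes a full backup of the vCenter database was taken first, and uses generic SQL syntax that may need small adjustments for the database engine in use.

```sql
-- Added example (not from the original post): the two VPX_ACCESS edits
-- described above, done inside one transaction so a wrong match can be
-- rolled back instead of committed.
-- Assumptions: a full backup of the vCenter database exists, and the
-- vCenter services will be restarted afterwards, as the post describes.

-- 1. Inspect the row first. Expect exactly one row, with ROLE_ID = -2
--    (Read Only) and ENTITY_ID pointing at the individual virtual machine.
SELECT PRINCIPAL, ROLE_ID, ENTITY_ID
FROM   VPX_ACCESS
WHERE  PRINCIPAL = 'VMware Administrators';

-- 2. Apply both changes in one transaction, restricted to that one row.
BEGIN TRANSACTION;

UPDATE VPX_ACCESS
SET    ROLE_ID   = -1,   -- -1 = built-in 'Administrator' role
       ENTITY_ID = 1     --  1 = 'Datacenters', the root object
WHERE  PRINCIPAL = 'VMware Administrators'
  AND  ROLE_ID   = -2;   -- only touch the known 'Read Only' entry

-- 3. Verify before committing. The UPDATE must have affected exactly one
--    row (on SQL Server, check @@ROWCOUNT right after the UPDATE); if it
--    affected zero or several rows, ROLLBACK and re-check the WHERE clause.
SELECT PRINCIPAL, ROLE_ID, ENTITY_ID
FROM   VPX_ACCESS
WHERE  PRINCIPAL = 'VMware Administrators';

-- 4. Only if the verification shows ROLE_ID = -1 and ENTITY_ID = 1:
COMMIT;
-- otherwise:
-- ROLLBACK;
```

Restart the vCenter services after the commit; the change is read from the database at startup, which is why the post needed a service restart before the new permissions took effect.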

After a quick restart of the vCenter services, I was able to access the environment with proper permissions for the given group again, including all nested objects, indicating that inheritance was set up properly, too.