Posted by: MikeLaverick
This is quite funny. vCenter 4.0 allows you to deny yourself your own rights. That's right, as the administrator you can block or remove your own privileges on an object. Once you remove your own rights, the object disappears from the inventory, which of course means you can't select it again to add yourself back in! It's not unlike the Microsoft experience, where you set NTFS permissions, fail to include an administrator and get an access denied message. At least with NTFS permissions an administrator can still right-click the folder, take ownership and add themselves back in. Not so with vCenter permissions.
Another interesting weirdness is group membership. If you add group1 and group2, and you are a member of both, with one holding Read-only and the other Administrator, you can find that your effective permission is the more restrictive one, Read-only. For the record, VMware's documentation states the rules differently: group permissions on the same object combine as a union, a permission set directly on your user account beats any group permission on that object, and a permission set on a child object overrides one propagated from a parent. That last rule is the one to suspect when you see the demotion: a Read-only entry on a datacenter or cluster overrides the Administrator rights propagated down from the root. Either way, it shows itself when you accidentally add a built-in group that the administrator account is also a member of, such as Remote Desktop Users or Domain Users. Give one of those groups a lower privilege and you can find your own rights diminished to the point where you are looking for another vCenter administrator account to give yourself rights back.
I've seen this happen in my own lab environments, when I haven't been engaging the brain, and dismissed it as an anomaly that would hardly ever happen. Until last week one of my students (in fact a couple of them) did precisely this (because the lab instructions told them to!). We ended up having to create a temporary local user account (who wasn't a member of any of the built-in groups) and adding it to the local Administrators group on the vCenter box. Fortunately, the local "Administrators" group in the Windows SAM was still listed as an "Administrator" in vCenter. Not that that would pass any audit in most corporates nowadays…
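What you really want before clicking OK on a permission change is a check that it does not cost you the right to edit permissions on anything. The script below is an added example, not code from this post or from VMware. It models the precedence rules as VMware documents them (group roles on the same object combine as a union, a direct user entry on an object beats group entries there, and an entry on a child object overrides anything propagated from a parent) over a constructed inventory, then replays the two mistakes described above: giving Domain Users Read-only one level below the root, and removing your own Administrator entry. The object and account names and the trimmed-down role definitions are assumptions of the example; it is a model to reason with, not PowerCLI against a live vCenter, so confirm the rules against your own version before relying on it.

```python
"""Pre-flight check for vCenter permission changes (added example, not the post's code).

Assumed rules, as documented by VMware for vCenter permissions:
  * an entry on a child object overrides entries propagated from its parents;
  * on one object, an entry for the user directly beats entries for the user's groups;
  * otherwise the roles of all matching group entries on that object are unioned.
"""
from dataclasses import dataclass, field

MODIFY = "Authorization.ModifyPermissions"  # the privilege you need to repair permissions later
VIEW = "System.View"                        # lose this and the object vanishes from the inventory

# Roles trimmed to a handful of privileges (assumption; real roles carry far more)
ROLES = {
    "Administrator": {VIEW, "System.Read", MODIFY, "VirtualMachine.Interact.PowerOn"},
    "Read-only": {VIEW, "System.Read"},
    "No access": set(),
}


@dataclass(frozen=True)
class Permission:
    obj: str            # inventory object the entry is set on
    principal: str      # user or group name
    role: str           # key into ROLES
    propagate: bool = True


@dataclass
class Inventory:
    parent: dict        # object -> parent object; the root maps to None
    groups: dict        # user -> set of groups the user belongs to
    perms: list = field(default_factory=list)

    def path_to_root(self, obj):
        while obj is not None:
            yield obj
            obj = self.parent[obj]

    def effective_privileges(self, user, obj):
        """Privileges `user` holds on `obj` under the rules in the module docstring."""
        principals = {user} | self.groups.get(user, set())
        for depth, node in enumerate(self.path_to_root(obj)):
            here = [p for p in self.perms
                    if p.obj == node and p.principal in principals
                    and (depth == 0 or p.propagate)]
            if not here:
                continue                      # nothing for us on this object, try the parent
            direct = [p for p in here if p.principal == user]
            chosen = direct or here           # explicit user entry wins over group entries
            return set().union(*(ROLES[p.role] for p in chosen))
        return set()                          # no matching entry anywhere up the tree

    def lockout_after(self, user, new_perms):
        """Objects on which `user` can edit permissions now but could not after `new_perms`."""
        trial = Inventory(self.parent, self.groups, list(new_perms))
        before = {o for o in self.parent if MODIFY in self.effective_privileges(user, o)}
        after = {o for o in self.parent if MODIFY in trial.effective_privileges(user, o)}
        return sorted(before - after)

    def root_administrators(self):
        """Principals holding a propagating Administrator entry at the root (your way back in)."""
        root = next(o for o, p in self.parent.items() if p is None)
        return sorted(p.principal for p in self.perms
                      if p.obj == root and p.role == "Administrator" and p.propagate)


def lab_inventory():
    """Constructed inventory mirroring the post: mike sits in the local Administrators
    group (Administrator at the root) and, like everyone, in Domain Users."""
    parent = {"vCenter": None, "DC1": "vCenter", "Cluster1": "DC1", "vm1": "Cluster1"}
    groups = {"mike": {"Administrators", "Domain Users"}, "svc-breakglass": set()}
    perms = [Permission("vCenter", "Administrators", "Administrator")]
    return Inventory(parent, groups, perms)


if __name__ == "__main__":
    inv = lab_inventory()
    # The student's mistake: Read-only for Domain Users one level below the root
    change = inv.perms + [Permission("DC1", "Domain Users", "Read-only")]
    print("Read-only on DC1 locks mike out of:", inv.lockout_after("mike", change))
    # Same role granted on the same object as the Administrators entry: union, no lockout
    change = inv.perms + [Permission("vCenter", "Domain Users", "Read-only")]
    print("Read-only at the root locks mike out of:", inv.lockout_after("mike", change))
    # Deleting your own Administrator entry at the root
    print("Removing the root entry locks mike out of:", inv.lockout_after("mike", []))
    print("Accounts that can still get you back in:", inv.root_administrators())
```

Run it as-is to see the three scenarios; to use it against your own layout, fill `parent`, `groups` and `perms` from an export of your inventory and permission list and call `lockout_after` with the permission list as it would look after the change. The `root_administrators` list is the break-glass check: if the only entries on it are broad built-in groups, create the dedicated account before you need it rather than, as above, afterwards.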