I have recently upgraded 2 different VxRail clusters from 4.0.400 to 4.5.150. That process has gone well with 1 exception. At the beginning of the process it upgrades VxRail Manager code and logs you out. You then have to log in again to view the rest of the upgrade process, but it no longer accepts my AD credentials. I've done several other upgrades of 4.0.x and didn't have this issue. I can only log in to VxRail Manager as email@example.com. I can log in to vCenter just fine using my AD credentials. My user is added to an AD group, and the AD group has the vCenter Administrator role. Has anyone else found this issue? Our vCenter is 6.5 Update 1e as required by the 4.5.150 upgrade package.
I also found that if I add my AD user to vCenter it works, but if I get access only via AD group membership then it will not work. This was not an issue when we were on 4.0.x.
Thank you very much for the reply, but in this case the PSC/vCenter are external and were upgraded a couple of weeks before VxRail. The login to VxRail Manager only became a problem immediately after the VxRail Manager was upgraded from 4.0.400 to 4.5.150.
Recently I've had contact with Dell EMC and there are some changes in VxRail 4.5 and VxRail Manager RBAC.
- Authorisation of VxRail Manager.
In the 4.5.150 release a feature is delivered that restricts login access to VxRail Manager only to “global administrators” or users who have “HCIA management” roles. All others won’t be able to log into the VxRail Manager and therefore perform any operations such as powering down the appliance.
Information from the release notes:
- Support for VxRail Manager role-based access control:
  - Access is based on vCenter authentication
  - Supports Administrator and HCIA Management roles
Maybe this will help explain.
Here is the response from my ticket with Dell EMC. Note 2ii, that if your AD group assigned in vCenter contains users that are in a different AD group those users will likely NOT be able to log in to VxRail Manager. That's the case in my environment. So I could add my user by name directly in vCenter with 1 of those 2 vCenter roles, or add an AD group to vCenter from the same AD domain as my user with 1 of those 2 vCenter roles. Either option is not ideal for me but that might help others.
1. How to handle config user (aka non-admin user)
   Solution - Add config user with “HCIA” role on datacenter level.
2. User belongs to group
   i. User and Group in same domain
      Solution - Assign group with “Admin” Role/“HCIA” Role and user will inherit the permission from the group.
      Highly recommend assigning the group the “HCIA” Role on the root folder and propagating it to datacenter level.
   ii. User and Group in different domain
      Solution - Add user with “Admin”/“HCIA” Role directly, as the VC API is weak at acquiring this relationship.