VxRail: Upgrade Cannot Create Permission for Management User Account

Summary: Out of Family upgrades with an internal vCenter fail with error "Cannot create permission for management user ".

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

While performing an out of family upgrade on a cluster with an internal vCenter, the upgrade fails. This is after the vCenter migration from the old to the new version with error:

Cannot create permission for management user

Lcm-web.log: 

2023-07-24 07:20:53,135 INFO [LCM] [upgrade-task-0] c.v.c.c.e.VCEntityService [VCEntityService.java:365] Retrieved role list from VC.
2023-07-24 07:20:53,135 INFO [LCM] [upgrade-task-0] c.v.c.c.AccountService [AccountService.java:164] Adding privileges for VMware HCIA Management Global.Diagnostics,VirtualMachine.Inventory.Delete,Global.Settings,Global.ScriptAction,Folder.Create,Host.Config.Power,VirtualMachine.State.CreateSnapshot,DVSwitch.Modify,VirtualMachine.Inventory.Unregister,Resource.ColdMigrate,vxrail.View,Global.ManageCustomFields,Alarm.Create,Datastore.UpdateVirtualMachineFiles,VirtualMachin
e.Interact.SetCDMedia,VirtualMachine.Interact.PowerOff,Global.Licenses,Global.SetCustomField,VirtualMachine.Interact.AnswerQuestion,VirtualMachine.Config.RemoveDisk,Cryptographer.Migrate,Extension.Update,VirtualMachine.State.RemoveSnapsh
ot,System.View,VirtualMachine.Config.AddNewDisk,InventoryService.Tagging.ObjectAttachable,VApp.ApplicationConfig,Datastore.Browse,Host.Config.Maintenance,Datastore.AllocateSpace,Network.Assign,VApp.ExtractOvfEnvironment,VApp.Import,Virtu
alMachine.GuestOperations.ModifyAliases,DVSwitch.HostOp,Global.LogEvent,Extension.Unregister,VirtualMachine.GuestOperations.Modify,Resource.HotMigrate,Alarm.Edit,StorageProfile.Update,System.Anonymous,EAM.Modify,VirtualMachine.Interact.G
uestControl,Alarm.Delete,Host.Config.NetService,Cryptographer.Access,VirtualMachine.GuestOperations.Query,System.Read,Host.Inventory.AddStandaloneHost,EAM.Config,Datastore.FileManagement,Host.Config.SystemManagement,EAM.View,Folder.Delet
e,VirtualMachine.GuestOperations.Execute,Host.Config.Network,Host.Config.Storage,VirtualMachine.Interact.DeviceConnection,Host.Config.Settings,Folder.Rename,Host.Inventory.EditCluster,StorageProfile.View,Cryptographer.Decrypt,Extension.R
egister,VirtualMachine.Config.Settings,vxrail.Manage,DVSwitch.ResourceManagement,Host.Inventory.AddHostToCluster,Alarm.SetStatus,Authorization.ModifyPermissions,DVPortgroup.Modify,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.C
onsoleInteract,VirtualMachine.GuestOperations.QueryAliases,VirtualMachine.Config.AdvancedConfig,Datastore.DeleteFile,Host.Inventory.RemoveHostFromCluster..

2023-07-24 07:20:53,181 ERROR [LCM] [upgrade-task-0] c.v.l.c.u.v.t.ConfigureManagementPermissionTask [ConfigureManagementPermissionTask.java:85] Cannot create permission for management user administrator@vsphere.local.
com.sun.xml.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: vim.fault.AlreadyExists Please see the server log to find more detail regarding exact cause of the failure.
        at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:163)



2023-07-24 07:20:53,183 ERROR [LCM] [lcm-vc-0] c.v.l.t.SimpleUpgradeTaskExecutor [SimpleUpgradeTaskExecutor.java:82] Failed to execute task configureManagementPermissionTask.
java.util.concurrent.ExecutionException: com.vce.lcm.exception.LCMException: Failed to configure management account permission.
        at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:205)
        at com.vce.lcm.task.SimpleUpgradeTaskExecutor.execute(SimpleUpgradeTask

Cause

VxRail Management account has another permission other than the 'VMware HCIA Management'. Even if it has 'Administrator' role, it fails.

Resolution

To resolve this issue, change the global permission for the management account to 'VMware HCIA Management' and retry again.

Alternatively, create a new user and assign it the 'VMware HCIA Management' role to it.
Below are Steps for how to change the role for the user:

  • On vCenter, go to Menu-> Administration > Users and Groups > filter by vsphere.local (or custom domain if customer uses one for their accounts) > click Add, and create the new user account.
  • Then in : Access Control->Global Permission
  • Locate the user and edit the role to be 'VMware HCIA Management' and choose the 'propagate to children' checkbox.
  • Retry the upgrade.

Affected Products

VxRail, CloudArray Virtual Edition for VxRail Appliance, VMWare Cloud on Dell EMC VxRail E560F, VMWare Cloud on Dell EMC VxRail E560N, VxRail 460 and 470 Nodes, VxRail Appliance Family, VxRail Appliance Series, VxRail G410, VxRail G Series Nodes , VxRail D Series Nodes, VxRail D560, VxRail D560F, VxRail E Series Nodes, VxRail E460, VxRail E560, VxRail E560 VCF, VxRail E560F, VxRail E560F VCF, VxRail E560N, VxRail E560N VCF, VxRail E660, VxRail E660F, VxRail E660N, VxRail E665, VxRail E665F, VxRail E665N, VxRail G560, VxRail G560 VCF, VxRail G560F, VxRail G560F VCF, VxRail Gen2 Hardware, VxRail P Series Nodes, VxRail P470, VxRail P570, VxRail P570 VCF, VxRail P570F, VxRail P570F VCF, VxRail P580N, VxRail P580N VCF, VxRail P670F, VxRail P670N, VxRail P675F, VxRail P675N, VxRail S Series Nodes, VxRail S470, VxRail S570, VxRail S570 VCF, VxRail S670, VxRail Software, VxRail V Series Nodes, VxRail V470, VxRail V570, VxRail V570 VCF, VxRail V570F, VxRail V570F VCF, VXRAIL V670F, VxRail VD-4000R, VxRail VD-4000W, VxRail VD-4000Z, VxRail VD-4510C, VxRail VD-4520C, VxRail VD Series Nodes ...
Article Properties
Article Number: 000216302
Article Type: Solution
Last Modified: 04 Dec 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.