Introduction

I have another interesting VMware Cloud Director (VCD) issue for everybody. On one of our VCD 10.1.x environments we were having issues editing and/or cloning roles other than the default “System Administrator” role. The issue manifested itself and was reproducible by doing the following:

  1. Open up the VCD interface, go to Administration -> Provider Access Controls -> Roles and try to clone a custom-made role.
  2. Once you press clone, the following UI error message appears:
Error: The following required implied rights are missing: Truststore: Manage, Truststore: View
[Image: Edit role error message in the VCD UI 10.1.x]
  3. As you can see we receive the error message, and the cloned Role has no rights assigned to it, which is not the normal behaviour.
  4. If we try to edit an existing Role and change nothing, we also get the same error message and the Role again has no rights assigned to it.

At first I didn’t really understand the issue here. I was logged in as a System Administrator that has full permissions on the VCD instance. Just to be sure, I also logged in as a VDC administrator user and with the local administrator user that VCD has. Even then it did not work and we received the same error message. After a short search I found out that the implied rights called “Truststore: Manage” and “Truststore: View” were introduced in VCD version 10.2.1. Weirdly, we are running 10.1.1. Once I knew this I browsed through the rights window of the role and noticed the following:

[Image: Missing rights inside a role in the VCD UI]

As you can see in the above image, these two rights are not selected in the role I was editing/cloning. If you hover over one of the two rights you will see that the right is “implied by: Manage the LDAP settings”, as the image below shows:

[Image: Right implied by another right inside the role]

The fix

Now I am unsure why we even have this right inside our permission tree within VCD on version 10.1.1, since VMware states that these two rights were added in VCD 10.2.1. The VCD 10.1.1 documentation doesn’t mention these rights at all. But this issue can be fixed quite easily.

Open up the bugged Role within VCD and do the following:

  1. Go to Access Control -> Organization and uncheck the right called “Manage the LDAP Settings”.
  2. Check the right again, so that it is enabled again.
[Image: Uncheck this right inside the role to enable the Truststore rights]
  3. Once this is done, go over to the Truststore rights again under Administration -> General and you will see that the Manage Truststore and View Truststore rights are now checked.
  4. Save the role and you are done.

Another interesting thing: I have another VCD environment which is actually on version 10.2.1. In this version these two rights are also not available under those names; they are actually called “Manage Trusted Certificates” and “View Trusted Certificates”. They exist because of the Trusted Certificates section, which is available through the API only (on the endpoint /cloudapi/1.0.0/ssl/trustedCertificates) on version 10.1.x and also through the VCD UI in version 10.2.1. The Trusted Certificates store is the store in which all of the underlying infrastructure certificates from the connected vCenter Servers and NSX instances are placed. I will ask VMware to update the documentation to reflect this so that everybody is aware of it.
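The UI error above is the result of a consistency check: every right assigned to a role must be accompanied by the rights it implies. If you want to audit roles for this gap without clicking through each one (for example, before an upgrade), the check can be reproduced offline from the data the CloudAPI returns. The following Python script is an added example and is not code from this blog post or from VMware. It assumes that rights objects from the CloudAPI carry a "name" and an "impliedRights" list of {"name", "id"} objects, that a role's rights can be read from /cloudapi/1.0.0/roles/<role-id>/rights, that the Accept header uses API version 34.0 for VCD 10.1.x, and that a bearer token is supplied by the caller; the sample catalog and role below are constructed to mirror the situation described in the post (rights endpoints and field names are assumptions, not taken from the page).

```python
"""Audit a VCD role for missing implied rights (added example, not the blog's code).

Assumed (not from the post): CloudAPI rights are JSON objects with "name" and
"impliedRights" [{"name": ..., "id": ...}]; a role's rights are listed at
/cloudapi/1.0.0/roles/<role-id>/rights; list responses are paged under "values".
"""
import json
import urllib.request
from typing import Dict, Iterable, List, Set

# Constructed sample catalog: "Manage the LDAP Settings" implies the two
# Truststore rights, and "Truststore: Manage" in turn implies "Truststore: View".
SAMPLE_RIGHTS_CATALOG = [
    {"name": "Manage the LDAP Settings",
     "impliedRights": [{"name": "Truststore: Manage"}, {"name": "Truststore: View"}]},
    {"name": "Truststore: Manage", "impliedRights": [{"name": "Truststore: View"}]},
    {"name": "Truststore: View", "impliedRights": []},
    {"name": "Organization: View", "impliedRights": []},
]

# Constructed sample role: the LDAP right is set but its implied rights are not,
# which is exactly what the UI complained about.
BUGGED_ROLE_RIGHTS = ["Manage the LDAP Settings", "Organization: View"]


def missing_implied_rights(role_right_names: Iterable[str],
                           rights_catalog: Iterable[dict]) -> Dict[str, List[str]]:
    """Return {implying right: [implied rights the role lacks]}.

    Chains of implied rights are followed, so a right implied by a missing
    right is reported as well (keyed by the right that implies it).
    """
    implied_by = {r["name"]: [i["name"] for i in r.get("impliedRights", [])]
                  for r in rights_catalog}
    assigned = set(role_right_names)
    missing: Dict[str, List[str]] = {}
    stack, seen = list(assigned), set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for imp in implied_by.get(name, []):
            if imp not in assigned:
                missing.setdefault(name, []).append(imp)
            stack.append(imp)  # follow the chain of implied rights
    return {k: sorted(v) for k, v in missing.items()}


def complete_rights(role_right_names: Iterable[str],
                    rights_catalog: Iterable[dict]) -> Set[str]:
    """The right set a consistent role would have: assigned plus all implied."""
    result = set(role_right_names)
    for gaps in missing_implied_rights(role_right_names, rights_catalog).values():
        result.update(gaps)
    return result


def fetch_values(base_url: str, token: str, path: str, api_version: str = "34.0") -> List[dict]:
    """GET every page of a CloudAPI list endpoint (assumed paging and header names)."""
    values: List[dict] = []
    page = 1
    while True:
        req = urllib.request.Request(
            f"{base_url}{path}?page={page}&pageSize=100",
            headers={"Accept": f"application/json;version={api_version}",
                     "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        values.extend(body.get("values", []))
        if page >= int(body.get("pageCount", 1)):
            return values
        page += 1


def audit_role(base_url: str, token: str, role_id: str) -> Dict[str, List[str]]:
    """Fetch the rights catalog and one role's rights, then report the gaps."""
    catalog = fetch_values(base_url, token, "/cloudapi/1.0.0/rights")
    role_rights = fetch_values(base_url, token, f"/cloudapi/1.0.0/roles/{role_id}/rights")
    return missing_implied_rights([r["name"] for r in role_rights], catalog)


if __name__ == "__main__":
    # Offline run against the constructed sample; audit_role() needs a live VCD.
    print(json.dumps(missing_implied_rights(BUGGED_ROLE_RIGHTS, SAMPLE_RIGHTS_CATALOG), indent=2))
    print(sorted(complete_rights(BUGGED_ROLE_RIGHTS, SAMPLE_RIGHTS_CATALOG)))
```

Run without arguments it evaluates the constructed sample and prints the two Truststore rights as missing, implied by the LDAP right; `complete_rights` gives the set the role ends up with after the uncheck/re-check workaround described above. Against a real instance, compare `audit_role` output for every custom role so that the affected ones are known before anyone opens them in the UI.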

There you have it, another day, another blog. I hope this helped you.


Bryan van Eeden

Bryan is an ambitious and seasoned IT professional with almost a decade of experience in designing, building and operating complex (virtual) IT environments. In his current role he tackles customers, complex issues and design questions on a daily basis. Bryan holds several certifications such as VCIX-DCV, VCAP-DCA, VCAP-DCD, V(T)SP and vSAN and vCloud Specialist badges.
