While upgrading vCenter to 5.1 in an environment where we used local authentication on the vCenter server, we were in for a little surprise.
The original vCenter server had a lot of custom roles and user permissions defined, on all kinds of objects in vCenter.
When we did the upgrade, we decided to install the SSO server on a separate server. When the vCenter upgrade ran and vCenter was registered with the SSO server, we suddenly received a message that users and groups were not found on the SSO server. That made sense: even though we had recreated the users and groups on the SSO server, they were new local accounts on a different host and therefore had different security identifiers (SIDs), so nothing matched the principals stored in the vCenter database. What we did not expect is that the upgrade process removed all non-existing users and groups from the vCenter database, effectively removing every permission from vCenter …
It would have been a lot more elegant if it had kept the permissions and flagged on each object that the user or group it referred to no longer existed, since now we had to reconfigure the complete permission structure by hand. The custom roles did survive the upgrade.
So there are a couple of takeaways from this:
- Use Active Directory as the identity source when you move to SSO. Domain users and groups keep the same SID no matter which server SSO runs on, so the principals stored in the vCenter database still resolve after the upgrade.
- When using only local accounts and permissions in vCenter, install the SSO server on the vCenter server itself, so SSO resolves the same local accounts the permissions already refer to.
- When not using AD and planning to install SSO on a separate server, document (better: export) your complete permission structure before the upgrade, so you can recreate it once the new principals exist.
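As an added example (not part of the original post), the following PowerCLI script does the export and the restore from the last takeaway: before the upgrade it writes the custom roles and every object-level permission to files, and after the upgrade it replays them. The server name, output directory and file names are placeholders, and the restore assumes the principals (users and groups) already exist in whatever identity source SSO now uses; a permission whose principal or object cannot be resolved is reported rather than silently dropped, which is exactly the behaviour the upgrade itself lacked.

```powershell
# Added example, not the original post's or VMware's code.
# Assumptions: PowerCLI is installed, the account used holds the Administrator
# role on vCenter, and $Server / $OutDir below are placeholders to replace.
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')][string]$Mode,
    [string]$Server = 'vcenter.example.local',   # placeholder
    [string]$OutDir = 'C:\vc-backup'             # placeholder
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
$vc = Connect-VIServer -Server $Server -ErrorAction Stop

$rolesFile = Join-Path $OutDir 'roles.json'
$permsFile = Join-Path $OutDir 'permissions.csv'

if ($Mode -eq 'Export') {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Custom roles only; the built-in system roles are recreated by the installer anyway.
    Get-VIRole -Server $vc | Where-Object { -not $_.IsSystem } |
        Select-Object Name, @{ n = 'Privileges'; e = { @($_.PrivilegeList) } } |
        ConvertTo-Json -Depth 3 | Set-Content -Path $rolesFile

    # Every permission on every inventory object, with enough context to put it back.
    # Principal is the "DOMAIN\name" string vCenter stores, so it doubles as the
    # list of accounts that must exist in the identity source SSO will use.
    Get-VIPermission -Server $vc |
        Select-Object @{ n = 'EntityName'; e = { $_.Entity.Name } },
                      @{ n = 'EntityId';   e = { $_.Entity.Id } },
                      Principal, IsGroup, Role, Propagate |
        Export-Csv -Path $permsFile -NoTypeInformation

    Write-Host "Exported roles to $rolesFile and permissions to $permsFile"
}
else {
    # Roles first, because permissions reference them by name.
    foreach ($r in (Get-Content -Path $rolesFile -Raw | ConvertFrom-Json)) {
        if (Get-VIRole -Server $vc -Name $r.Name -ErrorAction SilentlyContinue) { continue }
        $privs = Get-VIPrivilege -Server $vc -Id $r.Privileges
        New-VIRole -Server $vc -Name $r.Name -Privilege $privs | Out-Null
        Write-Host "Recreated role $($r.Name)"
    }

    $failed = @()
    foreach ($p in (Import-Csv -Path $permsFile)) {
        # Managed object IDs normally survive an in-place upgrade of the same
        # database; fall back to a name lookup if the ID no longer resolves.
        $entity = Get-Inventory -Server $vc -Id $p.EntityId -ErrorAction SilentlyContinue
        if (-not $entity) {
            $entity = Get-Inventory -Server $vc -Name $p.EntityName -ErrorAction SilentlyContinue
        }
        if (@($entity).Count -ne 1) {
            $failed += "$($p.Principal) on $($p.EntityName): object not found or ambiguous"
            continue
        }
        try {
            # New-VIPermission fails when SSO cannot resolve the principal, which is
            # the situation the post describes; record it instead of losing it.
            New-VIPermission -Server $vc -Entity $entity -Principal $p.Principal `
                -Role $p.Role -Propagate ([bool]::Parse($p.Propagate)) -ErrorAction Stop | Out-Null
        }
        catch {
            $failed += "$($p.Principal) on $($p.EntityName): $($_.Exception.Message)"
        }
    }
    if ($failed) { Write-Warning ("Could not restore:`n" + ($failed -join "`n")) }
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it once with `-Mode Export` against the old vCenter, keep the two files with the rest of the upgrade notes, and run `-Mode Import` after vCenter is registered with SSO and the accounts exist. The warning at the end is the list you still have to fix by hand, typically principals whose name changed when they were recreated under SSO.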