A patch update was just released for vCenter Server 6.5, dubbed vSphere 6.5b. While glancing through the release notes, I caught one interesting "resolved issue" which I thought was worth sharing.
Users with no vCenter Server permissions can log in to the vSphere Web Client
Users without permissions can log in to the vSphere Web Client. Users can click the menu options, but no inventory is displayed.
Users with no permissions can no longer log in to the vSphere Web Client.
To enable the login, set the allow.user.without.permissions.login = true property in the webclient.properties file.
This particular behavior has been something that has confused a few customers and has been asked about since the introduction of vCenter Single Sign-On (SSO) service. The issue or rather the confusion is that prior to the SSO service, vCenter Server handled both authentication as well as authorization.
With SSO, authentication was no longer being handled by vCenter Server and this meant that even if you had no permissions in vCenter Server but you could authenticate to SSO (especially common when Active Directory is configured), you would still be allowed to login to the vSphere Web/H5 Client.
Although vCenter Server would does the right thing and does not display any inventory if you do not have any permissions, it was still not a desired behavior in addition to the confusion it caused. I was pleasantly surprised to see that we have changed this default behavior by disallowing logins to the vSphere Web/H5 Client if a user has no VC permissions. Below is the message you will receive if you try to login without VC permissions.
If you wish to revert to the original behavior, you can do so by simply adding the allow.user.without.permissions.login = true setting into the vSphere Web/H5 Client configuration file (webclient.properties) and restart the vSphere Web/H5 Client service. I think many of our customers will appreciate this fix as well as the new default behavior!
feffrey says
Glad they made that change. Less time fighting security over this.
Andrew GR says
Thank you for great post! ..was curious to test this "allow.user.without.permissions.login = false" on 6.0.0U3b but it didn't work... So looks like there is no way to achieve the same restriction on the VC 6.0 version? Or any ideas? Thank you!
Angry Customer, but who cares over at VMware says
How about his for a comment:
Brand new vCenter 6.5 deployment on windows with AD integration ID source, can't add permissions to any inventory object from our AD source, only allows adding permissions via global permissions. Wait, don't tell me, another web client issue??
William Lam says
This should not be the case. I would recommend you file an SR and GSS can help you out. You should be able to assign standard permissions using the regular method and/or Global Permissions
Stephen says
I am also struggling with this, Vsphere 6.0 I can add permissions users groups Licensing, Vsphere 6.5 you can add them but nothing works except the *protected email* account
How does this slip past QC?
Ramkulov says
Many thanks, that helped.
morcos Samuel says
can we do that in 6.0 ???
Oleg says
I have the same question!
Especially in last 6.0 Update3g ?
I tried “allow.user.without.permissions.login = false” on 6.0.0U3g but it didn’t work 🙁