vCenter: privilege check failed for user (missing permission Sessions.TerminateSession) #341

Closed
quinh opened this issue Apr 5, 2023 · 16 comments


quinh commented Apr 5, 2023

Hi,

first things first: great product, easy to use, little effort, big outcome 👍

Privilege check failed for user VSPHERE.LOCAL\sexigraf for missing permission Sessions.TerminateSession. Session user performing the check: VSPHERE.LOCAL\sexigraf

We configured only view read-only permissions for user sexigraf.

The sessions object only has 4 permissions available

  • Impersonate User
  • Message
  • Validate session
  • View and Stop sessions

Any clue what's behind VMware's warning: Sessions.TerminateSession?

Member

rschitz commented Apr 5, 2023

Hi and thank you for your support.
Read-Only Role is enough but where (on which object) did you apply this permission?

Author

quinh commented Apr 5, 2023

It's configured on the global permission.

We don't miss any data, just want to get rid of the vCenter event-warning.

Member

rschitz commented Apr 5, 2023

can you share a screenshot of the warning please?

Member

rschitz commented Apr 5, 2023

i'm sorry i didn't see you set view permission, please switch to read-only with propagate to children enabled
image

Author

quinh commented Apr 5, 2023

Sorry for the confusion, I didn't know "view" existed. We're using Role "read-only" forever.

Member

rschitz commented Apr 5, 2023

it looks like we are not the only one suffering from this issue: https://forum.xorux.com/discussion/1098/vmware-permission-errors

Author

quinh commented Apr 5, 2023

> can you share a screenshot of the warning please?

sexigraf

Author

quinh commented Apr 5, 2023

> it looks like we are not the only one suffering from this issue: https://forum.xorux.com/discussion/1098/vmware-permission-errors

Mhm, we're going to upgrade our vCenters later in April. I will respond here, if this error is eliminated by the update or not if you like.

Member

rschitz commented Apr 5, 2023

i'm discovering that i've already commented the code with this issue but impossible to remember why...
https://github.com/sexibytes/sexigraf/blob/develop/opt/sexigraf/ViPullStatistics.ps1#L275
i'll dig into it, feel free to update this issue whenever you like of course and again thank you for your help and feedback.

Author

quinh commented Apr 5, 2023

Out of curiosity we've cloned the read-only role and added the permission: view and stop sessions

custom_role

And to no surprise, the warning does not appear again.

Member

rschitz commented Apr 5, 2023

Great, thanks. Actually this is for session listing so i'll add a permission check as a condition for that part

Author

quinh commented Apr 5, 2023

Ah, now it's getting clearer. Look at the VMware vCenter active sessions dashboard. The timespan when we changed the role to have the "view and stop sessions" permission delivered actual data. Afterwards we switched back to "read-only" and it stopped again.

active_sessions_dashboard

Member

rschitz commented Apr 5, 2023

yes the permission has been changed a long time ago

rschitz added a commit that referenced this issue Apr 5, 2023
Member

rschitz commented Apr 6, 2023

@quinh feel free to test the fixed code i just committed. i'll close this issue now that the problem is fixed, thank you very much for your support!

@rschitz rschitz closed this as completed Apr 6, 2023
@rschitz rschitz added this to the 0.99j - St. Olga milestone Apr 6, 2023
Author

quinh commented Apr 18, 2023

@rschitz - back from vacation and testing your fixes.

sexigraf logfile says:
[INFO] Sessions.TerminateSession privilege not detected, SessionManager skipped ...

but vCenter still says:
Privilege check failed for user VSPHERE.LOCAL\Sexygraf for missing permission Sessions.TerminateSession. Session user performing the check: VSPHERE.LOCAL\Sexygraf

@rschitz rschitz reopened this Apr 19, 2023
rschitz added a commit that referenced this issue Apr 19, 2023
Member

rschitz commented Apr 19, 2023

Please try this version, for some weird reasons, checking permissions triggers the alert so i worked around this by getting the privileges from the role of the user. After modifying the ps1 file, please terminate the sexigraf user session because i also noticed that connecting with a previous token after changing the permission could also trigger the alert.

image

@rschitz rschitz closed this as completed Jul 23, 2023
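
The workaround described in the last comment, as an added example (not the code from the referenced commits and not SexiGraf's own): decide from role definitions whether the account holds `Sessions.TerminateSession`, the privilege behind "View and Stop sessions", instead of asking vCenter to perform a privilege check that it then logs as failed. The function name `Test-RolePrivilege` and the sample roles and permissions are constructed; feeding it from `AuthorizationManager` (`RetrieveAllPermissions()` and `RoleList`) is an assumption about wiring, not something shown in the thread.

```powershell
# Added example: resolve a privilege from role membership, with no live privilege check.
function Test-RolePrivilege {
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$PrivilegeId,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Permissions,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Roles
    )
    # Role ids assigned directly to this principal (-eq is case-insensitive).
    $roleIds = @($Permissions |
        Where-Object { $_.Principal -eq $Principal } |
        ForEach-Object { $_.RoleId } |
        Select-Object -Unique)

    # No visible assignment (e.g. access granted only through a group):
    # fail closed, so the session listing is skipped rather than attempted.
    if ($roleIds.Count -eq 0) { return $false }

    foreach ($role in $Roles) {
        if ($roleIds -contains $role.RoleId -and $role.Privilege -contains $PrivilegeId) {
            return $true
        }
    }
    return $false
}

# Constructed sample data shaped like the vSphere API objects
# (AuthorizationRole: RoleId/Name/Privilege, Permission: Principal/RoleId).
$roles = @(
    [pscustomobject]@{ RoleId = -2;   Name = 'ReadOnly'
                       Privilege = @('System.Anonymous', 'System.Read', 'System.View') }
    [pscustomobject]@{ RoleId = 1101; Name = 'ReadOnly-Sessions'   # hypothetical cloned role
                       Privilege = @('System.Anonymous', 'System.Read', 'System.View',
                                     'Sessions.TerminateSession') }
)
$perms = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\sexigraf'; RoleId = -2; Propagate = $true }
)

# Against a live vCenter (assumption, not from the thread):
#   $am = Get-View (Get-View ServiceInstance).Content.AuthorizationManager
#   ... -Permissions $am.RetrieveAllPermissions() -Roles $am.RoleList
$user = 'VSPHERE.LOCAL\sexigraf'
if (Test-RolePrivilege -Principal $user -PrivilegeId 'Sessions.TerminateSession' `
        -Permissions $perms -Roles $roles) {
    'Sessions.TerminateSession present, session list can be collected'
} else {
    '[INFO] Sessions.TerminateSession privilege not detected, SessionManager skipped ...'
}
```

With the plain read-only assignment in the sample data the session listing is skipped; pointing the permission at the cloned role (`RoleId = 1101`) takes the other branch, at the cost of granting the monitoring account the right to stop sessions.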