The vRA environment was multi-tenant, with one additional tenant (Customer-1) next to the default tenant. To have the vROps Management Pack collect data from both tenants, we need the same user account across both tenants. In my case an AD user account (service account) would be the account to manage this.
The AD account needs to have the correct vRA roles in each of the tenants:
- Infrastructure Administrator
- Tenant Administrator
- Fabric Group Administrator
- Software Architect role (vRA 7.0 and later)
Adding this account to the required roles is easy and went without any issue on the default tenant. When doing the same on the Customer-1 tenant, adding the account (svc_vra in my screenshot) to the Infrastructure and Tenant Administrator roles, I ran into an issue. To complete the action you need to click "Finish".
When I did this it returned an error message and failed to complete successfully:
Another user has already modified the data. Please reload the form and try again.
The only error that could be found in the vRA logging was the following:
It needs the vRA domain user added across all tenants; one tenant with error:
com.vmware.vcac.authentication.service.sso.horizon.HorizonTenantManagement.updateUserAttributeDefinitions:265 - Updating user attribute definitions in the tenant 'Customer-1'...
2016-11-29 08:28:33,186 vcac: [component="cafe:identity" priority="ERROR" thread="tomcat-http--32" tenant="vsphere.local" context="7kprPPeo" parent="" token="7kprPPeo"] com.vmware.vcac.platform.rest.client.error.ResponseErrorHandler.handleRestError:113 - [Rest Error]: {Status code: 409}, {Error code: 7} , {Error Source: null}, {Error Msg: Duplicate user attribute definition "manager" for org.}, {System Msg: vidm.userattributedefinition.duplicate}
2016-11-29 08:28:33,189 vcac: [component="cafe:identity" priority="ERROR" thread="tomcat-http--32" tenant="vsphere.local" context="7kprPPeo" parent="" token="7kprPPeo"] com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleRestException:610 - [Rest Error]: {Status code: 409}, {Error code: 7} , {Error Source: null}, {Error Msg: Duplicate user attribute definition "manager" for org.}, {System Msg: vidm.userattributedefinition.duplicate}
Referring to the AD user attribute "manager", which is added in addition to the default user attributes:
The error message you see in the partial logging above refers to a duplicate user attribute "manager". This user attribute is not a default user attribute but was additionally added in each of the tenants. Having this attribute in multiple tenants looks like the cause of my error.
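To pick errors like the two above out of a larger log file, the following added example (not part of the original post and not VMware code) parses the log line layout shown on this page and reports which user attribute triggered the 409. The sample input is the two ERROR lines quoted above plus one constructed INFO line; the function names are illustrative.

```python
import re

# Constructed sample: one constructed INFO line (must be skipped) followed by
# the two ERROR lines quoted on this page.
SAMPLE_LOG = '''\
2016-11-29 08:28:30,001 vcac: [component="cafe:identity" priority="INFO" thread="tomcat-http--32" tenant="vsphere.local" context="constructed" parent="" token="constructed"] constructed.Example.method:1 - constructed informational line
2016-11-29 08:28:33,186 vcac: [component="cafe:identity" priority="ERROR" thread="tomcat-http--32" tenant="vsphere.local" context="7kprPPeo" parent="" token="7kprPPeo"] com.vmware.vcac.platform.rest.client.error.ResponseErrorHandler.handleRestError:113 - [Rest Error]: {Status code: 409}, {Error code: 7} , {Error Source: null}, {Error Msg: Duplicate user attribute definition "manager" for org.}, {System Msg: vidm.userattributedefinition.duplicate}
2016-11-29 08:28:33,189 vcac: [component="cafe:identity" priority="ERROR" thread="tomcat-http--32" tenant="vsphere.local" context="7kprPPeo" parent="" token="7kprPPeo"] com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleRestException:610 - [Rest Error]: {Status code: 409}, {Error code: 7} , {Error Source: null}, {Error Msg: Duplicate user attribute definition "manager" for org.}, {System Msg: vidm.userattributedefinition.duplicate}
'''

LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) vcac: \[(?P<hdr>[^\]]*)\] (?P<src>\S+) - (?P<msg>.*)$')
HDR_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs in the [...] header
FIELD_RE = re.compile(r'\{([^:{}]+): ([^{}]*)\}')  # {Key: value} pairs in the REST error
DUP_RE = re.compile(r'Duplicate user attribute definition "([^"]+)"')


def parse_rest_errors(text):
    """Return one dict per ERROR line that carries a [Rest Error] payload."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines / stack traces do not match the layout
        hdr = dict(HDR_RE.findall(m["hdr"]))
        if hdr.get("priority") != "ERROR" or "[Rest Error]" not in m["msg"]:
            continue
        fields = dict(FIELD_RE.findall(m["msg"]))
        dup = DUP_RE.search(fields.get("Error Msg", ""))
        events.append({
            "time": m["ts"], "tenant": hdr.get("tenant"), "context": hdr.get("context"),
            "source": m["src"], "status": int(fields.get("Status code", "0")),
            "system_msg": fields.get("System Msg"),
            "duplicate_attribute": dup.group(1) if dup else None,
        })
    return events


def duplicate_attributes(events):
    """Group 409 duplicate-attribute errors by request context id."""
    out = {}
    for e in events:
        if e["status"] == 409 and e["duplicate_attribute"]:
            out.setdefault(e["context"], set()).add(e["duplicate_attribute"])
    return out


if __name__ == "__main__":
    for ctx, attrs in duplicate_attributes(parse_rest_errors(SAMPLE_LOG)).items():
        print(f"request {ctx}: duplicate user attribute(s) {sorted(attrs)}")
```

Both ERROR lines share one context id, so grouping by it collapses them into a single failed request. The header's tenant field reads vsphere.local even though the update was for Customer-1, so filtering on that field alone would not isolate the affected tenant.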
To be sure, I removed the user attribute "manager" from the user attributes in the Customer-1 tenant.
After the user attribute "manager" was removed, I could add the account to the Infrastructure and Tenant Administrator roles without any issue.
Note: Don't forget to add the user attribute "manager" back to the user attribute configuration of the tenant.