Applies To
Venafi Trust Protection Platform 15.1, 15.2, 15.3
Background
Deleting Agents is a new feature in Venafi Trust Protection Platform 15.1. By logging into Aperture and navigating to the Agent List, you can drill into an agent's details and choose to delete that agent's records from the Venafi Trust Protection Platform.
Only Master Admins can delete agent records.
Symptom
When logged in as an Active Directory or LDAP user who has Master Admin permissions, the user does not see the "Delete Agent" button.
Cause
A bug in Venafi Trust Protection Platform 14.1 through 15.1 meant that when the Active Directory and LDAP Identity Wizards were used, the service account used for those connections was not given "Access Control" permissions for the Client Subsystem, which has its own permissions system. Because of this, Master Admins from Active Directory and LDAP identities could not perform "delete" operations on agents when the feature was introduced in 15.1: they lacked "delete" permissions for the Client Subsystem.
Resolution
The permissions issue with the Active Directory and LDAP Wizard was fixed in 15.2. To repair the permissions of Master Admin accounts, perform the following steps:
1. Make sure your Venafi Trust Protection Platform is on 15.2 or higher.
2. Log in to the Windows Administration Console as a Local Master Administrator.
3. Go to the Identity Tree and select your Active Directory or LDAP Identity Provider.
4. Click the Wizard button to re-launch the wizard for that provider.
5. Click through the wizard; do NOT change any of the identity settings in the wizard.
6. Complete the wizard. This repairs the permissions for the account used by this Active Directory or LDAP Identity Provider.
7. Log in to the Windows Administration Console or Web Administration Console using the service account that your LDAP or Active Directory Identity Provider uses. This will be a Venafi Master Admin account.
8. Navigate to the Identity Tree and search for other Active Directory or LDAP identity accounts that are Master Admins.
9. Remove their Master Admin permissions and click Save.
10. Give their Master Admin permissions back and click Save.
11. Have that user log in to Aperture.
12. They should now be able to delete agents.
13. Repeat steps 7-10 for any Master Admin who needs to be able to delete agents.