Issue: Can't Delete Agent/Client Registration Entries in Aperture

Applies To

Venafi Trust Protection Platform 15.1, 15.2, 15.3


Deleting agents is a new feature in Venafi Trust Protection Platform 15.1. Log in to Aperture, open the Agent List, drill into an agent's details, and choose Delete to remove that agent's records from Venafi Trust Protection Platform.

Only Master Admins can delete agent records.


When an Active Directory or LDAP user who has Master Admin permissions logs in to Aperture, the "Delete Agent" button is not shown.



A bug in Venafi Trust Protection Platform 14.1 through 15.1 caused the Active Directory and LDAP Identity Wizards to not grant the service account used for those connections "Access Control" permissions on the Client Subsystem, which has its own permissions system. Because of this, when the delete feature was introduced in 15.1, Master Admins from Active Directory and LDAP identities could not perform "delete" operations on agents: they had never been given "delete" permissions on the Client Subsystem.


The permissions issue with the Active Directory and LDAP Wizards was fixed in 15.2. To repair the permissions of existing Master Admin accounts, perform the following steps:

  1. Make sure your Venafi Trust Protection Platform is on 15.2 or higher.
  2. Log in to the Windows Administration Console as a local Master Admin.
  3. Go to the Identity Tree and select your Active Directory or LDAP Identity Provider.
  4. Click the Wizard button to re-launch the wizard for that provider.
  5. Click through the wizard. Do NOT change any of the identity provider's settings.
  6. Complete the wizard. This repairs the permissions of the service account used by this Active Directory or LDAP Identity Provider.
  7. Log in to the Windows Administration Console or the Web Administration Console as the service account that your LDAP or Active Directory Identity Provider uses (this account is a Venafi Master Admin).
  8. Navigate to the Identity Tree and search for the other Active Directory or LDAP identity accounts that are Master Admins.
  9. Remove their Master Admin permissions and click Save.
  10. Grant their Master Admin permissions back and click Save.
  11. Have that user log in to Aperture.
  12. They should now be able to delete agents.
  13. Repeat steps 8 through 12 for any other Master Admin who needs to be able to delete agents.

Note that an account has no Master Admin access between steps 9 and 10, so perform these steps when that user is not actively working in the platform.

