Error: Cannot create 'HP Anyware Manager' Role Definition


Problem

The following error can occur if you deploy HP Anyware Manager in subscription A for testing and then redeploy it in subscription B.

Cannot create 'Cloud Access Manager' Role Definition
New-AzureRmRoleDefinition : A role definition cannot be updated with a name that already exists.

 

Solution

This issue has to do with how the Role is saved as an Azure Active Directory object across your subscriptions. You can fix it by re-creating the Role in the correct subscription, but to do this you first need to remove the Role Assignments assigned to the ‘Cloud Access Manager’ Role. You can do this in one of two ways:

1. Delete the Service Principal(s) created for HP Anyware Manager (in which case your old HP Anyware Manager deployment will no longer work).
2. Reassign the Service Principal(s) created for HP Anyware Manager to a different role (in which case your HP Anyware Manager deployment will continue to work correctly if the role has the correct permissions).

 

Delete the service principal

You can do this in the Azure portal by going to Azure Active Directory -> App Registrations and then searching for “CAM-” across “All Apps”. All service principals we create on your behalf for HP Anyware Manager have the “CAM-” prefix. If you created a service principal account manually for CAM, you will need to find that service principal. To delete the service principal, click on it and then click the “Delete” button.

 

Removing the role

Run the following command in Cloud Shell:

Get-AzureRmRoleDefinition -Name "Cloud Access Manager" | Remove-AzureRmRoleDefinition


If you get an error about assignments existing for that Role, some Azure Resource or Resource Group currently has the Role assigned to it, so you will need to find and delete or change that assignment to fix the issue.

You should be able to create a Role in your new subscription by either running Deploy-CAM.ps1 or by going through the steps at http://www.teradici.com/web-help/pcoip_cloud_access_manager/current/cam_create_role/.

 

Reassign the service principal

Copying the existing role

A new role needs to be created and permissions updated. To create a new role called "Cloud Access Manager OLD", run the following commands in Cloud Shell to copy the existing role:

# Load the existing custom role definition
$camCustomRoleDefinition = Get-AzureRmRoleDefinition "Cloud Access Manager"
# Clear the Id so that a new definition is created instead of the existing one being updated
$camCustomRoleDefinition.Id = $null
$camCustomRoleDefinition.IsCustom = $true
# Give the copy its own name
$camCustomRoleDefinition.Name = "Cloud Access Manager OLD"
New-AzureRmRoleDefinition -Role $camCustomRoleDefinition

 

Updating the Role Assignment for the service principal

The service principal account role needs to be updated in the following places to "Cloud Access Manager OLD":

  • The Cloud Access Manager root resource group (where the CAM- keyvault and storage account are located)
  • The Cloud Access Manager Connector resource group (ends in -CN# or -CS#)
  • All Remote Workstation Resource group(s) (ends in -RW)
  • The vNet that the remote workstations were deployed to if the vNet does not exist in the above resource groups

To change the Role Assignment for the service principal:

  1. In the Azure Portal go to “Resource Groups”, select the Cloud Access Manager Resource group, then select “Access Control (IAM)”.
  2. Search for the Cloud Access Manager service principal credential (search for the name “CAM-”).
  3. Select the service principal, remove it, then add it back with the desired Role (i.e., “Cloud Access Manager OLD”).
  4. Repeat this for all the locations listed above.
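
The same reassignment done from Cloud Shell instead of the portal, as an added example that is not part of the original article or of the HP Anyware Manager deployment scripts. It assumes the "Cloud Access Manager OLD" role from the previous step already exists and that the current context is the subscription holding the old deployment; it moves every assignment of the old role, not only those of principals named "CAM-".

```powershell
# Added example: move all assignments of the old role to its copy.
$oldRole = "Cloud Access Manager"
$newRole = "Cloud Access Manager OLD"   # created in "Copying the existing role"

# Show the scopes (subscriptions) in which the custom role can be assigned,
# so you know which subscriptions may still hold assignments.
(Get-AzureRmRoleDefinition -Name $oldRole).AssignableScopes

# List every assignment of the old role in the current subscription
# (resource groups, vNets and any other scope) for review before changing anything.
$assignments = @(Get-AzureRmRoleAssignment -RoleDefinitionName $oldRole)
$assignments | Format-Table DisplayName, ObjectType, Scope -AutoSize

foreach ($a in $assignments) {
    # Get-AzureRmRoleAssignment -Scope also returns inherited assignments,
    # so keep only those made at exactly this scope.
    $existing = Get-AzureRmRoleAssignment -ObjectId $a.ObjectId `
                    -RoleDefinitionName $newRole -Scope $a.Scope |
                Where-Object { $_.Scope -eq $a.Scope }

    # Grant the copy first so the principal never loses access.
    # -ErrorAction Stop aborts the loop before the removal if the grant fails.
    if (-not $existing) {
        New-AzureRmRoleAssignment -ObjectId $a.ObjectId `
            -RoleDefinitionName $newRole -Scope $a.Scope -ErrorAction Stop | Out-Null
    }

    Remove-AzureRmRoleAssignment -ObjectId $a.ObjectId `
        -RoleDefinitionName $oldRole -Scope $a.Scope -ErrorAction Stop
}

# The old role can only be removed once nothing is assigned to it.
$remaining = @(Get-AzureRmRoleAssignment -RoleDefinitionName $oldRole)
if ($remaining.Count -eq 0) {
    "No assignments of '$oldRole' remain in this subscription."
} else {
    $remaining | Format-Table DisplayName, ObjectType, Scope -AutoSize
}
```

Repeat it in each subscription listed under AssignableScopes before removing the role.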

 

Removing the role

Run the following command in Cloud Shell:

Get-AzureRmRoleDefinition -Name "Cloud Access Manager" | Remove-AzureRmRoleDefinition


If you get an error about assignments existing for that Role, some Azure Resource or Resource Group currently has the Role assigned to it, so you will need to find and delete or change that assignment to fix the issue.

You should be able to create a Role in your new subscription by either running Deploy-CAM.ps1 or by going through the steps at http://www.teradici.com/web-help/pcoip_cloud_access_manager/current/cam_create_role/.