VMware Cloud Community
MattGoddard
Enthusiast

Permissions errors when deploying from a template

I've created a custom role in vCenter 7 with a limited permissions set for users who need to deploy VMs from various templates. However, while testing this, when I click 'FINISH' at the end of the deploy dialog, I immediately get this error:

"Permission to perform this operation was denied. NoPermission.message.format"

The privileges for the role are shown in the attached pic.

I applied this role to the relevant cluster, VM folder, datastore folder and dvSwitch that the users will be deploying to. Additionally, I granted the "Read customization specifications" and "Profile-driven storage view" privileges at the top level of vCenter.

Is there something I'm missing? As far as I can see, this ought to work.

3 Replies
Ardaneh
Enthusiast

I've tried your permissions set in my lab and there was no error. I chose a single ESXi host and the deployment of the VM from the template was successful, so please check if those users are not joined to another group with more restricted permissions.

If you choose a resource pool or vApp to deploy your VM, please add "Move" permission to your account and try again.

I hope this could be helpful.

Cheers

MrCheesecake
Enthusiast

I just ran into this and the issue was that the template VM resources were located in a cluster that my user(s) didn't have access to. Although they had all the correct permissions in the TARGET folder/resources, they had no rights to the SOURCE, even though the template was in a folder they had access to.

The fix was to convert the template back to a VM, move the VM to storage/hosts/etc. that the users have access to, and then reconvert to a template.

operando
Enthusiast

Got the same error when deploying the VM with increasing disk size.

Solved after assigning "allocate space" permission on the source datastore with templates. It looks like a bug in the RBAC logic, because the change of the disk occurs on the target datastore with proper permissions after cloning.

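Added example, not part of any post above: an offline Python model of how a role assigned only on the target objects leaves the source side of a template deployment uncovered, as the second and third replies describe. The inventory names, the role contents and the list of checks are assumptions constructed for illustration (the privilege IDs are vSphere's own), and the model covers a single user with no group memberships.

```python
# Added example: offline model of vCenter permission inheritance for one user.
# Inventory and object names are constructed; privilege IDs are vSphere's.
PARENT = {  # child -> parent
    "dc": None,
    "templates-folder": "dc", "tmpl-ubuntu": "templates-folder",
    "cluster-mgmt": "dc", "ds-templates": "dc",   # where the template lives
    "cluster-dev": "dc", "dev-vm-folder": "dc", "dvs-dev": "dc",
    "ds-folder-dev": "dc", "ds-dev-01": "ds-folder-dev",
}
DEPLOY_ROLE = frozenset({
    "VirtualMachine.Provisioning.DeployTemplate",
    "VirtualMachine.Inventory.CreateFromExisting",
    "Resource.AssignVMToPool", "Datastore.AllocateSpace", "Network.Assign",
})
# (side, object, privilege); None = the user needs some role on the object.
# Assumed, partial list: source rows come from the replies in this thread.
CHECKS = [
    ("source", "tmpl-ubuntu", "VirtualMachine.Provisioning.DeployTemplate"),
    ("source", "cluster-mgmt", None),                       # second reply
    ("source", "ds-templates", "Datastore.AllocateSpace"),  # third reply
    ("target", "dev-vm-folder", "VirtualMachine.Inventory.CreateFromExisting"),
    ("target", "cluster-dev", "Resource.AssignVMToPool"),
    ("target", "ds-dev-01", "Datastore.AllocateSpace"),
    ("target", "dvs-dev", "Network.Assign"),
]
# entity -> (privileges, propagate): role on the template folder and targets only
GRANTS = {name: (DEPLOY_ROLE, True) for name in (
    "templates-folder", "cluster-dev", "dev-vm-folder", "ds-folder-dev", "dvs-dev")}

def effective(obj, grants):
    """Privileges from the object's own assignment, else from the closest
    propagating ancestor. None means the user has no access at all."""
    node, is_self = obj, True
    while node is not None:
        if node in grants and (is_self or grants[node][1]):
            return grants[node][0]
        node, is_self = PARENT[node], False
    return None

def audit(checks, grants):
    """Return (side, object, privilege) for every check the user fails."""
    missing = []
    for side, obj, priv in checks:
        privs = effective(obj, grants)
        if privs is None or (priv and priv not in privs):
            missing.append((side, obj, priv or "any access"))
    return missing

if __name__ == "__main__":
    for side, obj, priv in audit(CHECKS, GRANTS):
        print(f"{side:6} {obj:14} missing: {priv}")
```

With the constructed grants, every target check passes and only the two source-side rows are reported, which is the pattern to look for when the deploy wizard fails at 'FINISH' despite a correct target role.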