I've created a custom role in vCenter 6.7 for VM deployments. When I grant permissions based on that role to my test Active Directory account directly, it works. However, when I grant the perms to an AD group of which that same account is a member, it doesn't work. Some of the symptoms of it not working are:
- Cannot create/rename/delete folders (options are grayed out)
- Cannot deploy a VM (at the choose host/cluster stage, no hosts or clusters are visible, only the datacenter object)
Another odd symptom: this environment has two vCenters in linked mode. If I remove all VC permissions from the test AD account and ensure that it's only a member of the default AD "Domain Users" group, it can see no folders in one vCenter (which is the expected behavior) and all folders in the other one (which is not).
I'm presuming there's some kind of AD-related permissions conflict going on, but I have no idea how to troubleshoot this. Any suggestions?
