When deploying VMs using my user community's permissions, I am unable to select customization specifications (see attached customization.jpg). The option is available when using admin privileges, so the required SysPrep and other files are in place.
I have checked the "read customization" privilege is available.
That permission at the vm level is not enough. Since the customization spec is owned at the datacenter level, you will have to give that permission at the hosts & clusters or datacenters level. If you do not want to give permissions for your entire vc, create a new custom role that has access to customization as needed, and give your users that role at the hosts & clusters level.
That moves me on, thanks, but now I'm frustrated because I can't see which action is throwing a vmomi error in the client; without knowing what it was trying to do (among all the many minor subtleties when trying to perform any action in VI) it is hard to know what's causing the problem.
Let me ask a different question: we want to delegate rights to create and edit VMs and clone them from templates, to a group; we have numerous resource pools and folders; we don't want people to see what's in other resource pools and folders. This must be pretty common. Is there a document anywhere that says exactly what settings are needed for this to work without continually throwing errors?
We had it nailed in 2.0 but the upgrade to 2.5 and the bodges we had to make to get 2.5 to work before Update 1 seem to have conspired to render the previous set of permissions fatally broken.
SysPrep files are in place, it works as Admin, that thread is about the annoying variants of SysPrep (ho yus, been there). Was that the thread you meant to recommend? I can entirely believe it's been discussed before.
The permissions should be about the same as they were previously, although there are new permissions in the roles. The best way to limit access is to provide access at the lowest level container of the objects you want to allow access to. Meaning, if you have resource pools separated, then give access at the pool, or create a child pool, and give access there.
That way, you can clone the administrator role, and remove access to what you don't want to allow, like create pool, etc. Give access on those resource pools to your custom administrator role, and you should be good to go. Remember, your permissions can flow down, if you allow propagate, but they won't flow up. So, if you give rights to create a datacenter, but only at a resource pool level, then that role will still not be able to create a datacenter.
At the template folder:
Virtual Machine > Provisioning > Customize
This right needs to be propagated.
At the root (Hosts & Clusters / Virtual Machines & Templates) folder:
Virtual Machine > Provisioning > Read Customization Specifications
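Added illustration, not written by any poster in this thread and not VMware code: a simplified Python model of the rule the replies describe, that a grant flows down only when propagated and never flows up, used to compare a grant made too low in the tree with the layout in the last reply. The inventory names, the group `vm-builders` and the function names are constructed; the model assumes the nearest applicable grant wins and that reading the specification list is checked at the root folder.

```python
# Simplified model of vCenter permission propagation (added example).
# Inventory names and the group name are constructed for illustration.
PARENT = {                      # child -> parent in the inventory tree
    "root": None,
    "datacenter": "root",
    "template-folder": "datacenter",
    "team-a-pool": "datacenter",
    "win2003-template": "template-folder",
}

CUSTOMIZE = "Virtual Machine > Provisioning > Customize"
READ_SPECS = "Virtual Machine > Provisioning > Read Customization Specifications"


def effective_privileges(grants, principal, obj):
    """Return the privilege set `principal` holds on `obj`.

    grants: list of (object, principal, privileges, propagate).
    A grant applies on its own object, and on descendants only when
    propagate is True. The nearest applicable grant wins; nothing is
    ever inherited upward from a child.
    """
    node, distance = obj, 0
    while node is not None:
        for g_obj, g_principal, privs, propagate in grants:
            if g_obj == node and g_principal == principal and (distance == 0 or propagate):
                return set(privs)
        node, distance = PARENT[node], distance + 1
    return set()


def can_customize_clone(grants, principal, template):
    """Customize is checked on the template; reading the specification
    list is checked at the root (assumption taken from the last reply)."""
    return (CUSTOMIZE in effective_privileges(grants, principal, template)
            and READ_SPECS in effective_privileges(grants, principal, "root"))


# Grant made low in the tree only: the case the first reply says is not enough.
too_low = [("template-folder", "vm-builders", {CUSTOMIZE, READ_SPECS}, True)]

# Layout from the last reply: Customize on the template folder (propagated),
# Read Customization Specifications on the root folder.
as_advised = [
    ("template-folder", "vm-builders", {CUSTOMIZE}, True),
    ("root", "vm-builders", {READ_SPECS}, False),
]
```

With the root grant left non-propagating, `vm-builders` gains nothing on `team-a-pool`, which is the isolation between pools and folders the thread asks for.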