VMware Cloud Community
ns5445
Contributor

Permission problem with Vcenter Server

Hi,

I am unable to create a new VM under any host in the datacenter. It says "You do not have the privilege." As per the admin guide I have defined a role with all the privileges assigned to it (checked all) and then applied this role to my Domain User with the "Propagate to child objects" box checked. Wondering why I still don't have the privilege to create a VM.

Am I missing any step... please help!!!

Thanks!

8 Replies
ns5445
Contributor

No replies... surprised. Is it that tough?!

joshp
Enthusiast

It's possible you haven't received many replies because the information you have provided thus far is not all that helpful in diagnosing the issue. vCenter permissions use a most restrictive model... if it's possible your account is a member of another group or role defined in vCenter that is more restrictive than the role you assigned to your account, your effective permissions will be limited to the most restrictive role.

VCP 3, 4 www.vstable.com
weinstein5
Immortal

To add, the community is quite active and things can be overlooked - did you create a custom role or did you use one of the predefined roles? If you created a custom role, try using the predefined admin role and see if you are able to create the VM.

And I apologize, but this has happened to me where I have not realized what credentials I had logged into vCenter with - are you using the correct AD credentials to access vCenter?

hicksj
Virtuoso

GovFT wrote:

vCenter permissions use a most restrictive model...

This is not a true statement. I've addressed this in many other posts on this forum, and rather than rehash here, search the forum for "hicksj" and "permissions" for more details.

To the original poster:

Regarding permissions required to create a VM, where did you assign those permissions? It sounds like you may have only granted permissions at a Host or Cluster. You will need permissions at both the resource (Hosts & Clusters view) and a folder (VM & Templates view).

joshp
Enthusiast

J Hicks wrote:

This is not a true statement. I've addressed this in many other posts on this forum, and rather than rehash here, search the forum for "hicksj" and "permissions" for more details.

If I were to place "UserA" in a Domain Security group "vCenter Admins" and apply the security group with vCenter "Administrator" role at the top-most level in the hosts and clusters inventory view (the vCenter server hostname) and then I also directly place "UserA" with the vCenter "Read-only" role at the same object level, the effective permissions for "UserA" will be read-only all the way down the vCenter object structure--effectively a most restrictive permission model.

However, I would agree that if I were to directly assign "UserA" to an object lower in the tree with, say, the "Administrator" role, "UserA" would in fact be an administrator on that particular object.

VCP 3, 4 www.vstable.com
hicksj
Virtuoso

Yes. That appears to be a special case, as others have experienced, regarding the Read-Only role at root. No idea why the effective permissions calculation differs at the root, or topmost level... Though, that topmost level _is_ special - as permissions there flow to all child views (VMs, Datastores, Hosts, Networks).

I have a test scenario set up with two groups (with the same member user) assigned the Admin and Read-Only roles on a Folder object. That user's effective permission is Admin. Same goes for custom roles with varying privileges - all privileges ticked in those roles are available to the user. I expect you'll see the same, as you have with overriding inherited.

In my mind (for whatever that's worth), it's best explained as "Proximity." In other words, whatever inherited privilege assigned closest to the object will apply, with direct assignments overriding inherited. The term "least privilege" can be misleading.

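The two points hicksj makes above (creating a VM needs rights in both the Hosts & Clusters view and the VMs & Templates view, and effective rights follow "proximity": the nearest assignment wins, direct beats inherited, same-level assignments merge) as an added toy model. This is illustration code, not VMware's algorithm or any poster's code; the inventory objects, principals and the trimmed privilege sets are constructed for the example.

```python
# Toy model of the effective-permission rules described in this thread.
# Added illustration only, not VMware's implementation; names are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Roles as privilege sets. The ids mirror vSphere's naming for VM creation;
# the sets are deliberately reduced, not the full product role definitions.
ROLES = {
    "Administrator": {"VirtualMachine.Inventory.Create", "Resource.AssignVMToPool"},
    "Read-only": set(),
}

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    assignments: dict = field(default_factory=dict)  # principal -> (role, propagate)

def effective_privileges(node, principals):
    """principals: the user plus every group the user belongs to."""
    depth, n = 0, node
    while n is not None:
        privs, found = set(), False
        for p in principals:
            if p in n.assignments:
                role, propagate = n.assignments[p]
                if depth == 0 or propagate:   # non-propagated grants count only on the object itself
                    privs |= ROLES[role]       # same-level grants merge (hicksj's Admin + Read-only folder test)
                    found = True
        if found:                              # nearest level holding any grant decides ("proximity")
            return privs
        depth, n = depth + 1, n.parent
    return set()

def can_create_vm(principals, vm_folder, compute):
    """Creation needs rights in both views: the VM folder and the host/cluster."""
    return ("VirtualMachine.Inventory.Create" in effective_privileges(vm_folder, principals)
            and "Resource.AssignVMToPool" in effective_privileges(compute, principals))

def original_poster_scenario(fix_applied):
    """OP's setup: full role granted on a host folder only; fix also grants it on the VM folder."""
    root = Node("vcenter")
    dc = Node("Datacenter", root)
    host_folder = Node("HostFolder", dc)
    cluster = Node("Cluster01", host_folder)
    vm_folder = Node("LabVMs", dc)
    host_folder.assignments["DOMAIN\\user"] = ("Administrator", True)
    if fix_applied:
        vm_folder.assignments["DOMAIN\\user"] = ("Administrator", True)
    return can_create_vm(["DOMAIN\\user"], vm_folder, cluster)
```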
hicksj
Virtuoso

ns5445 wrote:

No replies... surprised. Is it that tough?!

no replies... to our replies?!?

ns5445
Contributor

I applied it to the Hosts and Clusters view on a specific folder which had hosts consolidated under it. But when I saw it didn't work, as I couldn't create a VM on these hosts, I figured it might be conflicting with my Virtual Machine Power User privileges on one of the folders having 4 VMs under the VMs and Templates view. I was able to fix it after giving admin privileges at the top level of the Hosts and Clusters view and then locking down as read-only the VMs under the VMs and Templates view I don't need admin access for. This is a lab environment so I could break and fix things, but in real life if an admin has to give users privileges at the highest level and then start locking down all over the place - Hosts and Clusters view, VMs and Templates view separately - it will be a mess.

Thanks for your response. I wasn't hoping for an overwhelming response in the last few hrs after posting it for more than 36 hours. Sorry, I should have kept my expectations low.

Cheers!
