I'm saying that if I log in to the H5/Flash client with the same (restricted) user as I tried above with PowerCLI, it works.
The login also worked a few PowerCLI versions before.
And I can create a VM in the resource pool the user is assigned to.
After waiting a long time I got an answer back from VMware Engineering:
"user needs ReadOnly permission on the VC level. This is required for other PowerCLI functionalities like Tagging, ContentLibrary etc."
In my opinion, this really makes no sense, because as I told them: it works with an older PCLI version, with REST and with the GUI.
And we would not and could not give everyone permission on VC level.
I will keep this updated.
The login issue is now fixed in 11.3.0.
The primary issue (create vm) is still not fixed.
Since many tests have been performed, when exactly is the New-VM not working?
Platform, account type, error message...
new-vm version 11.3.0
user is a restricted user
new-vm -name blah -ResourcePool mypool -Location myfolder
new-vm : 21.06.2019 10:04:47 New-VM
At line:1 char:1
+ new-vm -name blah -ResourcePool mypool -Location myfolder
+ CategoryInfo : NotSpecified: (:) [New-VM], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.NewVM
If I understand this correctly and taking into account your previous tests, you can now do less than before?
Before you were able to create a VM with that account on a Windows platform.
We are talking about PowerShell v5.1 I assume?
I can do less than with version 10 (new-vm), but more than with 11.2 (login).
PowerShell is: 5.1.17134.765
Create a VM with this user is still possible in the Web or with REST.
Then I would suggest to re-open your SR (if it was already closed), and pass this new info (11.3.0) along.
Since I can't reproduce the issue you are seeing, it's hard for me to diagnose the cause of the issue.
The SR is still open. They provided me the workaround of setting RO permission on VC level, but I hope the issue is fixed in a future release, because I could not give all users RO on the top level.
Did you set the same restricted permissions to the user?
Our VC is 6.5, maybe that's the difference.
No, I'm on VC 6.7U1.
But I did test with the same privileges.
That's interesting, I have now tried on a VC 6.7 too, and I get an exception too.
I just checked again, and my test account had the System.Read privilege on the rootfolder, through a group membership.
So no, without System.Read on the rootfolder, it doesn't work.
Thank you for re-checking, so I'm not completely wrong with this.
I will update if I get some news from the SR.
Finally I got an answer from VMware Engineering; they will fix this issue in 11.5:
"[SR] Running new-vm cmdlet throws Core_BaseCmdlet_UnknownError after update to PowerCLI version 11.1.0.
This happens because encryption feature has been added in 11.1. Now while preparing VmConfigSpec it tries to initialize CryptoManager which fails if user doesn't have appropriate permission to view CryptoManager. To fix this we will initialize CryptoManager on need basis."