Diagnosing Account Permission Issues in vCenter Server Using Log Analysis

Article ID: 372454

Products

VMware vCenter Server

Issue/Introduction

Users may encounter permission errors when attempting to perform operations in vCenter Server using a service account, despite the account having seemingly appropriate group memberships or roles assigned.

Environment

Environment:
- vSphere 7.x or newer
- vCenter Server
- Service account with assigned roles or group memberships

Cause

These issues typically occur when a service account lacks a specific privilege required by the operation, even though it holds broader permissions or belongs to an administrator group. Documentation alone rarely makes the missing privilege obvious, so the quickest way to pinpoint it is to read the authorization decisions that vCenter records in its logs, provided you know which file to look in.

Resolution

1. Access the relevant log file:
   Option A: For live systems
   a. SSH into the vCenter Server Appliance.
   b. Navigate to the log directory:
       cd /var/log/vmware/applmgmt/
   c. Open the applmgmt-audit.log file: less applmgmt-audit.log

   Option B: For analyzing a support bundle
   a. Extract the vCenter support bundle.
   b. Locate the applmgmt-audit.log file within the extracted bundle.
       The file is under the vCenter Server subdirectory of the extracted bundle, at the relative path
       ./var/log/vmware/applmgmt/applmgmt-audit.log
   c. Open the file using a text editor.

2. Analyze the applmgmt-audit.log file:
   a. Search for entries related to the service account experiencing issues.
   b. Look for lines containing "Authorization request" and "Authorization Result".
   c. Note the timestamps of these entries to correlate with reported issue times.

3. Identify relevant log entries:
   a. For each relevant entry, check if the authorization was successful or failed.
   b. Identify which specific privileges are being allowed or denied.
   c. Example log entry format:
      "[Timestamp]: INFO Authorization Result: User=[username], priv=[privilege], authorized=[True/False]"

4. Compile findings:
   a. Make a list of denied privileges from the log entries.
   b. Compare these with the privileges required for the intended operations.

5. Adjust account permissions:
   a. Log in to the vSphere Client with an account that has permissions to modify roles.
   b. Navigate to Administration > Access Control > Roles.
   c. Edit the role assigned to the service account, or create a new role if necessary.
   d. Add the missing privileges identified in step 4. Grant only the privileges the intended operation requires; a privilege that was denied but is not needed by the operation is not a reason to widen the role.
   e. Save the changes.

6. Verify and test:
   a. Attempt to perform the previously failed operation using the service account.
   b. If issues persist, repeat the log analysis process, either by accessing live logs or generating a new support bundle.
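The script below is a worked example added to this article; it is not part of the original KB and not VMware code. It automates steps 2 through 4 of the procedure: it parses the "Authorization Result" lines in the layout quoted in step 3c, restricts them to one account and to the time window in which the failure was reported, and then splits the denied privileges into those the intended operation actually needs (add to the role) and those that fall outside that list (investigate before granting anything). The log lines, the account name svc-backup, the privilege names and the required-privilege list are all constructed for illustration; the regular expression assumes the line format shown in step 3c and must be adjusted if the real file differs.

```python
"""Triage applmgmt-audit.log authorization entries for one service account.

Added example for this article, not VMware code. It assumes the line layout
the article quotes in step 3c:
    <timestamp>: INFO Authorization Result: User=<u>, priv=<p>, authorized=True|False
Adjust RESULT_RE if the real file differs.
"""
import re
from collections import defaultdict
from datetime import datetime

RESULT_RE = re.compile(
    r"^(?P<ts>\S+): INFO Authorization Result: "
    r"User=(?P<user>[^,]+), priv=(?P<priv>[^,]+), authorized=(?P<auth>True|False)\s*$"
)

# Constructed sample in the article's format, not a real capture.
# Account and privilege names are illustrative only.
SAMPLE_LOG = """\
2024-05-14T10:22:30.101Z: INFO Authorization request: User=svc-backup, priv=System.Read
2024-05-14T10:22:30.102Z: INFO Authorization Result: User=svc-backup, priv=System.Read, authorized=True
2024-05-14T10:22:31.512Z: INFO Authorization request: User=svc-backup, priv=VirtualMachine.State.CreateSnapshot
2024-05-14T10:22:31.513Z: INFO Authorization Result: User=svc-backup, priv=VirtualMachine.State.CreateSnapshot, authorized=False
2024-05-14T10:22:31.601Z: INFO Authorization Result: User=administrator@vsphere.local, priv=VirtualMachine.State.CreateSnapshot, authorized=True
2024-05-14T10:22:32.002Z: INFO Authorization Result: User=svc-backup, priv=VirtualMachine.State.RemoveSnapshot, authorized=False
2024-05-14T10:22:32.450Z: INFO Authorization Result: User=svc-backup, priv=Datastore.Browse, authorized=False
2024-05-14T11:05:00.000Z: INFO Authorization Result: User=svc-backup, priv=Host.Config.Maintenance, authorized=False
"""


def parse_timestamp(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_authorization_results(text):
    """Return one dict per 'Authorization Result' line; every other line is skipped."""
    records = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": parse_timestamp(m["ts"]),
            "user": m["user"],
            "priv": m["priv"],
            "authorized": m["auth"] == "True",
        })
    return records


def denied_privileges(records, user, start=None, end=None):
    """Map privilege -> list of timestamps at which `user` was denied it.

    `start`/`end` (aware datetimes) narrow the search to the window in which
    the failure was reported (step 2c), so unrelated denials are left out.
    """
    denied = defaultdict(list)
    for r in records:
        if r["user"] != user or r["authorized"]:
            continue
        if start is not None and r["ts"] < start:
            continue
        if end is not None and r["ts"] > end:
            continue
        denied[r["priv"]].append(r["ts"])
    return dict(denied)


def missing_privileges(denied, required):
    """Step 4b: split denied privileges into (needed by the operation, not needed).

    Only the first list belongs in the role; the second should be explained
    before any of it is granted.
    """
    denied_set = set(denied)
    return sorted(denied_set & set(required)), sorted(denied_set - set(required))


if __name__ == "__main__":
    recs = parse_authorization_results(SAMPLE_LOG)
    # Window around the reported failure time (constructed).
    start = parse_timestamp("2024-05-14T10:22:00Z")
    end = parse_timestamp("2024-05-14T10:23:00Z")
    denied = denied_privileges(recs, "svc-backup", start, end)
    # Hypothetical required-privilege list for a snapshot-based backup job.
    required = {
        "VirtualMachine.State.CreateSnapshot",
        "VirtualMachine.State.RemoveSnapshot",
        "VirtualMachine.Provisioning.DiskRandomAccess",
    }
    to_add, unexpected = missing_privileges(denied, required)
    for priv, times in sorted(denied.items()):
        print(f"{priv}: denied {len(times)}x, first at {times[0].isoformat()}")
    print("add to role:", to_add)
    print("denied but not required by the operation:", unexpected)
```

On a live appliance, read the file directly instead of the embedded sample (for example, `parse_authorization_results(open("/var/log/vmware/applmgmt/applmgmt-audit.log").read())`), and pass the account name exactly as it appears in the User field, including any domain suffix. Privileges that show up as denied outside the reported window, or that the operation does not require, are deliberately kept separate so the role is extended only by what the failing operation needs.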