The SRM UI displays this error when you try to protect an unprotected VM:
ERROR
Operation Failed
Permission to perform this operation was denied.
You do not hold privilege "Resource > Recovery use" on resource pool "Resources"
Operation ID: 2db451be-243c-4105-bb11-7c75b09c3d09
vCenter displays this error in its Tasks view when SRM fails to protect VMs automatically:
com.vmware.vcDr.dr.replication.VmProtectionGroup.protectVms.label,,VM-name,[email protected],vcsa.broadcom.com,com.vmware.vcDr.dr.fault.NestedFault,6 ms,08/20/2024, 1:13:15 PM,08/20/2024, 1:13:16 PM,174 ms
1. You cannot protect new VMs in SRM when you are logged in with this AD username.
2. Logging in as [email protected] allows you to protect the VMs.
3. Assigning the SRM Administrator role to the AD group that the user is a member of, under the Users & Groups section of vCenter at both the protected and recovery sites, does not resolve the issue.
VMware-dr.log:
2024-08-21T12:53:19.292Z info vmware-dr[01158] [SRM@6876 sub=DrTask opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] Task 'dr.replication.VmProtectionGroup.protectVms6' failed
--> (vim.fault.NoPermission) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>,
--> object = 'vim.ResourcePool:211BA5E1-E251-414C-A68C-586B6F31B54F:resgroup-5489',
--> privilegeId = "Resource.com.vmware.vcDr.RecoveryUse",
--> missingPrivileges = <unset>
--> msg = "Permission to perform this operation was denied."
--> }
--> [context]zKq7AVECAAQAAMX4YgEPdm13YXJlLWRyAADM6xtsaWJ2bWFjb3JlLnNvAIH30RMBbGlidmltLXR5cGVzLnNvAIGC3RMBAoOeA2xpYmRyLXZtb21pLnNvAAMyZgtsaWJkci1hdXRob3JpemF0aW9uLnNvAATMLQ5saWJjb25uZWN0aW9uLWRyLnNvAAQ9KA4E4tMPBb5rD2xpYmNvbm5lY3Rpb24tYmFzZS5zbwAFgKQJAN5INQDiYTUAsItKBrCOAGxpYnB0aHJlYWQuc28uMAAH7/oPbGliYy5zby42AA==[/context]
2024-08-21T12:53:19.295Z verbose vmware-dr[01158] [SRM@6876 sub=PropertyProvider opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] RecordOp ASSIGN: info.error, dr.replication.VmProtectionGroup.protectVms26. Applied change to temp map.
2024-08-21T12:53:19.295Z info vmware-dr[01158] [SRM@6876 sub=DrTask opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] Work for task 'dr.replication.VmProtectionGroup.protectVms26' completed - new state 'error'
2024-08-21T12:53:19.295Z verbose vmware-dr[01158] [SRM@6876 sub=PropertyProvider opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] RecordOp ASSIGN: info.state, dr.replication.VmProtectionGroup.protectVms26. Applied change to temp map.
2024-08-21T12:53:19.295Z verbose vmware-dr[01158] [SRM@6876 sub=PropertyProvider opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] RecordOp ASSIGN: info.completeTime, dr.replication.VmProtectionGroup.protectVms26. Applied change to temp map.
2024-08-21T12:53:19.295Z verbose vmware-dr[01158] [SRM@6876 sub=PropertyCollector opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] NotifyChange called on ([N5Vmomi20PropertyCollectorInt10FilterImplE:0x00007f3088011dd8], 523af51d-7b46-46fc-6e9a-678a31e4965e) for MoID dr.replication.VmProtectionGroup.protectVms26 with destroyed = false
2024-08-21T12:53:19.295Z verbose vmware-dr[01158] [SRM@6876 sub=PropertyCollector opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] Added dr.replication.VmProtectionGroup.protectVms26 to FilterImpl::_triggered
2024-08-21T12:53:19.295Z verbose vmware-dr[01158] [SRM@6876 sub=PropertyProvider opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] RecordOp ASSIGN: info.progress, dr.replication.VmProtectionGroup.protectVms26. Applied change to temp map.
2024-08-21T12:53:19.295Z verbose vmware-dr[01158] [SRM@6876 sub=PropertyCollector opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] NotifyChange called on ([N5Vmomi20PropertyCollectorInt10FilterImplE:0x00007f3088011dd8], 523af51d-7b46-46fc-6e9a-678a31e4965e) for MoID dr.replication.VmProtectionGroup.protectVms26 with destroyed = false
2024-08-21T12:53:19.284Z error vmware-dr[01158] [SRM@6876 sub=Replication opID=5193b2d0-66c6-4dc5-a467-5b5d6f8ea7ef-protectVms:9a9b] Checking for privilege to use Resource pool or VM folder failed
--> (vim.fault.NoPermission) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>,
--> object = 'vim.ResourcePool:211BA5E1-E251-414C-A68C-586B6F31B54F:resgroup-5489',
--> privilegeId = "Resource.com.vmware.vcDr.RecoveryUse",
--> missingPrivileges = <unset>
--> msg = "Permission to perform this operation was denied."
--> }
Environment: VMware Live Site Recovery
Cause: Assigning or creating a custom role with fewer privileges for an AD user or group on a lower-level object in the vCenter inventory (for example a VM, host or cluster) restricts that user or group from performing tasks on that object for which they hold administrator-level permissions, even though the same user or group has administrator-level privileges on higher-level objects (for example the datacenter or vCenter). The permission defined on the lower-level object overrides the permission inherited from its parents.
Resolution:
1. Log in to the SRM UI in one browser as [email protected] or the SSO account created by the user.
2. Log in to the SRM UI from another browser (incognito mode works) as the AD user that is having the problem.
3. In the session logged in as the AD user, check all permissions assigned on the VM, host, cluster, datacenter and vCenter objects for a role with fewer privileges assigned to that AD user or group; such an assignment is what causes this error. If you find one, remove it from vCenter using the session logged in as administrator. Perform this check at both the protected and recovery sites.
NOTE: An AD user who holds the Administrator or SRM Administrator role must not also be included in custom roles with lower privileges.
4. When you now log in to vCenter using the AD username, SRM manual and automatic protection should work as expected.
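As an added illustration of the cause and the permission check above (example code, not from the KB article or from VMware), this Python model applies vCenter's permission-inheritance rules to a constructed inventory and reports which lesser-privilege assignment on a lower-level object shadows the Administrator permission granted higher up. The inventory path, role definitions and principal names are constructed; the privilege id is the one named in the vmware-dr.log fault.

```python
from dataclasses import dataclass

# Privilege named in the vmware-dr.log fault on the page.
RECOVERY_USE = "Resource.com.vmware.vcDr.RecoveryUse"

# Constructed role definitions (real roles hold many more privileges).
ROLES = {
    "Administrator": {RECOVERY_USE, "VirtualMachine.Interact.PowerOn", "Resource.AssignVMToPool"},
    "SRM Administrator": {RECOVERY_USE, "VcDr.ProtectionProfile.com.vmware.vcDr.Protect"},
    "VM Power User": {"VirtualMachine.Interact.PowerOn"},  # custom role lacking RecoveryUse
}

@dataclass(frozen=True)
class Permission:
    principal: str   # user or group the permission is granted to
    entity: str      # inventory object the permission is set on
    role: str
    propagate: bool  # whether the permission flows down to child objects

def effective_privileges(perms, user, groups, path):
    """Return (privileges, deciding object) for `user` on the last object in `path`.
    vCenter applies the permission set on the object nearest to the target; a
    permission for the user itself beats group permissions on that same object;
    several group permissions on one object are unioned; permissions on ancestors
    count only if they propagate."""
    principals = {user, *groups}
    for depth, obj in reversed(list(enumerate(path))):
        here = [p for p in perms if p.entity == obj and p.principal in principals
                and (depth == len(path) - 1 or p.propagate)]
        if not here:
            continue
        direct = [p for p in here if p.principal == user]
        chosen = direct or here
        return set().union(*(ROLES[p.role] for p in chosen)), obj
    return set(), None

def find_shadowing_permissions(perms, user, groups, path, privilege=RECOVERY_USE):
    """List the permissions that decide access to `path` yet lack `privilege`:
    the lower-level, lesser-privilege assignments the resolution says to remove."""
    privs, obj = effective_privileges(perms, user, groups, path)
    if privilege in privs:
        return []
    return [p for p in perms if p.entity == obj and p.principal in {user, *groups}]

# Constructed inventory path down to the "Resources" pool named in the error,
# with an Administrator grant at the vCenter root shadowed by a custom role on the cluster.
PATH = ["vcsa", "Datacenter", "Cluster", "Resources"]
SAMPLE = [
    Permission("CORP\\srm-admins", "vcsa", "Administrator", True),
    Permission("CORP\\srm-admins", "Cluster", "VM Power User", True),  # the offending assignment
]
```

Running `find_shadowing_permissions(SAMPLE, "CORP\\alice", ["CORP\\srm-admins"], PATH)` returns the cluster-level "VM Power User" grant; removing it restores RecoveryUse on the pool.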