PowerCLI commands Get-CisService are failing with error 'com.vmware.vapi.authorization.permission.denied'


Article ID: 376424


Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • When the PowerCLI command Get-CisService is used to access vCenter Appliance Management APIs (e.g. com.vmware.appliance.ntp) with an account other than administrator@VSPHERE_SSO_DOMAIN, the following error is thrown:

A server error occurred: 'com.vmware.vapi.std.errors.unauthorized': Permission to perform this operation was denied. Server error id: 'com.vmware.vapi.authorization.permission.denied'). Check  | $Error[0].Exception.ServerError for more details

Environment

  • vCenter Server 7.x

Cause

The account has insufficient privileges to access the vCenter Appliance Management APIs.

Resolution

Ensure that the user accessing the vCenter Appliance Management APIs is a member of one of the following groups in the vCenter Single Sign-On domain:

  • SystemConfiguration.BashShellAdministrators

A user in this group has full access to all the Appliance Management APIs. By default, a user who connects to the vCenter Server with SSH can access only commands in the restricted shell, but users in this group have Bash Shell Access over SSH and gain full privileges similar to the root user.

  • SystemConfiguration.Administrators

Members of the SystemConfiguration.Administrators group can view and manage the system configuration in the vCenter Server Management Interface running on port 5480. These users can view services, start and restart services, and troubleshoot services. These users can also access Appliance Management APIs except for those APIs that modify critical system configurations.

  • SystemConfiguration.ReadOnly

Members of this group can access vCenter Server Appliance read-only operations under Appliance Management.
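
After changing group membership, the account can be checked with a read-only call before it is used in automation. The script below is an added example, not part of the original article; vcenter.example.com is a placeholder host name, and the check uses the com.vmware.appliance.ntp service named above, whose get operation only reads the configured NTP servers.

```powershell
# Added example, not from the KB article.
# Placeholder: vcenter.example.com is a constructed host name.
$vcenter  = 'vcenter.example.com'
$deniedId = 'com.vmware.vapi.authorization.permission.denied'  # error id quoted in the article

# Prompt for the non-administrator account under test; no secret is stored in the script.
$cred = Get-Credential -Message 'Account to test against the Appliance Management API'

Connect-CisServer -Server $vcenter -Credential $cred -ErrorAction Stop | Out-Null
try {
    # Read-only call against the service the article uses as its example.
    $ntp     = Get-CisService -Name 'com.vmware.appliance.ntp' -ErrorAction Stop
    $servers = $ntp.get()
    [pscustomobject]@{
        Account = $cred.UserName
        Result  = 'Allowed'
        Detail  = ($servers -join ', ')
    }
}
catch {
    # The article points at Exception.ServerError for details; include it when present.
    $detail = "$($_.Exception.Message) $($_.Exception.ServerError)"
    if ($detail -like "*$deniedId*") {
        [pscustomobject]@{
            Account = $cred.UserName
            Result  = 'Denied'
            Detail  = 'Insufficient privileges; check SystemConfiguration.* group membership'
        }
    }
    else {
        # Anything else (network, certificate, bad password) is not the issue in this article.
        [pscustomobject]@{
            Account = $cred.UserName
            Result  = 'OtherError'
            Detail  = $_.Exception.Message
        }
    }
}
finally {
    Disconnect-CisServer -Server $vcenter -Confirm:$false
}
```

Because the call only reads data, an account that needs nothing more than this can be placed in SystemConfiguration.ReadOnly rather than in either of the two more privileged groups.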

Additional Information