Unable to Modify Firewall Rules in vCenter 7.0 Using Custom Scripting Account

Article ID: 379013

Products

VMware vCenter Server

Issue/Introduction

Users may encounter an "Unable to authorize user" authorization error when attempting to modify firewall rules in vCenter using a custom scripting account via the REST API or PowerCLI. This issue can occur even when the account has been added to the Administrators group.

Environment

- VMware vSphere 7.0 and later
- PowerCLI or other API-based tools
- Custom service account with administrator group membership

Cause

This issue occurs because the service account lacks specific group membership and privileges required for modifying firewall rules via scripting in vSphere 7.0, even if it has broad administrator access. The account needs:

1. Membership in the SystemConfiguration.BashShellAdministrator group
2. Specific privileges: ViewConfiguration and ModifyLocalConf

Resolution

To resolve this issue, follow these steps:

  1. Add the service account to the SystemConfiguration.BashShellAdministrator group:
    1. Log in to the vSphere Client as an administrator.
    2. Navigate to Administration > Single Sign On > Users and Groups.
    3. Select the Groups tab and locate the SystemConfiguration.BashShellAdministrator group.
    4. Edit the group membership and add your service account.

  2. Ensure the service account has administrator privileges:
    1. Navigate to Administration > Access Control > Roles.
    2. Use the existing Administrator role, or create a new role with full administrative privileges if one is not already assigned.
    3. Assign this role to your service account:
      1. Go to Administration > Access Control > Global Permissions.
      2. Add your service account and assign the Administrator role.
      3. Ensure Propagate to children is selected.

  3. Log out of the vSphere Client and log back in with your service account to refresh permissions.
  4. Test the firewall rule modification using PowerCLI or your API tool.
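As an added example that is not part of this article, the following Python probe exercises step 4 and reports an "Unable to authorize user" response as the group and privilege fix described above. It assumes the vSphere 7.0 appliance REST endpoints `POST /api/session` and `GET`/`PUT /api/appliance/networking/firewall/inbound` (confirm them in the vCenter API Explorer), the standard API error JSON shape (`error_type` plus a `messages` list with `default_message`), and that `PUT` replaces the whole ordered rule list; the `VC_HOST`, `VC_USER`, `VC_PASSWORD` and `VC_CAFILE` environment variables are this example's own convention. It tests the modify privilege by writing the rule list it just read back unchanged, so the firewall is not altered.

```python
"""Check whether a scripting account can read and modify vCenter appliance
firewall rules, and translate an authorization failure into the required fix.

Added example, not from the KB article. Assumed (verify in the API Explorer):
POST /api/session, GET/PUT /api/appliance/networking/firewall/inbound, and the
error JSON shape {"error_type": ..., "messages": [{"default_message": ...}]}.
Standard library only, so it runs without extra packages.
"""
import base64
import json
import os
import ssl
import urllib.error
import urllib.request

SESSION_PATH = "/api/session"
INBOUND_PATH = "/api/appliance/networking/firewall/inbound"
FIX_HINT = ("add the account to SystemConfiguration.BashShellAdministrator and grant "
            "ViewConfiguration and ModifyLocalConf (vSphere 7.0)")


def diagnose(status, body):
    """Map an HTTP status and response body to the action an operator should take."""
    try:
        parsed = json.loads(body) if body else {}
    except json.JSONDecodeError:
        parsed = {}
    if not isinstance(parsed, dict):
        parsed = {}
    text = "; ".join(m.get("default_message", "") for m in parsed.get("messages", []))
    if status in (200, 201, 204):
        return "ok"
    if status == 401:
        return "authentication failed: check the account name and password"
    if status == 403 or parsed.get("error_type") == "UNAUTHORIZED":
        if "Unable to authorize user" in text:
            return "authorization failed ('Unable to authorize user'): " + FIX_HINT
        return "authorization failed: " + (text or "no detail returned")
    return "HTTP %d: %s" % (status, text or body)


def parse_rules(body):
    """Parse the GET response (a JSON list of rule objects) and validate its shape."""
    rules = json.loads(body)
    required = {"address", "prefix", "policy"}
    for rule in rules:
        missing = required - set(rule)
        if missing:
            raise ValueError("rule missing fields: %s" % sorted(missing))
    return rules


class ApplianceFirewallClient:
    """Minimal session-based client for the assumed appliance firewall endpoints."""

    def __init__(self, host, cafile=None):
        self.base = "https://" + host
        self.session_id = None
        # Certificate verification stays on; pass a CA bundle if vCenter's CA is not trusted.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _request(self, method, path, body=None, basic_auth=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if basic_auth:
            token = base64.b64encode(("%s:%s" % basic_auth).encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        if self.session_id:
            req.add_header("vmware-api-session-id", self.session_id)
        try:
            with urllib.request.urlopen(req, context=self.ctx) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as exc:
            return exc.code, exc.read().decode()

    def login(self, user, password):
        status, body = self._request("POST", SESSION_PATH, basic_auth=(user, password))
        if status not in (200, 201):
            raise RuntimeError(diagnose(status, body))
        self.session_id = json.loads(body)  # session token is returned as a JSON string

    def get_inbound_rules(self):
        return self._request("GET", INBOUND_PATH)

    def set_inbound_rules(self, rules):
        # Assumed semantics: PUT replaces the whole ordered rule list, so send the full set.
        return self._request("PUT", INBOUND_PATH, body={"rules": rules})


def probe(client):
    """Read the rules, then write the identical list back. This exercises the modify
    privilege without changing the firewall. Returns (read_result, write_result)."""
    status, body = client.get_inbound_rules()
    read = diagnose(status, body)
    if read != "ok":
        return read, "skipped (read failed)"
    status, body = client.set_inbound_rules(parse_rules(body))
    return read, diagnose(status, body)


if __name__ == "__main__":
    # Connection details come from the environment; no real host is embedded here.
    client = ApplianceFirewallClient(os.environ["VC_HOST"], os.environ.get("VC_CAFILE"))
    client.login(os.environ["VC_USER"], os.environ["VC_PASSWORD"])
    print("read: %s\nwrite: %s" % probe(client))
```

Run it once before the group change and once after logging the account back in; a read result of "ok" with a write result naming the BashShellAdministrator fix is the exact symptom this article covers, while a failure on the read itself points at missing view privileges or credentials rather than the modify path.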

Additional Information

  • This solution is specific to vSphere 7.0. In vSphere 8.0, there is no need to separately add the account to the SystemConfiguration.BashShellAdministrator group.
  • For more information on vSphere permissions, refer to the VMware documentation on vSphere Security.
  • If you continue to experience issues after following these steps, check the vCenter Server logs, particularly the applmgmt-audit.log, for any additional authorization errors.
  • If issues persist after making these changes, review the account's other group memberships and ensure there are no conflicting permissions.
  • For more information on vCenter Server roles and privileges, refer to vCenter Server System Roles.
  • For more information specific to managing the firewall, see Edit the Firewall Settings.