Unable to Create Limited Role for Permission Management in vCenter - Security Limitation



Article ID: 382666


Updated On:

Products

VMware vCenter Server

Issue/Introduction

Administrators may create a custom vCenter role that contains only the permission-management privileges (modify permission, modify privilege, modify role, reassign role permissions) and assign it to a dedicated account, intending to delegate permission management without granting broader access. When that account then tries to assign or change a permission, the operation fails with "Permission to perform this operation was denied".

Environment

- vCenter Server
- Custom role containing only the permission-management privileges:
  - Modify Permission
  - Modify Privilege
  - Modify Role
  - Reassign Role Permissions

Cause

This limitation is by design. An account that assigns or modifies a permission must itself hold every privilege contained in the role it grants; vCenter checks the grantor's own privileges, not only the permission-management privileges, and denies the operation otherwise. A role that contains nothing but the permission-management privileges therefore cannot assign any role that includes additional privileges. This rule prevents privilege escalation: a limited account cannot grant itself, or another principal, a role more powerful than its own.

Resolution

  1. Use an account with the Administrator role, or another role that already holds the required privileges, to manage permissions.
  2. If a dedicated permission-management account is required, build its role as a superset: the four permission-management privileges plus every privilege contained in any role it will need to assign or modify for other accounts.
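The superset rule in step 2 is easy to get wrong by hand, because privileges accumulate across every role the delegated account will ever touch. The script below is an added example, not code from the KB article or from VMware: it models the rule stated above (a grantor can only assign a role whose privileges it already holds), reports which privileges a candidate permission-management role lacks, and builds the smallest role that satisfies step 2. The role definitions are constructed sample data; the privilege IDs (such as `Authorization.ModifyPermissions` and `VirtualMachine.Interact.PowerOn`) are used as the author understands vSphere's identifiers, and the `from_vim` adapter assumes the `name`/`privilege` attributes of pyVmomi's `vim.AuthorizationManager.Role`.

```python
"""Added example (not from the VMware KB article): model the rule that a
vCenter account can only assign roles whose privileges it already holds, and
compute what a dedicated permission-management role must contain.

Privilege IDs are vSphere identifiers as the author understands them; the
roles below are constructed sample data, not exported from a real vCenter."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Every vCenter role except No Access carries the System.* privileges
# implicitly; adding them keeps the constructed roles realistic.
SYSTEM_PRIVILEGES = frozenset({"System.Anonymous", "System.View", "System.Read"})

# The four privileges the article's custom role was built from (assumed IDs).
PERMISSION_MANAGEMENT_PRIVILEGES = frozenset({
    "Authorization.ModifyPermissions",
    "Authorization.ModifyPrivileges",
    "Authorization.ModifyRoles",
    "Authorization.ReassignRolePermissions",
})


@dataclass(frozen=True)
class Role:
    """The two fields of vim.AuthorizationManager.Role this check needs."""
    name: str
    privilege: frozenset

    @classmethod
    def build(cls, name: str, privileges: Iterable[str]) -> "Role":
        return cls(name, frozenset(privileges) | SYSTEM_PRIVILEGES)

    @classmethod
    def from_vim(cls, role) -> "Role":
        """Adapter for a live pyVmomi role object (assumed .name/.privilege)."""
        return cls(role.name, frozenset(role.privilege))


def can_assign(grantor: Role, target: Role) -> bool:
    """vCenter's rule: the grantor must hold every privilege in the target."""
    return target.privilege <= grantor.privilege


def missing_privileges(grantor: Role, targets: Iterable[Role]) -> Dict[str, List[str]]:
    """Per target role, the privileges the grantor lacks.
    An empty dict means the grantor can assign every target role."""
    report: Dict[str, List[str]] = {}
    for target in targets:
        gap = target.privilege - grantor.privilege
        if gap:
            report[target.name] = sorted(gap)
    return report


def required_manager_role(name: str, targets: Iterable[Role]) -> Role:
    """Smallest role that can both edit permissions and assign all targets:
    the permission-management privileges plus the union of the targets'."""
    privileges = set(PERMISSION_MANAGEMENT_PRIVILEGES)
    for target in targets:
        privileges |= target.privilege
    return Role.build(name, privileges)


# Constructed sample roles.
PERMISSIONS_ONLY = Role.build("PermissionsOnly", PERMISSION_MANAGEMENT_PRIVILEGES)
VM_OPERATOR = Role.build("VMOperator", {
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.ConsoleInteract",
})
DATASTORE_BROWSER = Role.build("DatastoreBrowser", {"Datastore.Browse"})
TARGETS = [VM_OPERATOR, DATASTORE_BROWSER]


if __name__ == "__main__":
    # The article's scenario: a permissions-only role cannot hand out either role.
    for role_name, gap in missing_privileges(PERMISSIONS_ONLY, TARGETS).items():
        print(f"PermissionsOnly cannot assign {role_name}; missing: {gap}")
    # The resolution: a superset role that can.
    manager = required_manager_role("PermissionsManager", TARGETS)
    print("PermissionsManager privileges:", sorted(manager.privilege))
    print("remaining gaps:", missing_privileges(manager, TARGETS))  # {}
```

Against a live vCenter, replace the constructed roles with `Role.from_vim(r)` for each entry of `si.content.authorizationManager.roleList` (pyVmomi) and run `missing_privileges` before assigning the delegated role; anything it reports is exactly what the article says the account will be denied.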

Additional Information

  • There is no workaround: an account cannot be limited to modifying permissions while holding fewer privileges than the roles it assigns.
  • This behavior is a security control against unauthorized privilege escalation, not a defect.
  • If several administrators need to manage permissions, put the changes under change control and review the vCenter event log, where permission and role changes are recorded, or forward those events to a SIEM.