PowerCLI `New-Snapshot` Command Fails Despite Folder-Level Permissions

Article ID: 401375


Products

VMware vCenter Server

Issue/Introduction

Users sometimes encounter failures when attempting to create snapshots of virtual machines (VMs) using the PowerCLI `New-Snapshot` command, even when appropriate permissions are configured at the parent folder level. This suggests that permission inheritance for child objects is not functioning as expected.

Environment

  • VMware vCenter Server 8.0.2 and earlier versions
  • VMware PowerCLI

Cause

This issue stems from the way the vSphere API handles permission requirements during paginated property retrieval operations:

Initial API Call (`RetrievePropertiesEx`): This call only requires the View privilege.

Subsequent Paginated Calls (`ContinueRetrieve` and `CancelRetrieve`): These calls, however, require the Read privilege at the vCenter root folder (group-d1).

If the user or group lacks Read access at the vCenter root level, PowerCLI operations involving multiple pages of results (such as VM queries during snapshot operations) will fail with permission errors.

Resolution

This behavior has been resolved in vCenter Server 8.0.3.

Workaround for v8.0.2 and Earlier Versions:


For environments running v8.0.2 or earlier, assign ReadOnly permissions to the affected user or group at the vCenter root folder level.


Workaround Steps:

  1. Log in to the vSphere Web Client: `https://<vcenter-FQDN>/ui`
  2. Select the vCenter Server object at the top of the inventory.
  3. Navigate to the Permissions tab.
  4. Click the “+” (Add) icon.
  5. In the Add Permission dialog:
       • Under User/Group, select either an individual user or a group.
       • Under Role, choose ReadOnly.
       • Uncheck the "Propagate to children" option.
  6. Click OK to apply the permission.
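
The same workaround can be applied from PowerCLI. The script below is an added example, not part of the original article: it assumes an existing `Connect-VIServer` session to the affected vCenter, and the function name `Set-RootReadOnlyPermission` and the principal shown are hypothetical. It grants ReadOnly on the root folder without propagation and flags an existing root-level grant that propagates, since that grant covers the whole inventory.

```powershell
# Added example: assumes VMware PowerCLI is installed and Connect-VIServer has
# already been run against the affected vCenter (8.0.2 or earlier).
function Set-RootReadOnlyPermission {      # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Principal                 # user or group, e.g. 'DOMAIN\group'
    )

    # The article identifies the vCenter root folder as group-d1.
    $root = Get-Folder -Id 'Folder-group-d1' -ErrorAction Stop
    $role = Get-VIRole -Name 'ReadOnly' -ErrorAction Stop

    # Look for a permission defined directly on the root folder for this principal.
    $existing = Get-VIPermission -Entity $root |
        Where-Object { $_.Principal -eq $Principal -and $_.EntityId -eq $root.Id }

    if ($existing) {
        if ($existing.Propagate) {
            # A propagating root-level grant applies to every child object.
            Write-Warning ("{0} already holds role '{1}' on the root folder with propagation enabled; review whether that scope is intended." -f $Principal, $existing.Role)
        }
        else {
            Write-Verbose ("{0} already holds role '{1}' on the root folder without propagation; nothing to change." -f $Principal, $existing.Role)
        }
        return $existing
    }

    # Equivalent of the UI steps: ReadOnly role, "Propagate to children" unchecked.
    if ($PSCmdlet.ShouldProcess($root.Name, "Grant ReadOnly (no propagation) to $Principal")) {
        New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$false
    }
}

# Constructed principal name; -WhatIf previews the change without applying it.
Set-RootReadOnlyPermission -Principal 'VSPHERE.LOCAL\snapshot-operators' -WhatIf
```

Remove `-WhatIf` to apply the permission, then confirm the result with `Get-VIPermission -Entity (Get-Folder -Id 'Folder-group-d1')`.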