Modify/Edit operations grayed out for certain Domain Users on vCenter Server Inventory

Article ID: 405145

Products

VMware vCenter Server

Issue/Introduction

  • Active Directory (AD) users are unable to perform certain operations in vCenter (e.g. New Datastore Cluster, New Distributed Switch).

  • The issue is not seen while logged in as the Single Sign-On administrator.

  • In an Enhanced Linked Mode configuration, one or more of the vCenters may not be visible in the inventory when logged in with an AD user account.

  • Reviewing /var/log/vmware/vpxd/vpxd.log confirms that the affected user(s) is/are part of multiple AD groups, based on the SAML response from the identity provider during login:

    YYYY-MM-DDThh:mm:ss info vpxd[#######] [Originator@6876 sub=User opID=<op_id>] Login token: SamlToken [subject={Name: <USER_NAME>; Domain:<DOMAIN_NAME>}, groups=[{Name: <GROUP_NAME_1>; Domain:<DOMAIN_NAME>},{Name: <GROUP_NAME_2>; Domain:<DOMAIN_NAME>}.........type=Saml_HOK]

  • Users may see the 'Create VM' or 'Shutdown VM' options greyed out in the vSphere Client if conflicting permissions exist at the Cluster level.

  • Explicit permissions defined at lower levels of the vSphere inventory hierarchy (e.g., the cluster level) override permissions inherited from higher levels (e.g., the datacenter level). In this scenario, one of the AD groups assigned directly at the cluster level has lesser privileges, and that explicit assignment supersedes the broader Administrator permissions inherited from the datacenter or vCenter level. The explicitly assigned role lacks the required VMware vSphere Lifecycle Manager privileges (Lifecycle Manager: Image Remediation and Lifecycle Manager: Image), which blocks access to the Image section of the Updates tab.

Environment

  • vCenter 7.x
  • vCenter 8.x
  • vCenter 9.x

Cause

This issue occurs because explicit permissions defined at a lower level of the vSphere inventory hierarchy (such as a cluster) override inherited permissions from higher levels (such as a Datacenter or vCenter).

For example, a user may simultaneously be a member of a group that is assigned Administrator permissions at the vCenter Server object but is assigned a Read-Only or otherwise limited role at the Datacenter object.

In that case vCenter calculates effective permissions that reflect the most restrictive access level, particularly when inheritance or role precedence is ambiguous across object hierarchies.
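The precedence described above, as an added, runnable model (not vCenter's own code) of the documented vSphere rules: a permission set on an object wins over one inherited from a parent, a user-level assignment wins over a group-level one on the same object, and several group assignments on one object are unioned. The inventory, group names and privilege strings are constructed for this article's scenario; the privilege strings reuse the page's display names in place of the real privilege identifiers.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the real vSphere privilege identifiers.
LCM_IMAGE = "Lifecycle Manager: Image"
LCM_REMEDIATE = "Lifecycle Manager: Image Remediation"
ROLES = {
    "Administrator": {"System.Read", LCM_IMAGE, LCM_REMEDIATE},
    "Read-only": {"System.Read"},
}

@dataclass
class Permission:
    principal: str          # user or AD group, e.g. DOMAIN\group
    role: str
    is_group: bool
    propagate: bool = True  # "Propagate to children" in the vSphere Client

@dataclass
class InvObject:
    name: str
    parent: "InvObject | None" = None
    permissions: list = field(default_factory=list)

def effective_privileges(obj, user, groups):
    """Return (privileges, name of the object whose permission applied)."""
    node, inherited = obj, False
    while node is not None:
        # Only propagating permissions are inherited from an ancestor.
        usable = [p for p in node.permissions if not inherited or p.propagate]
        direct = [p for p in usable if not p.is_group and p.principal == user]
        via_group = [p for p in usable if p.is_group and p.principal in groups]
        chosen = direct or via_group   # a user assignment outranks group assignments
        if chosen:                     # the nearest object with a match decides
            return set().union(*(ROLES[p.role] for p in chosen)), node.name
        node, inherited = node.parent, True
    return set(), None

# Constructed inventory matching this article: Administrator granted at the
# vCenter root, a Read-only group granted explicitly on the cluster.
vcenter = InvObject("vcenter")
datacenter = InvObject("DC01", vcenter)
cluster = InvObject("Cluster01", datacenter)
host = InvObject("esxi01", cluster)
vcenter.permissions.append(Permission("DOMAIN\\vSphere-Admins", "Administrator", True))
cluster.permissions.append(Permission("DOMAIN\\Ops-ReadOnly", "Read-only", True))

def can_remediate_image(obj, user, groups):
    return LCM_REMEDIATE in effective_privileges(obj, user, groups)[0]
```

For a user in both groups, `effective_privileges(host, ...)` resolves to Read-only via Cluster01 even though the same user is Administrator on DC01; dropping the user from DOMAIN\Ops-ReadOnly restores Administrator on the host.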

Resolution

  1. Review the Active Directory group memberships for the affected user by engaging your Domain Admin to identify conflicting AD groups that have lesser privileges and are explicitly assigned at the cluster level within the vCenter Server permissions structure.

  2. Identify conflicting groups that are assigned limited roles (e.g., Read-Only) within the vCenter hierarchy.

  3. Remediate using one of the following options:

    • Remove the user from conflicting Read-Only groups.

    • Adjust permission assignments to ensure that the role with Modify-level privileges takes precedence at the relevant object level.

  4. Validate effective permissions by navigating to the object (e.g., ESXi host), selecting the Permissions tab, and checking the user’s resolved role.

Additional Information

Hierarchical Inheritance of Permissions in vSphere