Minimum privileges required to successfully deploy or export an OVA/OVF template in vCenter Server.
search cancel

Minimum privileges required to successfully deploy or export an OVA/OVF template in vCenter Server.

book

Article ID: 409447

calendar_today

Updated On:

Products

VMware vCenter Server 8.0

Issue/Introduction

  • When attempting to "Deploy OVF Template" the user is unable to select the datacenter or an ESXi Host under the "Select a compute resource" stage.

  • It gives either of the below errors. 

  • The user trying to deploy the OVA/OVF isn't given an 'Administrator' role and cannot be given one because of the organizational restrictions. Therefore a 'custom' role has been created and assigned to allow the user to be able to provision OVA/OVF and nothing more.

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

The minimum privileges required to successfully deploy an OVA/OVF template are missing in the custom role.

The following errors (highlighted in bold) confirm the specific privilege which is missing in the custom role.

  • No accessible network found in the target environment - confirms the absence of "Assign network" privilege. 

  • Unable to process template - confirms the absence of all or any virtual machine privilege.

  • No datastore with allocate permission available - confirms the absence of a Datastore privilege.

Resolution

Follow the instructions below to add the specified privileges to the custom role required for a user to be able to successfully deploy an OVA/OVF.

1. Login to the vCenter Server as "Administrator".
2. Navigate to Home > Administration > Roles.
3. Select the custom role and click on 'Edit'.
4. Remove all the privileges by deselecting the boxes with the exception of below ones.

  • Datastore > Allocate space.
  • Network > Assign network.
  • Virtual machine > Edit Inventory > Create new.
  • Virtual machine > Configuration > Add new disk.
  • Virtual machine > Configuration > Advanced.
  • vApp > Import

5. Save the changes made to the custom role.
6. Now assign the newly created role to your domain/local user under "Permissions" on the vCenter Server object. Make sure the "propagate to children" checkbox is selected when adding the permission.
7. Logout and login as the user who has inherited the custom role. The user should be able to deploy an OVA/OVF template without issues.

Additional Information

NOTE:  The minimum required privilege to export an OVF is vApp -> Export.  See our documentation for more details:  Deploy and Export OVF and OVA Templates

Powered by Wolken Software