HCX site pairing fails with Active Directory users.


Article ID: 411465


Updated On:

Products

VMware HCX

Issue/Introduction

  • Creating or editing a site pair fails with the following error:

  • When attempting to log in to HCX Cloud with that user, the login fails with the following error: Access denied for the requested URI : /hybridity/api/sessions
  • The following error appears in common/logs/admin/web.log:
2025-08-28 04:57:57.792 UTC [https-jsse-nio-8443-exec-5, , , TxId: ] INFO  c.v.i.token.impl.SamlTokenImpl- SAML token for SubjectNameId [value=<user-name>@####.local, format=http://####.####.####] successfully parsed from XML
...
...
2025-08-28 04:57:58.217 UTC [https-jsse-nio-8443-exec-5, , , TxId: ] ERROR c.v.vchs.hybridity.api.LoginUtil- Could not assign NSP role based on logged in users VCenter user group memberships. Logged in user is member of following VCenter groups :
vsphere.local\Everyone
Role mapping configuration is:
[
    {
        "role": "System Administrator",
        "userGroups": [
            "vsphere.local\\Administrators",
        ]
    },
    {
        "role": "Enterprise Administrator",
        "userGroups": [
            "vsphere.local\\Administrators",
        ]
    }
]
2025-08-28 04:57:58.218 UTC [https-jsse-nio-8443-exec-5, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Could not assign NSP role based on logged in VCenter user group memberships ["vsphere.local\\Everyone"].
org.springframework.security.access.AccessDeniedException: Could not assign NSP role based on logged in VCenter user group memberships ["vsphere.local\\Everyone"].
        at com.vmware.vchs.hybridity.api.LoginUtil.fetchNspRolesForUserGroups(LoginUtil.java:158)
        at com.vmware.vchs.hybridity.authentication.VSphereSamlTokenAuthenticator.validate(VSphereSamlTokenAuthenticator.java:97)
        at com.vmware.vchs.hybridity.api.AccessTokenRestController.performSsoVcAuth(AccessTokenRestController.java:544)
        at com.vmware.vchs.hybridity.api.AccessTokenRestController.getToken(AccessTokenRestController.java:345)
        at jdk.internal.reflect.GeneratedMethodAccessor551.invoke(Unknown Source)
...

  • The user group to which the user belongs is not added in the "HCX Role Mapping" settings.
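The check behind this error can be reproduced from the log itself. The following is an added example, not Broadcom or HCX code: it extracts the user's vCenter groups and the logged role mapping from web.log and reports whether any group is mapped to an HCX role. The sample log is constructed from the excerpt above, the function name is hypothetical, and the exact string comparison of group names is an assumption.

```python
import json
import re

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")  # start of a new log record
GROUPS_MARK = "Logged in user is member of following VCenter groups :"
MAP_MARK = "Role mapping configuration is:"

# Constructed sample, modelled on the web.log excerpt in this article.
SAMPLE_LOG = r'''2025-08-28 04:57:58.217 UTC [exec-5, , , TxId: ] ERROR c.v.vchs.hybridity.api.LoginUtil- Could not assign NSP role based on logged in users VCenter user group memberships. Logged in user is member of following VCenter groups :
vsphere.local\Everyone
Role mapping configuration is:
[
    {"role": "System Administrator", "userGroups": ["vsphere.local\\Administrators",]},
    {"role": "Enterprise Administrator", "userGroups": ["vsphere.local\\Administrators",]}
]
2025-08-28 04:57:58.218 UTC [exec-5, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Could not assign NSP role
'''


def parse_role_failures(log_text):
    """Return one dict per role-assignment failure record found in log_text."""
    failures, state, groups, raw = [], None, [], []
    # A sentinel timestamp line flushes a record that ends the file.
    for line in log_text.splitlines() + ["1970-01-01 00:00:00 sentinel"]:
        if TS.match(line):
            if state == "mapping":
                # The mapping is logged with trailing commas; strip them for json.loads.
                mapping = json.loads(re.sub(r",\s*([\]}])", r"\1", "\n".join(raw)))
                mapped = {g for entry in mapping for g in entry["userGroups"]}
                failures.append({
                    "user_groups": groups,
                    "mapped_groups": sorted(mapped),
                    # Assumption: group names are compared as exact strings.
                    "matching": [g for g in groups if g in mapped],
                })
            state = "groups" if line.rstrip().endswith(GROUPS_MARK) else None
            groups, raw = [], []
        elif state == "groups":
            if line.strip() == MAP_MARK:
                state = "mapping"
            elif line.strip():
                groups.append(line.strip())
        elif state == "mapping":
            raw.append(line)
    return failures


if __name__ == "__main__":
    for f in parse_role_failures(SAMPLE_LOG):
        print("user groups:", f["user_groups"])
        print("groups with an HCX role:", f["mapped_groups"])
        print("overlap:", f["matching"] or "none")
```

An empty overlap is the condition this article describes: none of the user's groups appears in the HCX Role Mapping.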

Environment

VMware HCX

Cause

The user's group does not have the required roles assigned to operate on HCX resources.

Resolution

This is expected behavior.

Any user group whose members (not limited to AD users) will operate HCX resources, for example by creating site pairs, must be assigned an appropriate role in the HCX Role Mapping settings.

See the following documentation: https://techdocs.broadcom.com/us/en/vmware-cis/hcx/vmware-hcx/4-11/vmware-hcx-user-guide-4-11/preparing-for-hcx-installations/user-account-and-role-requirements.html