Users report permission errors when attempting to enable log collection (events/tasks only) for vCenter 8 integration, even after deactivating ESX logs.

While the user account has Read-only permissions, customers may report seeing an SSL handshake error similar to the following:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

However, upon verifying the issue in the logs, the actual error corresponding to the failure is:

Privilege check failed for user <Domain>\<User> for missing permission Global.Setting. Session user performing the check...

• VCF Operations 9.0.x
• VMware vCenter Server 8

The service account configured for the integration possesses only the Read-only role in the vSphere Client. This role is insufficient for the Log Collection verification checks, resulting in the Global.Setting permission error. This permission failure can sometimes manifest as or be confused with connection/SSL errors during the configuration test.

Follow these steps to grant the required permissions to the service account:

1. Log in to the vSphere Client.
2. Navigate to Administration > Single Sign On > Users and Groups.
3. Locate the SystemConfiguration.Administrators group.
4. Add the service account used for the VCF Operations Log Collection configuration to this group.

• Ensure that any changes to service account permissions adhere to your organization's security policies regarding least privilege.