When an OIDC-based group is imported from VCF SSO into VCF Operations, the group is successfully added to Access Control. Users assigned to this custom group can access VCF Operations, but they cannot log in to VCF Automation after the group is added to Access Control.
VCF Operations 9.x
VCF Automation 9.x
This behavior is a product limitation regarding how custom groups are handled. A group imported or created within VCF Operations is local to the VCF Operations instance. VCF SSO is unaware of the group structure defined within VCF Operations; therefore, downstream products like VCF Automation cannot resolve these memberships when querying the identity provider.
This is a known user experience limitation. To ensure users are correctly identified across the VCF stack, you must manage group memberships directly within the Identity Provider (vIDB/VCF SSO) rather than relying on the VCF Operations "Import Group" function for cross-product permissions.
Verify that the group membership exists at the Identity Provider (VCF SSO) level. Example: Users are assigned to an Active Directory group that is imported into VCF Operations and VCF Automation.
Assign roles to the group within the specific product where access is required.