VMware vCenter Server

The issue is caused by a permission inheritance conflict within the vSphere inventory hierarchy. Specifically, an explicit Read-Only permission assigned at a lower level (such as the Datacenter) overrides higher-level Global Permissions.

In vSphere, permissions applied to a child object always take precedence over permissions propagated from a parent object or global permissions. If a user is a member of an AD group assigned a "Read-Only" role at the Datacenter level, that role which lacks the vSphere Tagging.Assign or Unassign vSphere Tag privilege strips the user's ability to assign tags for all objects within that Datacenter, regardless of their Global Permission settings.

To resolve this issue, the conflicting explicit permission must be removed or modified to include the necessary tagging privileges.

Step-by-Step Instructions:

1. Identify the Conflicting Permission:
• Log in to the vSphere Client as an Administrator.
• Select the Datacenter object in the inventory.
• Click the Permissions tab.
• Look for the specific Active Directory user or group (e.g., <AD GROUP NAME>) that is assigned the Read-only role.
2. Remove or Modify the Explicit Permission:
• Option A (Recommended): If the group does not require a specific restrictive role at the Datacenter level, select the user/group and click Remove. This allows the Global Permissions (which include tagging) to propagate down the hierarchy.
• Option B: If the explicit permission is required, change the assigned role from Read-only to a custom role that includes the following privilege:
• vSphere Tagging > Assign or Unassign vSphere Tag
3. Verify the Fix:
• Have the affected user log out and log back into the vSphere Client.
• Navigate to a Virtual Machine within that Datacenter.
• Verify the Assign tag button is now visible on the Summary tab.