"Privilege check failed for user <service_account> - missing permission for Host.Config.Image. when user performing the check" event triggering in vCenter Server

Article ID: 428917


Products

VMware vSphere ESXi, VMware vCenter Server

Issue/Introduction

  • In vCenter Server 8.x environments, the vSphere Client Events tab may report a high volume of warning events. These warnings typically coincide with inventory discovery cycles initiated by third-party backup solutions or monitoring tools.

  • The specific warning message recorded in the event logs is as follows:

    "Privilege check failed for user <Service_Account_Name> - missing permission Host.Config.Image. Session user performing the check."

  • Despite the saturation of the Events tab, the primary operations of the backup or monitoring software (such as backup jobs or status reporting) generally continue to function without interruption.

Cause

  • This behavior is a result of Enhanced Privilege Enforcement protocols introduced in vSphere 8.x.
  • During standard inventory discovery, service accounts may attempt to query the ESXi Image Profile (associated with Lifecycle Manager status). vSphere 8.x enforces a strict validation check for the Host.Config.Image privilege during these specific API calls.
  • If the custom role assigned to the service account lacks this specific granular privilege, the validation fails and generates a warning event. This occurs even if the calling application is programmed to ignore the failure and proceed with other tasks.

Resolution

To resolve the privilege check failure and suppress the warning events, the Host.Config.Image privilege must be added to the custom role associated with the affected service account.

Procedure:

  1. Log in to the vSphere Client using an account with Administrator privileges.

  2. Navigate to the main menu and select Administration.

  3. Under the Access Control section, select Roles.

  4. Identify and select the specific role assigned to the service account generating the errors (e.g., "Backup Service Role") and click Edit.

  5. In the privileges hierarchy, navigate to Host > Configuration.

  6. Locate the setting for Image Configuration and enable the checkbox.

  7. Click Save to apply the configuration changes.

Upon completion, the permission changes will propagate, and the "Privilege check failed" warnings will cease during the subsequent discovery cycle.
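As an added example (not part of this article or any vendor tooling), the script below tallies these warnings per service account from an exported event list, so the privilege is added only to roles whose accounts actually trigger the check, and so any account missing a different privilege is reviewed separately. The export line layout, account names, and the second privilege are constructed for illustration; only the message text follows the warning quoted in this article.

```python
import re
from collections import Counter

TARGET = "Host.Config.Image"
# Message text as quoted in this article; the optional "for" covers the
# wording used in the article title.
PATTERN = re.compile(
    r"Privilege check failed for user (?P<user>.+?) - missing permission "
    r"(?:for )?(?P<priv>\S+?)\.\s+Session user performing the check"
)

# Constructed sample export: timestamps, account names and the
# Host.Config.Storage line are illustrative, not from a real system.
MSG = "Privilege check failed for user {} - missing permission {}. Session user performing the check."
SAMPLE_EVENTS = [
    "2025-01-10T02:00:01Z warning " + MSG.format(r"VSPHERE.LOCAL\svc-backup", TARGET),
    "2025-01-10T02:00:02Z warning " + MSG.format(r"VSPHERE.LOCAL\svc-backup", TARGET),
    "2025-01-10T02:00:05Z info User logged in",  # unrelated event, ignored
    "2025-01-10T02:15:00Z warning " + MSG.format(r"EXAMPLE\svc-monitor", TARGET),
    "2025-01-10T02:15:01Z warning " + MSG.format(r"EXAMPLE\svc-monitor", "Host.Config.Storage"),
    "2025-01-10T03:00:01Z warning " + MSG.format(r"VSPHERE.LOCAL\svc-backup", TARGET),
]

def tally(lines):
    """Count privilege-check warnings per (account, missing privilege)."""
    counts = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if m:
            counts[(m.group("user"), m.group("priv"))] += 1
    return counts

def triage(counts):
    """Return (accounts missing only TARGET, {account: other missing privileges})."""
    missing = {}
    for user, priv in counts:
        missing.setdefault(user, set()).add(priv)
    covered = sorted(u for u, p in missing.items() if p == {TARGET})
    review = {u: sorted(p - {TARGET}) for u, p in missing.items() if p != {TARGET}}
    return covered, review

if __name__ == "__main__":
    counts = tally(SAMPLE_EVENTS)
    for (user, priv), n in counts.most_common():
        print(f"{n:4d}  {user}  {priv}")
    covered, review = triage(counts)
    print("Covered by adding Host.Config.Image:", covered)
    print("Other missing privileges to review:", review)
```

Running the same tally on events exported after the next discovery cycle should show no remaining Host.Config.Image entries for the accounts whose role was edited.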

Additional Information

Broadcom Tech Docs: host-configuration-privileges