Error: "Permission to perform this operation was denied" during cross vCenter vMotion of VMs with Affinity Rules or HA/DRS Overrides
search cancel

Error: "Permission to perform this operation was denied" during cross vCenter vMotion of VMs with Affinity Rules or HA/DRS Overrides

book

Article ID: 429035

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • Cross vCenter vMotion attempts from a local non-admin user result in a permission error. This failure occurs even when general migration privileges are present. The issue specifically affects Virtual Machines (VMs) configured with Affinity Rules, Anti-Affinity Rules, DRS override settings, HA override settings, or HA orchestration settings.

  • The following error is observed in the vSphere Client:

    Permission to perform this operation was denied. You do not hold privileges "cluster domain-(domain_id): [Host > Inventory > Modify cluster]" Cluster reconfigure permissions required for vMotion of VMs with affinity rules, anti affinity rules, DRS override settings, HA override settings or HA orchestration settings

Environment

VMware vCenter Server 8.x

Cause

The migration of a VM with cluster-specific settings requires the destination vCenter to update its cluster configuration to accommodate the incoming VM's metadata. This action triggers a "Modify cluster" task. If the user account performing the migration does not have the Host > Inventory > Modify cluster privilege at the destination cluster or datacenter level, vCenter Server denies the operation.

Resolution

Assign the necessary privileges to the user account on the destination vCenter Server. Follow the below steps:

  1. Log in to the vSphere Client as an Administrator.
  2. Navigate to Administration > Access Control > Roles.
  3. Select the Role assigned to the account performing the migration.
  4. Click Edit.
  5. Navigate to Host > Inventory and select the checkbox for Modify cluster.
  6. Click Save.
  7. Log out and log back in to refresh the session permissions.
  8. Retry the vMotion migration.

Workaround:

If the security role cannot be modified, remove the rules that trigger the cluster update:

  1. Select the VM and navigate to the Configure tab.
  2. Under Configuration, select VM Overrides.
  3. Remove any vSphere HA or DRS overrides for the VM.
  4. Under VM/Host Rules, remove the VM from any Affinity or Anti-Affinity rules.
  5. Perform the migration.
  6. Re-create the rules and overrides manually on the destination cluster.
Powered by Wolken Software