In which scenarios can customers skip granting the "Host.Inventory.EditCluster" permission?



Article ID: 435868


Updated On:

Products

VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

The vSphere service account requirements list Host.Inventory.EditCluster as a privilege that must be granted.

However, some customer environments do not allow this privilege to be assigned to the service account.

In which scenarios can customers skip granting this permission?

Resolution

The permission is strictly needed only if the customer uses anti-affinity DRS rules (automatic or manual), VM Groups, or host group affinity. Each of these requires the CPI to reconfigure the cluster object itself, which is what Host.Inventory.EditCluster authorizes.

If none of these features is configured, the permission is never exercised. Customers who cannot grant it should confirm that all three features are disabled before deploying, because the failure only surfaces at VM creation or deletion time, not when the CPI starts.

What happens if a customer doesn't grant this permission?
It depends on which features they are using:

  • If enable_auto_anti_affinity_drs_rules is false (the default), no drs_rule is set in cloud_properties, and no host_group is configured, the CPI never calls reconfigure_ex on the cluster during VM creation, so the missing permission causes no failure there. The delete_vm path still inspects the cluster's VM Groups and tries to remove any group the deleted VM leaves empty, so that cleanup would fail if the VM happened to belong to a VM Group. In practice, if those features were never enabled, the CPI will not have created any VM Groups, and deletion succeeds.
  • If any of those features is enabled, create_vm fails with VimSdk::Vim::Fault::NoPermission (or a similar authorization fault) when the CPI calls reconfigure_ex on the cluster. The VM clone may already have completed at that point; the subsequent DRS rule or VM Group creation raises an exception, and depending on timing the CPI may delete the partially created VM as part of its error handling.
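The following pre-flight check is an added example, not code from the vSphere CPI or from this article. It walks a CPI configuration and a set of vm_types and reports every setting that would make the CPI call reconfigure_ex on the cluster, so an operator who cannot grant Host.Inventory.EditCluster can confirm the three features are off before a deploy fails. The sample YAML is constructed for illustration; the key names it searches for (enable_auto_anti_affinity_drs_rules, drs_rule/drs_rules, host_group) are taken from the article, and matching them anywhere under cloud_properties is an assumption about how such settings are nested, not a guarantee of the CPI's exact schema.

```ruby
require 'yaml'

# Constructed sample CPI properties (the global CPI config, not a real deployment).
CPI_CONFIG = YAML.safe_load(<<~YAML)
  enable_auto_anti_affinity_drs_rules: false
YAML

# Constructed sample vm_types from a cloud config. "small" needs no cluster
# edits; "pinned" carries a host_group affinity, which does.
VM_TYPES = YAML.safe_load(<<~YAML)
  - name: small
    cloud_properties:
      cpu: 2
      ram: 4096
      disk: 20480
  - name: pinned
    cloud_properties:
      cpu: 4
      ram: 8192
      disk: 40960
      datacenters:
        - name: dc1
          clusters:
            - prod-cluster:
                host_group:
                  name: rack-a
                  drs_rule: SHOULD
YAML

# Keys whose presence (assumed, per the article) makes the CPI reconfigure the cluster.
CLUSTER_EDIT_KEYS = /\A(drs_rules?|host_group)\z/

# Recursively collect dotted paths of triggering keys. Once a key matches we do
# not descend further, so a host_group with a nested drs_rule is reported once.
def cluster_edit_keys(obj, path = [])
  case obj
  when Hash
    obj.flat_map do |k, v|
      here = path + [k.to_s]
      if k.to_s.match?(CLUSTER_EDIT_KEYS)
        [here.join('.')]
      else
        cluster_edit_keys(v, here)
      end
    end
  when Array
    obj.each_with_index.flat_map { |v, i| cluster_edit_keys(v, path + [i.to_s]) }
  else
    []
  end
end

# Returns a list of human-readable reasons Host.Inventory.EditCluster is needed.
# An empty list means the permission can be skipped for this configuration.
def edit_cluster_required?(cpi_config, vm_types)
  reasons = []
  if cpi_config['enable_auto_anti_affinity_drs_rules'] == true
    reasons << 'cpi: enable_auto_anti_affinity_drs_rules is true'
  end
  vm_types.each do |vt|
    cluster_edit_keys(vt['cloud_properties'] || {}).each do |p|
      reasons << "vm_type #{vt['name']}: cloud_properties.#{p}"
    end
  end
  reasons
end

if __FILE__ == $PROGRAM_NAME
  reasons = edit_cluster_required?(CPI_CONFIG, VM_TYPES)
  if reasons.empty?
    puts 'Host.Inventory.EditCluster is not exercised by this configuration'
  else
    puts 'Host.Inventory.EditCluster is required because of:'
    reasons.each { |r| puts "  - #{r}" }
  end
end
```

Run the same check over vm_extensions as well if the deployment uses them, since cloud_properties there are merged into the VM's properties. A non-empty result means the service account must have the permission, or the offending setting must be removed, before the next create_vm.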