"Unable to retrieve the available storage policies" error during Supervisor Control Plane enablement due to user permissions

Article ID: 438168

Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • When attempting to configure Workload Management (vSphere with Tanzu) via the vSphere Client, the deployment wizard fails at the Storage selection step.
  • The UI displays a red warning banner: "Unable to retrieve the available storage policies".

  • The drop-down menu for Control Plane Storage Policy is empty and cannot be populated.

  • The VMware vSphere Profile-Driven Storage Service (sps) is confirmed to be running and healthy within the vCenter Server Appliance Management Interface (VAMI).

  • The issue is isolated to specific users; other administrator accounts can view the policies and complete the Workload Management wizard without errors.

 

Cause

This issue occurs due to a role or permissions conflict within vCenter Single Sign-On (SSO) for the affected user account.

In vCenter Server, if a user account is assigned an administrative role but is simultaneously a member of a group (or holds an explicit permission) that has a restrictive role such as Read-Only or No Access, applied at the same or a higher object level, vCenter enforces the most restrictive permission.

This overlapping restriction silently blocks the vSphere Client UI from querying the Storage Policy Based Management (SPBM) APIs during the Workload Management wizard, resulting in the inability to retrieve the policies.

Resolution

Identify and remove the overlapping restrictive permissions for the affected user.

  1. Log in to the vSphere Client using an unaffected administrator account (such as [email protected]).

  2. Navigate to Administration > Single Sign-On > Users and Groups.

  3. Search for the affected user and check their group memberships.

  4. Navigate to Administration > Access Control > Global Permissions.

  5. Check if the affected user account, or any of the groups they are a member of, is assigned a Read-Only role.

  6. Select the vCenter Server object from the top of the inventory tree, go to the Permissions tab, and verify if a restrictive role is applied locally to the user or their group.

  7. Remove the user from the conflicting Read-Only group, or delete the explicit Read-Only permission rule.

  8. Have the affected user log out of the vSphere Client, clear their browser cache (or open an Incognito/Private window), log back in, and retry the Workload Management enablement wizard.
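
The check in steps 3 through 6 can also be run offline against an export of group memberships and permission rules. The following is an added example, not Broadcom code: the data structures, the sample users and groups, and the "Administrator" role name are assumptions made for illustration.

```python
# Added example: constructed data, not output from a real vCenter.
from dataclasses import dataclass

ADMIN_ROLES = {"administrator"}                 # assumed name of the admin role
RESTRICTIVE_ROLES = {"read-only", "no access"}  # roles named in the article

@dataclass(frozen=True)
class Permission:
    scope: str       # "global" or "vcenter-root": where the rule is defined
    principal: str   # user or group the rule is assigned to
    is_group: bool
    role: str

def groups_of(user, members_by_group):
    """Every group the user belongs to, directly or through nested groups."""
    found, frontier = set(), {user.casefold()}
    while frontier:
        reached = set()
        for group, members in members_by_group.items():
            name = group.casefold()
            if name not in found and frontier & {m.casefold() for m in members}:
                found.add(name)
                reached.add(name)
        frontier = reached
    return found

def conflicting_rules(user, members_by_group, permissions):
    """Restrictive rules that apply to a user who also holds an admin role."""
    groups = groups_of(user, members_by_group)
    applies = [p for p in permissions
               if (p.principal.casefold() in groups if p.is_group
                   else p.principal.casefold() == user.casefold())]
    is_admin = any(p.role.casefold() in ADMIN_ROLES for p in applies)
    return [p for p in applies
            if is_admin and p.role.casefold() in RESTRICTIVE_ROLES]

# Constructed sample: memberships (step 3) and permission rules (steps 4-6).
MEMBERS = {
    "k8s-admins": ["jdoe@example.test", "asmith@example.test"],
    "contractors": ["jdoe@example.test"],
    "auditors": ["contractors"],          # nested group
}
RULES = [
    Permission("global", "k8s-admins", True, "Administrator"),
    Permission("global", "auditors", True, "Read-Only"),
    Permission("vcenter-root", "bkim@example.test", False, "Read-Only"),
]

if __name__ == "__main__":
    for rule in conflicting_rules("jdoe@example.test", MEMBERS, RULES):
        print(f"remove or re-scope: {rule.scope} {rule.principal} -> {rule.role}")
```

The rules returned for a user are the candidates for step 7; a user with no administrative role, or with no restrictive rule, yields an empty list.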