How to fix Privilege Issues in Data Services Manager (DSM) when operations fail with "InsufficientPrivileges"
Article ID: 442553

Products

VMware Data Services Manager

Issue/Introduction

DSM service accounts are used to interact with and manipulate vCenter objects for DSM.

If the required privileges are missing, the user will not be able to execute the operations that need those privileges.

Environment

VMware Data Services Manager

Cause

If the privileges named in the error below are not present, the user will not be able to create support bundles successfully.

The following error will be shown:

Status Conditions: hli-pg-a-new-namespace
[
  {
    "lastTransitionTime": "2026-05-29T10:19:31Z",
    "message": "Logs collection was partially successful. No data plane logs were collected.",
    "observedGeneration": 1,
    "reason": "PartialSuccess",
    "status": "True",
    "type": "Ready"
  },
  {
    "lastTransitionTime": "2026-05-29T10:19:31Z",
    "message": "",
    "reason": "Ready",
    "status": "True",
    "type": "ControlPlaneCollection"
  },
  {
    "lastTransitionTime": "2026-05-29T10:19:31Z",
    "message": "cluster 'Cluster name': The DSM admin service account is missing the following GuestOperations privileges: VirtualMachine.GuestOperations.ModifyAliases, VirtualMachine.GuestOperations.QueryAliases, VirtualMachine.GuestOperations.Modify, VirtualMachine.GuestOperations.Execute, VirtualMachine.GuestOperations.Query.
Please ensure these privileges are granted to the service account.",
    "reason": "Ready",
    "status": "False",
    "type": "DataPlaneCollection"
  }
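
To pull the missing privilege names out of status conditions like the ones above, for example before adding them back in the vSphere UI, the following added example (not part of the original article or of DSM) parses the conditions array in Python. The sample input is constructed from the output above, the cluster name is a placeholder, and the function name `missing_privileges` is hypothetical.

```python
import json
import re

# Constructed sample modeled on the status conditions quoted above.
# The "\n" below becomes a raw newline inside the JSON string, as in the pasted output.
SAMPLE = (
    '[{"type": "Ready", "status": "True", "reason": "PartialSuccess",'
    ' "message": "Logs collection was partially successful."},'
    ' {"type": "ControlPlaneCollection", "status": "True", "reason": "Ready", "message": ""},'
    ' {"type": "DataPlaneCollection", "status": "False", "reason": "Ready",'
    ' "message": "cluster \'example-cluster\': The DSM admin service account is missing'
    ' the following GuestOperations privileges:'
    ' VirtualMachine.GuestOperations.ModifyAliases, VirtualMachine.GuestOperations.QueryAliases,'
    ' VirtualMachine.GuestOperations.Modify, VirtualMachine.GuestOperations.Execute,'
    ' VirtualMachine.GuestOperations.Query.\nPlease ensure these privileges are granted'
    ' to the service account."}]'
)

MARKER = re.compile(r"missing the following \w+ privileges:")
PRIVILEGE = re.compile(r"[A-Za-z]+(?:\.[A-Za-z]+)+")  # dotted vSphere privilege IDs
CLUSTER = re.compile(r"cluster '([^']*)'")


def missing_privileges(raw):
    """Return one finding per failed condition whose message names missing privileges."""
    # strict=False accepts control characters (the raw newline) inside JSON strings.
    conditions = json.loads(raw, strict=False)
    findings = []
    for cond in conditions:
        message = cond.get("message", "")
        marker = MARKER.search(message)
        if cond.get("status") != "False" or not marker:
            continue
        # Only scan text after the marker; dict.fromkeys de-duplicates and keeps order.
        names = list(dict.fromkeys(PRIVILEGE.findall(message[marker.end():])))
        cluster = CLUSTER.search(message)
        findings.append({
            "condition": cond.get("type"),
            "cluster": cluster.group(1) if cluster else None,
            "privileges": names,
        })
    return findings


if __name__ == "__main__":
    for finding in missing_privileges(SAMPLE):
        print(finding["condition"], finding["cluster"])
        for name in finding["privileges"]:
            print("  " + name)
```

The parser expects a complete JSON array, so close the array with `]` if the pasted status output was cut short.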
 

 

Additionally, the `vcenterbinding` CR in Gateway will also contain a status showing "InsufficientPrivileges".

Resolution

For versions prior to 9.1.1 (not including version 9.1.1):

Manually add back the privileges via vSphere UI:

 

Click "Edit" and add the missing privileges:

 

For version 9.1.1 and higher (including 9.1.1):

DSM implements an automatic fix when required privileges are missing. In this case, the user doesn't need to go to the vSphere UI to add the privileges manually.

Step 1
SSH to the Provider VM and execute the below command:

 

kg create secret generic vc-admin-secret --from-literal=username='<your-admin-username>' --from-literal=password='<your-admin-password>'
(replace the placeholders above with your own administrator's user name and password)

 

Step 2
Edit the vcenterbinding CR to associate it with this newly created admin secret. Normally the spec shows:

 

spec:
  vcenterAdminSecret: {}


Change it to:

spec:
  vcenterAdminSecret:
    name: vc-admin-secret


Step 3
Delete the created vc-admin-secret in Gateway. After another reconciliation, the missing privileges should be added back and the associated vCenter administrator secret in the vcenterbinding CR should become empty again (for security reasons).