VMware vSphere

I'm trying to create a new role (AD-ROLE) for the admin team that could do the following:

• upload ISO to Content Libarary
• create a new virtual machine and connect an ISO from Content Library
• convert virtual machine to template on Content Library
• deploy a new vm using the template on Content Library
• be able to view Content Library to see available OVF/OVA and templates

I created a group (AD-Group) and added to Global Permissions with the AD-ROLE and propagated to children.

The current (AD-ROLE) privileges has been configured, but when I deploy from template and try to select the compute resource it get this error:
You do not have permission to create a virtual machine from a library template in the selected resource. Select another location.

What is the missing privilege to be able to select the compute resource ?

Content Library

• Add library item
• Chek in a template
• Check out a template
• Create a subscription for a published library
• Delete library item
• Download files
• Evict library item
• Probe subscription information
• Publish a library item to its subscribers
• Publish a library ito its subscribers
• Read storage
• Sync library item
• Update files
• Update library
• Update library item
• Update local library
• View configuration settings

Datastore

• Allocate space
• Browse datastore
• Low level file operation

Network

• Assign network

Virtual machine

• Change Configuration
  • Add existing disk
  • Add new disk
  • Add or remove device
  • Change CPU count
  • Chamge Memory
• Edit Inventory
  • Create from existing
  • Create new
• Interaction
  • Answer question
  • Backup operation on virtual machine
  • Configure CD media
  • Configure floppy media
  • Connect devices
  • Console interaction
  • Create screenshot
  • Defragment all disks
  • Drag and drop
  • Guest operation system management by VIX API
  • Inject USB HID scan codes
  • Install VMware Tools
  • Pause or Unpause
  • Perform wipe or shrink operations
  • Power off
  • Power on
  • Reset
  • Suspend
  • privilege.VirtualMachine.Interact.SuspendToMemory.label
• Provisioning
  • Clone template
  • Clone virtual machine
  • Create template from virtual machine
  • Customize guest
  • Deploy template
  • Mark as template
  • Mark as virtual machine

I am running into the same issue. FWIW

I am also having this issue. Were you able to find a solution?

You need to provide vApp.Import permissions.

You are probably using OVF/OVA templates.

This was it for me - thanks! Of course, Content Library and vApp are related. 

This has not worked for me

Confirmed, this worked for me. I wouldn't have thought a Content Library error message of "You do not have permission to create a virtual machine from a library template in the selected resource. Select another location." would be fixed via a vApp permission vApp Privileges (vmware.com).

Thanks!

This solved my issue. Thank you, friend. 

You have to create a custom role with desired permissions you want to give to end user. Like create a custome role AD-ROLE with privileges you want to give, then create a user e.g User1 and assign this user the role AD-ROLE in the Datacenter permissions and assign role "content library administrator" to the same user (User1) in Global Permissions.

Hope this will solve your concern.

Regards,

Sachchidanand

@Joern_Ravnsbaek, its looks like the missing privilege you need to assign is vApp.Import. Since you are likely using OVF/OVA templates, this privilege is required to deploy a virtual machine from a library template. Try adding this privilege to your AD-ROLE and see if it resolves the issue.

I am sharing this based on my expertise and experience, aiming to provide a clear analysis of the underlying cause of this issue and a reliable approach to resolving it effectively.

Root Cause:

The error message "You do not have permission to create a virtual machine from a library template in the selected resource. Select another location." occurs because the AD-ROLE lacks the necessary privileges to deploy a virtual machine from a Content Library template to the selected compute resource.

The missing privilege is vApp.Import, which is required when deploying OVF/OVA templates from the Content Library. Without this privilege, the system prevents the user from selecting the compute resource for deployment.

Additionally, ensure that the AD-ROLE has the following privileges:

1. Datastore → Allocate space (Required for storage allocation)

2. Resource → Assign virtual machine to resource pool (Required for selecting compute resources)

3. Virtual Machine → Provisioning → Deploy template (Required for deploying templates)

4. Virtual Machine → Provisioning → Clone template (Required for cloning templates)

5. Virtual Machine → Provisioning → Customize guest (Required for guest customization)

Resolution Steps:

1. Grant the missing privilege:

   • Navigate to vCenter Server.

   • Go to Administration → Roles.

   • Edit the AD-ROLE and add the vApp.Import privilege.

2. Verify permissions propagation:

   • Ensure that the AD-Group is assigned to Global Permissions and propagated to child objects.

   • Check if the permissions are correctly applied to Clusters, Resource Pools, Datastores, and Networks.

3. Check access to the source template:

   • If the template is stored in a restricted folder or cluster, users may lack access.

   • Convert the template back to a VM, move it to an accessible location, and then reconvert it to a template.

4. Validate datastore permissions:

   • Ensure that the Allocate space privilege is assigned to the datastore where the template resides.

5. Test deployment:

   • Try deploying a VM from the template again and verify if the issue is resolved.Thanks.