I was trying to deploy a new VM from a vSphere template, but I kept getting the error: “you do not have permissions to assign this network”.

I was using a domain account that’s explicitly granted the Administrator role at the top level of vCenter, so this shouldn’t happen! I checked the Logical Switch I was trying to assign, permissions look good, so I checked the Template. Same thing, permissions look good.

I logged in with the local administrator account, administrator@vsphere.local, and got the exact same error. Now I know local admin should have global admin permissions, so something else is broken.

The only thing I could think of is the template lives in Cluster1, which is a vSAN cluster on its own Transport Zone, while I’m trying to deploy the VM to Cluster2, a separate vSAN cluster in a different Transport Zone.

I cloned the template to a new template, but picked Cluster2 as the storage for the new template. That clone worked fine.

From there, I deployed a new VM from “Cluster2-Template” and immediately saw the same error, but the Port Group was blank. Once I assigned the Logical Switch, I was able to deploy the new VM and it worked fine.

The problem?

It appears that because the source template is in a different cluster, VDS, and Transport Zone than my target cluster, the Logical Switch cannot be assigned. I tested deploying to a Distributed Port Group on the Cluster2 VDS and that worked fine.

The fix?

I simply made the template available within the same vSAN cluster and the clone worked. I’m unclear if it’s specific to the source cluster not being in the NSX Transport Zone, but then I ran into something else strange. After I cloned the template to Cluster2, then deployed a new VM from “Cluster2-Template”, I was able to then deploy a new VM from “Cluster1-Template” onto the same Logical Switch that was denied previously.

I tried a handful of other times and sometimes I get “you do not have permissions to assign this network”, so I’ll change the Logical Switch and it’ll pass validation, then I’ll click back, change the vNIC back to the Logical Switch that failed just seconds ago and it works. I got nothin. At a high level, though, making a new clone available in the same Cluster/VDS/Transport Zone seems to work more consistently, but it still failed once for me.