I was trying to deploy a new VM from a vSphere template, but I kept getting the error: “you do not have permissions to assign this network”
I was using a domain account that’s explicitly granted the Administrator role at the top level of vCenter, so this shouldn’t happen! I checked the Logical Switch I was trying to assign, permissions look good, so I checked the Template. Same thing, permissions look good.
I logged in with the local administrator account, [email protected], and got the exact same error. Now I know local admin should have global admin permissions, so something else is broken.
The only thing I could think of is the template lives in Cluster1, which is a vSAN cluster on it’s own Transport Zone, while I’m trying to deploy the VM to Cluster2, a separate vSAN cluster in a different Transport Zone.
I cloned the template to a new template, but picked Cluster2 as the storage for the new template. That clone worked fine.
From there, I deployed a new VM from “Cluster2-Template” and immediately saw the same error, but the Port Group was blank. Once I assigned the Logical Switch, I was able to deploy the new VM and it worked fine.
The problem?
It appears that because the source template is in a different cluster, VDS, and Transport Zone than my target cluster, the Logical Switch cannot be assigned. I tested deploying to a Distributed Port Group on the Cluster2 VDS and that worked fine.
The fix?
I simply made the template available within the same vSAN cluster and the clone worked. I’m unclear if it’s specific to the source cluster not being in the NSX Transport Zone, but then I ran into something else strange. After I cloned the template to Cluster2, then deployed a new VM from “Cluster2-Template”, I was able to then deploy a new VM from “Cluster1-Template” onto the same Logical Switch that was denied previously.
I tried a handful of other times and sometimes I get “you do not have permissions to assign this network”, so I’ll change the Logical Switch and it’ll pass validation, then I’ll click back, change the vNIC back to the Logical Switch that failed just seconds ago and it works. I got nothin. At a high level, though, making a new clone available in the same Cluster/VDS/Transport Zone seems to work more consistently, but it still failed once for me.
After cloning the template to the destination cluster, changing the vNIC port group setting on the VM before converting to template seems to work consistently.
I am having the same problem. In my case there is no NSX or VSAN, so those are unrelated to the problem. Even [email protected] gets the same error. So far no luck.
Sorry about the double post. But another thing I found was that the HTML5 client does not catch the error. It just fails silently to clone the VM. No error message, no nothing, the job just does not start. The web Client catches the error. FYI, I am running 6.5U1 fully patches. Will try it with 6.5U2 once I have it installed.
I am having this same issue,
I am running vcenter 6.5 u2,
Linked vCenters
Deploy from vCenter A to vCenter B
New vLan gets this error but if I select VM Network it works.
I checked permissions like mentioned before and also did it from [email protected] account with same results.
Quick update
If i deploy from template on vCenter B i do not get this error its only when I am trying to deploy from template on vCenter A linked to vCenter B if that helps.