NVP vProxy: Image Restore Fails "ServerFaultCode: Permission to perform this operation was denied."

A Virtual Machine (VM) restore is performed using the NetWorker VMware Protection (NVP) vProxy appliance fails.
The error returned is "ServerFaultCode: Permission to perform this operation was denied." For example:

159373:nsrvproxy_recover: vProxy Log: 2025-03-12T19:54:02Z ERROR:  [@(#) Build number: 177] Unable to create the directory "[vsanDatastore] win-client01.amer.lan_1" in datastore: ServerFaultCode: Permission to perform this operation was denied.
159373:nsrvproxy_recover: vProxy Log: 2025-03-12T19:54:02Z WARN:   [@(#) Build number: 177] RecoverVMSessions "1e3ef2fc-d334-4433-aff1-7e643c4e1f56" cleaning up running recover session due to error.
159373:nsrvproxy_recover: vProxy Log: 2025-03-12T19:54:02Z INFO:   [@(#) Build number: 177] Disconnected from session on vCenter 'vcsa.amer.lan'.
159373:nsrvproxy_recover: vProxy Log: 2025-03-12T19:54:02Z ERROR:  [@(#) Build number: 177] Failed to recover to a new VM. ServerFaultCode: Permission to perform this operation was denied.

The ProxyHC utility reports no permissions issues for the user account used to add the vCenter to NetWorker:

nsr-vproxy01:~ # /home/admin/ProxyHC perm
...
Info: Checking vCenter access
        Please specify vCenter USER name for vcsa.amer.lan: networker_user@vsphere.local
        Please provide vCenter server password:
        Info: Validating vCenter server connectivity -------> Passed
Info: Checking vCenter user permissions
        Info: Looking for user permissions to root object -------> Passed
        Info: Looking for privileges for role -------> Passed
...

nsr-vproxy01:~ # cat /tmp/proxy-hc.log
...
INFO   Checking vCenter user permissions
INFO   -------> Using: vsphere.local\networker_user
INFO   -------> Found role ID: -1
INFO   -------> Successful

NVP-vProxy: How to use health check tool ProxyHC on vProxy appliance
 

The NSR hypervisor user (VMware account used to add the vCenter to NetWorker), belongs to multiple VMware groups. The group containing all the required permissions to perform NetWorker VMware Protection is defined at the vCenter root level, so ProxyHC reports no issue. Another, more restrictive, group is defined at another level in the vCenter.

For example, the user networker_user is defined with Administrator permissions on the vCenter root object:


However, the user also belongs to another (more restrictive group) defined at the data center level:


More restrictive permissions at the data center level override root level permissions, causing the ServerFaultCode error during the restore.

Confirm which account is used by NetWorker to communicate with VMware. 

This can be done from the NetWorker Management Console (NMC). Go to Protection > VMware View. Right-click the vCenter, then click Modify Properties:

Alternatively, the nsradmin command can be used on the NetWorker server:

[root@nsr ~]# nsradmin
NetWorker administration program.
Use the "help" command for help, "visual" for full-screen mode.
nsradmin> show name; username
nsradmin> print type: nsr hypervisor
                        name: vcsa.amer.lan;
                    username: networker_user@vsphere.local;
nsradmin> quit

The VMware Administrator must review what VMware groups the VMware user account belongs to. Review the permissions on VMware objects to check if the user or group is restricted at a lower level, as shown in the Cause field example. The required permissions for the NetWorker VMware user account are defined in the NetWorker VMware Integration Guide. See: https://www.dell.com/support/product-details/product/networker/docs

Once the permissions are corrected, perform the VM restore from NetWorker.

The vCenter server/storage/log/vmware/applmgmt-audit/applmgmt-audit.log reports that the user is missing permissions. The error overlaps with the restore attempt:

2025-03-12T14:03:09.574: INFO Authorization Result: User=networker_user@amer.lan, priv=ModifyConfiguration, authorized=False

The errors observed can vary depending on the environment, how permissions were configured, and delegated on the VMware objects.

If no permissions errors are observed, see: NVP vProxy - Virtual Machine Image Recover failing with Error registering VM: ServerFaultCode: Permission to perform this operation was denied.