I deleted a previous thread related to this issue as it hadn't received any responses and I have some more details to provide.
We are running ESXi 5.1 on three clusters and manage them via VCenter. Traditionally we've used the normal vSphere for end-users to power on/off their VMs, but we are trying to move everyone to the vSphere Web Client. Unfortunately we've run into some issues that I'm hoping someone here can assist with.
The structure is pretty simple - two data centers, the three clusters divided between those and then resource groups under each of those which is where we apply our security settings. The security is very simple - one security level applied at the resource level using AD groups as the members. This has worked fine with the vSphere client and continues to work fine.
The problem we're running into us users receive the following error message when trying to power on VMs via the vSphere web client:
*****
The "Power on virtual machine" operation failed for the entity with the following error message.
Virtual machine cannot be found.
*****
After a long string of experiment I've figured out that if I apply the same security at the data center level everything works fine for the end-user. If I apply it at the cluster or resource group level they receive the error.
I tried applying a read-only (non-propigating) permission at the data center and cluster level and then appropriate permissions at the resource group, but that made no difference.
Can anyone explain to me what might be happening? I don't see anything interesting in the logs and am at a loss on how to troubleshoot this one.