VMC has a similar but different permissions model to normal on-prem vCenters. Chief among the differences is that you don’t get access to an account that has full permissions over the vCenter. This makes sense as you could break some critical to the provision of the service. The highest level of access is a role called CloudAdmin.

There is a trap waiting for you though. When you are logged into the UI you can configure a role with privileges that CloudAdmin doesn’t have. You can’t use this role to grant permissions to a user/group, can’t modify or delete the role. You are stuck.

You’ll not get a particularly useful error message but using the technique in VMC on AWS Create, update, and remove roles with the MOB 76210 you can find out what privilege is causing the problem.

In this screenshot you can see that the role called RoleWithMorePrivilegesThanCloudAdmin cannot be modified because it has the Toggle Fork Parent privilege. And Toggle Fork Parent in one of a number of the Virtual machine privileges that CloudAdmin doesn’t have.

That’s interesting to know but you’ll need to open an SR and get the VMC backend team to remove the privileges.