You can create custom vCenter Server roles by using PowerCLI.

CryptographicOperations.DirectAccess is required only when the virtual machine's storage has encryption policies.

Procedure

  1. Create a text file called CV_role_ids.txt and add the following content:
    System.Anonymous
    System.View
    System.Read
    Global.CancelTask
    Folder.Create
    Folder.Delete
    CryptographicOperations.DirectAccess
    Datastore.Browse
    Datastore.DeleteFile
    Datastore.FileManagement
    Datastore.AllocateSpace
    Datastore.UpdateVirtualMachineFiles
    Host.Local.CreateVM
    Host.Local.ReconfigVM
    Host.Local.DeleteVM
    VirtualMachine.Inventory.Create
    VirtualMachine.Inventory.CreateFromExisting
    VirtualMachine.Inventory.Register
    VirtualMachine.Inventory.Delete
    VirtualMachine.Inventory.Unregister
    VirtualMachine.Inventory.Move
    VirtualMachine.Interact.PowerOn
    VirtualMachine.Interact.PowerOff
    VirtualMachine.Interact.Suspend
    VirtualMachine.Config.AddExistingDisk
    VirtualMachine.Config.AddNewDisk
    VirtualMachine.Config.RemoveDisk
    VirtualMachine.Config.AddRemoveDevice
    VirtualMachine.Config.Settings
    VirtualMachine.Config.Resource
    VirtualMachine.Provisioning.Customize
    VirtualMachine.Provisioning.Clone
    VirtualMachine.Provisioning.PromoteDisks
    VirtualMachine.Provisioning.CreateTemplateFromVM
    VirtualMachine.Provisioning.DeployTemplate
    VirtualMachine.Provisioning.CloneTemplate
    VirtualMachine.Provisioning.MarkAsTemplate
    VirtualMachine.Provisioning.MarkAsVM
    VirtualMachine.Provisioning.ReadCustSpecs
    VirtualMachine.Provisioning.ModifyCustSpecs
    Resource.AssignVMToPool
    Task.Create
    Sessions.TerminateSession
    
  2. Modify the vCenter Server location in the following PowerShell script and run it:
    The CV_role_ids.txt file must be in the same folder as the PowerShell script.
    $cvRole = "App Volumes Role"
    $cvRolePermFile = "CV_role_ids.txt"
    $viserver = "your-vcenter-server-FQDN"
    Connect-VIServer -server $viServer
    $cvRoleIds = @()
    Get-Content $cvRolePermFile | Foreach-Object{
        $cvRoleIds += $_
    }
    New-VIRole -name $cvRole -Privilege (Get-VIPrivilege -Server $viserver -id $cvRoleIds) -Server $viserver
    Set-VIRole -Role $cvRole -AddPrivilege (Get-VIPrivilege -Server $viserver -id $cvRoleIds) -Server $viserver