Tl;dr: You need the vApp > Import permission to deploy templates from a Content Library. Read on for the full adventure.

I have mixed feelings about VMware’s documentation. On certain products or topics, I’ve found it to be quite good. On others, it can certainly be lacking. Among all of that though, the VMware community seems to always step in to fill the gap. Today was not one of those days.

I have to assume what I’ve discovered is one of the best kept secrets about vSphere. I read through all of the official documentation, scoured the internet for the best unofficial documentation, and even reached out to knowledgeable resources on the topic…all to no avail.

My problem was fairly simple: I needed to be able to delegate the permission for vSphere users to be able to deploy a VM from a Content Library template. In my opinion, vSphere’s permissions are very nice to work with. They are sensibly broken down into categories, have plain English names, and even come with a nice explanation for further clarity. After diving into the permissions stack to enable this new deployment requirement, I quickly found that nothing jumped out to me to be the answer. The explanations didn’t help at all either. I asked and read as much as I could in as many ways as I could before doing the supremely painful. I knew Administrators could deploy, but my VM users could not. There were a ton of permissions different between them, and enabling them one at a time did not sound like fun. After days of avoiding it, it was the only solution I had. So on I went.

I started at the top, giving full permission to each privilege category. Most of them didn’t make any sense, but I had to be sure. Alarms, Autodeploy, Certificates…nope. Content Library was already fully enabled from previous attempts. On and on I went, down the list, testing each change. I’ve always heard that what you’re looking for will be in the last place you look. (No kidding, right?) In this case, it was third to last. With the vApp category selected, the ability I was looking for revealed itself. Progress!

The next task was to hone in on the specific permission in that category that I was looking for. Here we go again. Instead of just going top to bottom, I picked the most sensible one available at the time, keeping track of what I’d tried. I’ll spare you the time…it’s Import. The permission I’ve been hunting for for days was vApp > Import. So much for intuitive permissions. But hey, I found it, and now you can too.