I have been working on a small test lab and need some assistance resolving what looks like a permissions issue. I am running the VC appliance 5.5, a single 5.1 host and vco 5.5.  SSO is configured with Active directory as a LDAP server and appears to work as I can sign in to VC and vcO using my AD Domain admin creds. In AD I created a test user called builder, and domain groups as follows: VCO Builders – builders account VCO Admins – my account Domain admin – my account In VC these 3 groups are all set to 'administrators' at the root level. In the SSO administrators group I added VCO Admins and Domain admins. I added the VCO Builders group to the SSO SolutionUsers group I think the issue is related to how this groups permissions map into VC. I have tried to make the user a domain admin, but that did not resolve it. I have been working through this workflow http://www.vcoteam.info/articles/learn-vco/54-create-a-simple-vco-self-service-vm-provisioning-porta.... When I run the workflow with my AD account it all works.  When I run it as builder, it fails after I answer the approval question.  The error is ‘Unable to execute action 'cloneVM', you have no 'execution' rights’ What am I missing?