To allow your Active Directory users and groups to log in to the vSphere Web Client using their Active Directory credentials and access the vCenter Server objects and the objects from the vSphere products that integrate with the vSphere Web Client, you can use the Global Permissions area in the vSphere Web Client to grant them the appropriate permissions. This would give the users and groups access to all current and future workload domains. Do not use this feature if you want to provide the users or groups limited access to a single workload domain.

The ability to log in to the vSphere Web Client, access inventory objects, and perform operations on those objects is granted by the rights associated with the role that is assigned to the user or group.


Add the Active Directory as an identity source by following the steps in Configure an Active Directory Domain as an Identity Source for your Cloud Foundation System.


  1. Open the view of the management domain's vCenter Server resources in the vSphere Web Client.
    1. In the SDDC Manager Dashboard, navigate from the Dashboard page to view the management domain details.

      You drill down into the management domain details from the Workload Domains area on the dashboard.

    2. On the General Info page of the management domain's Domain Details screen, locate the vCenter launch link used to open the view of the domain's vCenter Server resources in the vSphere Web Client.

      One way to navigate to the management domain's General Info page from the Workload Domains page is to click List View and click the active link that is the name of the management domain.

    3. Launch the vSphere Web Client by clicking the vCenter launch link.

      The vSphere Web Client appears in a new browser tab, authenticated and accessing the management domain's vCenter Server resources.

  2. Navigate to Administration > Access Control > Global Permissions > Manage.
  3. On the Manage tab, add a user or group to the list by clicking the add () icon.
  4. In the Global Permission Root - Add Permission window, select the users and groups to which you want to grant permissions.
    1. At the bottom of the Users and Groups column, click Add.

      The Select Users/Groups window appears.

    2. Select your Active Directory domain in the Domain drop-down list.
    3. Use the selection list and the Add button to add the names of users and groups to the Users and Groups fields.
    4. Click OK to complete adding the selected users and groups to the Users and Groups column in the Global Permission Root - Add Permission window.
  5. Assign a role to users and groups.
    1. Select the users and groups in the Users and Groups column.
    2. In the Assigned Role column, select the role that you want to assign to the selected users and groups.
    3. Select the Propagate to children checkbox.
  6. When you have assigned the desired roles to the users and groups, click OK.


The users and groups are listed on the Manage tab and show their assigned roles.

For more information about managing permissions and user management in vCenter Server, see the vSphere 6.0 Security Guide located at