Use the vSphere Client to view the privileges granted to vCenter users regardless of whether those users are defined in the default vSphere Single Sign-On domain or in an identity provider like Active Directory.

In addition to the roles and permissions described in Using vCenter Server Roles to Assign Privileges, the vCenter Server in your SDDC includes these predefined roles not present in your on-premises vCenter:
CloudAdmin Role
The CloudAdmin role has the privileges necessary to create and manage SDDC workloads and related objects such as storage policies, content libraries, vSphere tags, and resource pools. This role cannot access or configure objects that are supported and managed by VMware, such as hosts, clusters, and management virtual machines. The CloudAdmin role can create, clone, or modify non-default roles. For detailed information about the privileges assigned to this role, see CloudAdmin Privileges.

The CloudAdmin user can grant other users or groups read-only access to VMware Cloud on AWS vCenter management objects such as the Mgmt-ResourcePool, Management VMs folder, Discovered Virtual Machines folder, vmc-hostswitch, and vsanDatastore. Because this read-only access does not propagate to management objects, you cannot grant it as a Global Permission and instead must explicitly grant it for each management object. VMware Cloud on AWS runs a script once a day that updates any newly created management objects (such as objects in a new cluster) so that the CloudAdmin user and CloudAdminGroup SSO group have the updated role applied. The script itself does not grant additional access to any user or group, so you'll need to wait until it completes before the CloudAdmin can use this workflow to grant read-only access to those objects.

On its own, the CloudAdmin role does not grant any access to management objects. As a member of the CloudAdminGroup, the CloudAdmin@vmc.local account inherits group permissions, which include read-only access to the management objects.

VMware Cloud on AWS also defines a set of Service Roles that you manage in the VMware Cloud Services console and a set of Organization Roles that are assigned as part of inviting new users. These roles can further restrict the rights that organization members have to vSphere objects in the SDDC. See Assign a Service Role to an Organization Member and Invite a New User.

For information about using vSphere automation tools such as PowerCLI or the vSphere Terraform Provider to create custom vCenter Server roles, see Custom vCenter Server Role using vSphere Terraform Provider on VMware Cloud on AWS.


  1. Log in to VMware Cloud Services at
  2. Click Inventory > SDDCs, then pick an SDDC card and click OPEN VCENTER.
  3. Use the vSphere Client to select an object in the object hierarchy, for example a resource pool or virtual machine, and click Permissions.
  4. To view the privileges that a role grants to the users and groups listed there:
    1. On the vSphere Client Home page, click Administration.
    2. Under Access Control, click Roles.
    3. Click a role name (CloudAdmin, for example).
    4. Click the Privileges tab on the right.


You can scroll through the list to see the privileges granted to the selected role. See Defined Privileges for a detailed list of all vSphere privileges.
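The same review can be done from PowerCLI, which is useful when you want a repeatable audit of who holds what on the management objects named above rather than clicking through each one. The script below is an added example, not code from the VMware Cloud on AWS documentation: it assumes the VMware.PowerCLI module is installed, that you connect with a CloudAdmin credential, and that the vCenter server name and the default object names passed to `Get-SddcPermissionReport` are adjusted to your SDDC (the server name shown in the usage line is a placeholder).

```powershell
# Added example, not from the VMware Cloud on AWS documentation: list the
# permissions on selected SDDC inventory objects with PowerCLI, then expand
# each role that appears into the privilege IDs the vSphere Client shows on
# the Privileges tab. Assumes VMware.PowerCLI is installed and that you log in
# as a CloudAdmin user; the server name is a placeholder you must replace.

function Get-SddcPermissionReport {
    param(
        [Parameter(Mandatory)] [string] $VcServer,
        # Objects to inspect; defaults are management objects named on this page.
        # Adjust to the names in your own inventory.
        [string[]] $EntityNames = @('Mgmt-ResourcePool', 'Management VMs', 'vsanDatastore')
    )

    Import-Module VMware.PowerCLI -ErrorAction Stop
    $vc = Connect-VIServer -Server $VcServer `
                           -Credential (Get-Credential -Message 'CloudAdmin credential') `
                           -ErrorAction Stop

    try {
        $report = foreach ($name in $EntityNames) {
            # Resolve the name across the object types that carry their own permissions.
            $objects = @(
                Get-ResourcePool -Name $name -Server $vc -ErrorAction SilentlyContinue
                Get-Folder       -Name $name -Server $vc -ErrorAction SilentlyContinue
                Get-Datastore    -Name $name -Server $vc -ErrorAction SilentlyContinue
            ) | Where-Object { $_ }
            if (-not $objects) {
                Write-Warning "No resource pool, folder or datastore named '$name'"
                continue
            }

            foreach ($obj in $objects) {
                # One row per (principal, role) assignment on this object. Propagate = False
                # means the permission stops at this object, which is why read-only on
                # management objects is granted per object rather than as a Global Permission.
                foreach ($p in Get-VIPermission -Entity $obj -Server $vc) {
                    [pscustomobject]@{
                        Entity    = $obj.Name
                        Type      = $obj.GetType().Name
                        Principal = $p.Principal
                        IsGroup   = $p.IsGroup
                        Role      = $p.Role
                        Propagate = $p.Propagate
                    }
                }
            }
        }

        $report | Sort-Object Entity, Principal | Format-Table -AutoSize | Out-String | Write-Host

        # Expand every role seen above into its privilege list, the same data the
        # Privileges tab shows for that role in the vSphere Client.
        foreach ($roleName in ($report | Select-Object -ExpandProperty Role -Unique)) {
            $role = Get-VIRole -Name $roleName -Server $vc
            Write-Host "-- Role '$($role.Name)' (system role: $($role.IsSystem)) grants $($role.PrivilegeList.Count) privileges --"
            $role.PrivilegeList | Sort-Object | ForEach-Object { "   $_" } | Write-Host
        }

        return $report
    }
    finally {
        Disconnect-VIServer -Server $vc -Confirm:$false
    }
}

# Usage (replace the placeholder with your SDDC vCenter FQDN):
# Get-SddcPermissionReport -VcServer 'vcenter.sddc-PLACEHOLDER.vmwarevmc.com'
```

The report is also returned as objects, so it can be piped to `Export-Csv` for periodic comparison; a new principal or a role change on a management object then shows up as a diff between two runs rather than something you have to spot in the client.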