Authentication and authorization govern access. Each user must authenticate with vCenter Single Sign-On before accessing vSphere components. Each user must also be authorized to view or manipulate vSphere objects.

vSphere supports several different authorization mechanisms, discussed in detail in Understanding Authorization in vSphere.

Roles in VMware Cloud on AWS

In an on-premises environment, the administrator@vsphere.local user has the Administrator role on the top-level vCenter Server. The Administrator role includes all defined privileges.

In VMware Cloud on AWS, the cloudadmin@vmc.local user has both the CloudAdmin and the CloudGlobalAdmin role. Together, these two roles carry all the privileges you need to manage your SDDC, but they do not include every privilege that the Administrator role includes. See Privileges Reference for CloudAdmin and CloudGlobalAdmin for details on the privileges for these two roles.

vSphere Authentication Basics

vCenter Server allows fine-grained control over authorization with permissions and roles. When you assign a permission to an object in the vCenter Server object hierarchy, you specify which user or group has which privileges on that object. To specify the privileges, you use roles, which are sets of privileges.

Only the cloudadmin@vmc.local user is initially authorized to log in to VMware Cloud on AWS. That user can then add users and give privileges to users. In VMware Cloud on AWS you can perform the following user management tasks.

Task: Add one or more identity sources.
Description: The users in the corresponding domains can then authenticate.

Task: Manage object-level permissions.
Description: An object-level permission defines which group has which role on an object. For example, a certain group of users might have the ReadOnly role on a virtual machine folder and another group of users might have the Administrator role on a virtual machine folder.

Task: Manage global permissions.
Description: Global permissions are relevant in an on-premises environment if your SDDC has multiple components. In VMware Cloud on AWS they apply to tags and the content library.
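As an added worked example (not from the VMware documentation, which contains no code), the following PowerCLI script carries out the object-level permission scenario described above: it grants a group the ReadOnly role on a virtual machine folder and then audits which principals hold which role on every VM folder, flagging roles that carry more than read access. The vCenter address, folder name and group name are placeholders.

```powershell
# Added example, not VMware's own code. Requires the VMware.PowerCLI module
# and an account authorized to manage permissions (cloudadmin@vmc.local or a
# user it has delegated to). All three values below are placeholders.
$vcenter = 'vcenter.sddc.example.com'    # placeholder vCenter FQDN
$folder  = 'Tenant-A'                     # placeholder VM folder name
$group   = 'vmc.local\tenant-a-readers'   # placeholder group principal

Connect-VIServer -Server $vcenter | Out-Null

# Resolve the object and the role. A role is a named set of privileges;
# ReadOnly is built in, so no custom role has to be created first.
$vmFolder = Get-Folder -Name $folder -Type VM
$readOnly = Get-VIRole -Name 'ReadOnly'

# Object-level permission = principal + role on an object. Propagate so the
# virtual machines inside the folder inherit the same read-only access.
New-VIPermission -Entity $vmFolder -Principal $group -Role $readOnly -Propagate:$true | Out-Null

# Audit every permission on every VM folder. The ReadOnly role holds only
# System.* privileges, so any other privilege marks the role as elevated.
$report = foreach ($f in Get-Folder -Type VM) {
    foreach ($perm in Get-VIPermission -Entity $f) {
        $privs      = Get-VIPrivilege -Role (Get-VIRole -Name $perm.Role)
        $writePrivs = $privs | Where-Object { $_.Id -notlike 'System.*' }
        [pscustomobject]@{
            Folder    = $f.Name
            Principal = $perm.Principal
            IsGroup   = $perm.IsGroup
            Role      = $perm.Role
            Propagate = $perm.Propagate
            Elevated  = ($writePrivs.Count -gt 0)
        }
    }
}

# Elevated assignments sort to the top so over-privileged groups stand out.
$report | Sort-Object Elevated -Descending | Format-Table -AutoSize

Disconnect-VIServer -Server $vcenter -Confirm:$false
```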