After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects. You can assign the same permissions at one time on multiple objects by moving the objects to a folder and setting the permissions on the folder.

Permissions assigned from the vSphere Web Client must match permissions, including case, in ActiveDirectory precisely. If you upgraded from earlier versions of vSphere, check for case inconsistencies if you experience problems with groups.


Permissions.Modify permission on the parent object of the object whose permissions you want to modify.


  1. Browse to the object in the vSphere Web Client object navigator.
  2. Click the Manage tab and select Permissions.
  3. Click Add Permission.
  4. Click Add.
  5. Identify the user or group that will have the permission.
    1. Select the domain where the user or group is located from the Domain drop-down menu.
    2. Type a name in the Search box or select a name from the list.
      The system searches user names, group names, and descriptions.
    3. Select the user or group and click Add.
      The name is added to either the Users or Groups list.
    4. (Optional) Click Check Names to verify that the user or group exists in the database.
    5. Click OK.
  6. Select a role from the Assigned Role drop-down menu.
    The roles that are assigned to the object appear in the menu. The privileges contained in the role are listed in the section below the role title.
  7. (Optional) Deselect the Propagate to Child Objects check box.
    The role is applied only to the selected object and does not propagate to the child objects.
  8. Verify that the users and groups are assigned to the appropriate permissions and click OK.
    The server adds the permission to the list of permissions for the object.

    The list of permissions references all users and groups that have roles assigned to the object and indicates where in the vCenter Server hierarchy the role is assigned.