A permission is an assignment on an inventory object, such as a virtual machine or ESXi host, that pairs a user or group with a role. The role's privileges define which activities that user or group may perform on the object the permission is set on.

For example, to configure memory for the host, you must grant a role to a user that includes the Host > Configuration > Memory Configuration privilege. By assigning different roles to users for different objects, you control the tasks that users can perform in your vSphere environment.

Users other than root and vpxuser initially have no permissions on any objects, which means they cannot view these objects or perform operations on them. A user with Administrator privileges must assign permissions to these users to allow them to perform tasks.

The list of privileges is the same for ESXi and vCenter Server. See Defined Privileges for a complete list of privileges.

Multiple Permissions

Many tasks require permissions on more than one object.

Permissions applied on a child object always override permissions that are applied on a parent object. Virtual machine folders and resource pools are equivalent levels in the hierarchy: a virtual machine belongs to both a folder and a resource pool, and neither is above the other. If you assign propagating permissions to a user or group on a virtual machine's folder and on its resource pool, the user has the union of the privileges propagated from the resource pool and from the folder.

If multiple group permissions are defined on the same object and the user belongs to two or more of those groups, two situations are possible:

  • If no permission is defined for the user on that object, the user is assigned the set of privileges assigned to the groups for that object.

  • If a permission is defined for the user on that object, the user's permission takes precedence over all group permissions on that object. This precedence applies only between permissions defined on the same object; a permission set directly on a child object, whether for the user or for a group, still overrides anything propagated from a parent.

Permission Examples

These rules can help you determine where you must assign permissions to allow particular operations:

  • Any operation that consumes storage space, such as creating a virtual disk or taking a snapshot, requires the Datastore > Allocate Space privilege on the target datastore, as well as the privilege to perform the operation itself.

  • Moving an object in the inventory hierarchy requires appropriate privileges on the object itself, the source parent object (such as a folder or cluster), and the destination parent object.

  • Each host and cluster has its own implicit resource pool that contains all the resources of that host or cluster. Deploying a virtual machine directly to a host or cluster requires the Resource > Assign Virtual Machine to Resource Pool privilege.
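The resolution rules above (child overrides parent, union across groups, a user's own permission beats group permissions on the same object, union across a virtual machine's folder and resource pool) and the three placement examples, worked through in a small model added here. This is illustrative code written for this page, not vCenter Server's implementation or API. The inventory, roles, groups and permission assignments are constructed; the privilege IDs follow vSphere's dotted naming, but the role contents and the privilege assumed for a VM move (VirtualMachine.Inventory.Move on the VM, its source parent and the destination parent) are assumptions.

```python
"""Model of vSphere permission resolution as described on this page.

Rules implemented:
  * a permission = (principal, role, propagate) attached to an inventory object
  * permissions on a child object override propagated ones from any ancestor
  * a user's own permission on an object beats group permissions on that object;
    otherwise the user gets the union of the groups' roles there
  * an object with two parents (a VM sits in a folder and a resource pool)
    gets the union of what propagates down both chains
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    principal: str   # user or group name
    role: str        # key into ROLES
    propagate: bool  # the "Propagate to children" setting


# Constructed roles for the example; privilege IDs use vSphere's dotted naming.
ROLES = {
    "Read Only": {"System.Anonymous", "System.View", "System.Read"},
    "No Access": set(),
    "VM Operator": {"System.View", "System.Read",
                    "VirtualMachine.Interact.PowerOn",
                    "VirtualMachine.State.CreateSnapshot",
                    "VirtualMachine.Inventory.Move"},
    "Datastore Consumer": {"System.View", "System.Read", "Datastore.AllocateSpace"},
    "Pool Deployer": {"System.View", "System.Read", "Resource.AssignVMToPool"},
}

# Constructed inventory: object -> its parent objects. A VM has two parents.
INVENTORY = {
    "dc1": [],
    "folder-web": ["dc1"], "folder-staging": ["dc1"], "folder-archive": ["dc1"],
    "rp-web": ["dc1"], "host1": ["dc1"], "ds1": ["dc1"],
    "vm-web01": ["folder-web", "rp-web"],
    "vm-web02": ["folder-web", "rp-web"],
}

GROUPS = {"alice": {"ops"}, "bob": {"ops", "auditors"}}

# Constructed permission assignments (object -> permissions set on it).
PERMISSIONS = {
    "folder-web":     [Permission("ops", "VM Operator", propagate=True)],
    "folder-staging": [Permission("ops", "VM Operator", propagate=True)],
    "folder-archive": [Permission("auditors", "Read Only", propagate=True)],
    "rp-web":         [Permission("ops", "Pool Deployer", propagate=True),
                       Permission("auditors", "Read Only", propagate=True)],
    "ds1":            [Permission("ops", "Datastore Consumer", propagate=False)],
    # bob's own No Access on vm-web02 beats the auditors group on the same
    # object and overrides the VM Operator role propagating from folder-web.
    "vm-web02":       [Permission("bob", "No Access", propagate=False),
                       Permission("auditors", "Read Only", propagate=False)],
}


def effective_privileges(user, obj, inherited=False):
    """Nearest permission wins: look on obj itself, else walk up every parent chain."""
    principals = {user} | GROUPS.get(user, set())
    # When obj is an ancestor of the object we started from, only propagating
    # permissions reach us; non-propagating ones are skipped and the walk continues.
    here = [p for p in PERMISSIONS.get(obj, [])
            if p.principal in principals and (p.propagate or not inherited)]
    if here:
        own = [p for p in here if p.principal == user]
        chosen = own if own else here        # user beats groups; else union of groups
        privs = set()
        for p in chosen:
            privs |= ROLES[p.role]
        return privs
    privs = set()
    for parent in INVENTORY.get(obj, []):   # union across folder and resource pool
        privs |= effective_privileges(user, parent, inherited=True)
    return privs


def allowed(user, requirements):
    """requirements: {object: set of privilege IDs}; every object must satisfy its set."""
    return all(needed <= effective_privileges(user, obj)
               for obj, needed in requirements.items())


def can_snapshot(user, vm, datastore):
    # A snapshot consumes space: the VM privilege plus Allocate Space on the datastore.
    return allowed(user, {vm: {"VirtualMachine.State.CreateSnapshot"},
                          datastore: {"Datastore.AllocateSpace"}})


def can_move_vm(user, vm, src_folder, dst_folder):
    # Assumed requirement: Inventory.Move on the VM, its source parent and the destination.
    need = {"VirtualMachine.Inventory.Move"}
    return allowed(user, {vm: need, src_folder: need, dst_folder: need})


def can_deploy_to_pool(user, pool):
    return allowed(user, {pool: {"Resource.AssignVMToPool"}})


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for obj in ("vm-web01", "vm-web02", "rp-web"):
            print(user, obj, sorted(effective_privileges(user, obj)))
    print("alice snapshot vm-web01:", can_snapshot("alice", "vm-web01", "ds1"))
    print("bob snapshot vm-web02:", can_snapshot("bob", "vm-web02", "ds1"))
    print("alice move to archive:", can_move_vm("alice", "vm-web01", "folder-web", "folder-archive"))
```

Run it with no arguments to see the resolved privilege sets. The instructive cases are bob on vm-web02 (his own No Access on the object wins over both the auditors group on the same object and the role propagating from the folder) and alice's move into folder-archive, which fails only because she lacks the privilege on the destination parent.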