By default, the vCenter Server Administrator role lets users interact with files and programs within a virtual machine's guest operating system. To reduce the risk of breaching guest confidentiality, availability, or integrity, create a nonguest access role without the Guest Operations privilege.

About this task

For security, be as restrictive about allowing access to the virtual datacenter as you are to the physical datacenter. To avoid giving users full administrator access, apply the nonguest access role to users who require administrator privileges, but who are not authorized to interact with files and programs within a guest operating system.

For example, a configuration might include a virtual machine on the infrastructure that has sensitive information on it. Tasks such as migration with vMotion and Storage vMotion require that the IT role has access to the virtual machine. In this case, you want to disable some remote operations within a guest OS to ensure that the IT role cannot access the sensitive information.


Verify that you have Administrator privileges on the vCenter Server system where you create the role.


  1. Log in to the vSphere Web Client as a user who has Administrator privileges on the vCenter Server system where you will create the role.
  2. Click Administration and select Access > Roles.
  3. Click the Create role icon and type a name for the role.

    For example, type Administrator No Guest Access.

  4. Select All Privileges.
  5. Deselect All Privileges > Virtual machine > Guest Operations to remove the Guest Operations set of privileges.
  6. Click OK.

What to do next

Assign users who require Administrator privileges without guest access privileges to the newly created role, ensuring that these users are removed from the default Administrator role.