vCenter Server grants access to an object only to users who are assigned permissions for the object. When you assign a user permissions for the object, you pair the user with a role. A role is a predefined set of privileges.

vCenter Server provides three default roles. You cannot change the privileges associated with the default roles. The default roles are organized as a hierarchy; each role inherits the privileges of the previous role. For example, the Administrator role inherits the privileges of the Read Only role. Roles that you create do not inherit privileges from any of the default roles.

You can create custom roles for vCenter Server and all objects it manages, or for individual hosts.

vCenter Server Custom Roles (Recommended)

You can create custom roles by using the role-editing facilities in the vSphere Web Client to build privilege sets that match your users' needs.

ESXi Custom Roles

You can create custom roles for individual hosts by using a CLI or the vSphere Client. Custom host roles are not accessible from vCenter Server.

If you manage ESXi hosts through vCenter Server, maintaining custom roles in both the host and vCenter Server can result in confusion and misuse. In most cases, defining vCenter Server roles is recommended.


When you add a custom role and do not assign any privileges to it, the role is created as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read.
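As an added example that is not part of the VMware documentation above, the following PowerCLI script creates a custom vCenter Server role with only the privileges an operator needs, checks that vCenter added nothing beyond the three system-defined privileges (System.Anonymous, System.View, System.Read), scopes the permission to one folder, and flags custom roles that ended up carrying only those system privileges. The vCenter address, role name, folder name and group name are assumed placeholders.

```powershell
# Added example (not from the VMware documentation). Requires the VMware.PowerCLI module.
# Server, role name, folder name and principal are constructed placeholders.
Connect-VIServer -Server 'vcenter.example.com' | Out-Null

# Least privilege: only what an operator needs to power-cycle VMs and open the console.
$operatorPrivIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract'
)
$privs = Get-VIPrivilege -Id $operatorPrivIds
$role  = New-VIRole -Name 'VM Operator (custom)' -Privilege $privs

# vCenter adds these three system-defined privileges to every custom role.
$systemPrivIds = @('System.Anonymous', 'System.View', 'System.Read')

# Verify the role contains exactly the requested privileges plus the system ones,
# so a later manual edit that widens the role is noticed.
$expected = ($operatorPrivIds + $systemPrivIds) | Sort-Object
$actual   = (Get-VIRole -Name $role.Name).PrivilegeList | Sort-Object
if (Compare-Object -ReferenceObject $expected -DifferenceObject $actual) {
    throw "Role '$($role.Name)' does not match the intended privilege set"
}

# Pair the group with the role on one VM folder only, propagating to the VMs inside it
# rather than granting the permission at the vCenter root.
$folder = Get-Folder -Name 'Tier2-VMs' -Type VM
New-VIPermission -Entity $folder -Principal 'CORP\vm-operators' -Role $role -Propagate:$true | Out-Null

# Audit: a custom role with no privileges beyond System.* is effectively Read Only and
# is usually a role someone created and forgot to populate.
Get-VIRole | Where-Object { -not $_.IsSystem } | ForEach-Object {
    $extra = @($_.PrivilegeList | Where-Object { $systemPrivIds -notcontains $_ })
    if ($extra.Count -eq 0) {
        Write-Warning "Custom role '$($_.Name)' grants only System.* privileges (Read Only equivalent)"
    }
}
```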