A role is a predefined set of privileges. Privileges define rights to perform actions and read properties. For example, the Virtual Machine Administrator role consists of read properties and of a set of rights to perform actions. The role allows a user to read and change virtual machine attributes.
When you assign permissions, you pair a user or group with a role and associate that pairing with an inventory object. A single user or group can have different roles for different objects in the inventory.
For example, if you have two resource pools in your inventory, Pool A and Pool B, you can assign a particular user the Virtual Machine User role on Pool A and the Read Only role on Pool B. These assignments allow that user to turn on virtual machines in Pool A, but to only view virtual machines in Pool B.
vCenter Server provides system roles and sample roles by default:
- System roles
- System roles are permanent. You cannot edit the privileges associated with these roles.
- Sample roles
VMware provides sample roles for certain frequently performed combination of tasks. You can clone, modify or remove these roles.
Note: To avoid losing the predefined settings in a sample role, clone the role first and make modifications to the clone. You cannot reset the sample to its default settings.
Users can schedule only tasks if they have a role that includes privileges to perform that task at the time the tasks are created.
Custom Roles in vCenter Server and ESXi
- vCenter Server Custom Roles (Recommended)
- Create custom roles by using the role-editing facilities in the vSphere Web Client to create privilege sets that match your needs.
- ESXi Custom Roles
- You can create custom roles for individual hosts by using a CLI or the vSphere Client. See the vSphere Administration with the vSphere Client documentation. Custom host roles are not accessible from vCenter Server.
- If you manage ESXi hosts through vCenter Server, maintaining custom roles in both the host and vCenter Server can result in confusion and misuse. In most cases, defining vCenter Server roles is recommended.