In most cases, you give privileges to users by assigning permissions to ESXi host objects that are managed by a vCenter Server system. If you are using a standalone ESXi host, you can assign privileges directly.

Assiging Permissions to ESXi Hosts that Are Managed by vCenter Server

If your ESXi host is managed by a vCenter Server, perform management tasks through the vSphere Web Client.

You can select the ESXi host object in the vCenter Server object hierarchy and assign the administrator role to a limited number of users who might perform direct management on the ESXi host. See Using Roles to Assign Privileges.

Best practice is to create at least one named user account, assign it full administrative privileges on the host, and use this account instead of the root account. Set a highly complex password for the root account and limit the use of the root account. (Do not remove the root account.)

Assigning Permissions to Standalone ESXi Hosts

If your environment does not include a vCenter Server system, the following users are predefined.

You can add local users and define custom roles from the Management tab of the vSphere Client.

For all versions of ESXi, you can see the list of predefined users in the /etc/passwd file.

The following roles are predefined:

Read Only

Allows a user to view objects associated with the ESXi host but not to make any changes to objects.


Administrator role.

No Access

No access. This is the default. You can override the default as appropriate.

You can manage local users and groups and add local custom roles to an ESXi host using a vSphere Client connected directly to the ESXi host.

Starting with vSphere 6.0, you can use ESXCLI account management commands for managing ESXi local user accounts. You can use ESXCLI permission management commands for setting or removing permissions on both Active Directory accounts (users and groups) and on ESXi local accounts (users only).


If you define a user for the ESXi host by connecting to the host directly, and a user with the same name also exists in vCenter Server, those users are different. If you assign a role to one of the users, the other user is not assigned the same role.