vCenter Single Sign-On supports authentication, which means it determines whether a user can access vSphere components at all. In addition, each user must be authorized to view or manipulate vSphere objects.
vSphere supports several different authorization mechanisms, discussed in Understanding Authorization in vSphere. The focus of the information in this section is the vCenter Server permission model and how to perform user management tasks.
vCenter Server allows fine-grained control over authorization with permissions and roles. When you assign a permission to an object in the vCenter Server object hierarchy, you specify which user or group has which privileges on that object. To specify the privileges, you use roles, which are sets of privileges.
Initially, only the user email@example.com is authorized to log in to the vCenter Server system. That user can then proceed as follows:
Add an identity source in which additional users and groups are defined to vCenter Single Sign-On. See Add a vCenter Single Sign-On Identity Source.
Give privileges to a user or group by selecting an object such as a virtual machine or a vCenter Server system and assigning a role on that object to the user or group.