The vsphere.local domain includes several predefined groups. Add a user to one of these groups to allow that user to perform the corresponding actions.

For all objects in the vCenter Server hierarchy, permissions are assigned by pairing a user and a role with the object. For example, you can select a resource pool and give a group of users read privileges to that resource pool by giving them the corresponding role.

For some services that are not managed by vCenter Server directly, privileges are determined by membership in one of the vCenter Single Sign-On groups. For example, a user who is a member of the Administrator group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.

The following groups are predefined in vsphere.local.


Many of these groups are internal to vsphere.local or give users high-level administrative privileges. Add users to any of these groups only after careful consideration of the risks.


Do not delete any of the predefined groups in the vsphere.local domain. If you do, errors with authentication or certificate provisioning might result.

Table 1. Groups in the vsphere.local Domain

Users
    Users in the vsphere.local domain.

SolutionUsers
    Solution users are the vCenter services, grouped together. Each solution user authenticates individually to vCenter Single Sign-On with a certificate. By default, VMCA provisions solution users with certificates. Do not add members to this group explicitly.

CAAdmins
    Members of the CAAdmins group have administrator privileges for VMCA. Adding members to this group is not usually recommended.

DCAdmins
    Members of the DCAdmins group can perform Domain Controller Administrator actions on VMware Directory Service.
    Do not manage the domain controller directly. Instead, use the vmdir CLI or the vSphere Web Client to perform the corresponding tasks.

SystemConfiguration.BashShellAdministrators
    This group is available only for vCenter Server Appliance deployments.
    A user in this group can enable and disable access to the BASH shell. By default, a user who connects to the vCenter Server Appliance with SSH can access only the commands in the restricted shell. Users who are in this group can access the BASH shell.

ActAsUsers
    Members of Act-As Users are allowed to get actas tokens from vCenter Single Sign-On.

ExternalIDPUsers
    This group is not used by vSphere. It is needed in conjunction with VMware vCloud Air.

SystemConfiguration.Administrators
    Members of the SystemConfiguration.Administrators group can view and manage the system configuration in the vSphere Web Client. These users can view, start, and restart services, troubleshoot services, see the available nodes, and manage those nodes.

DCClients
    This group is used internally to allow the management node access to data in VMware Directory Service.
    Do not modify this group. Any changes might compromise your certificate infrastructure.

ComponentManager.Administrators
    Members of the ComponentManager.Administrators group can invoke component manager APIs that register or unregister services, that is, modify services. Membership in this group is not necessary for read access to the services.

LicenseService.Administrators
    Members of LicenseService.Administrators have full write access to all licensing-related data and can add, remove, assign, and unassign serial keys for all product assets registered in the licensing service.

Administrators
    Administrators of the VMware Directory Service (vmdir). Members of this group can perform vCenter Single Sign-On administration tasks. Adding members to this group is not usually recommended.