The vCenter Single Sign-On domain (vsphere.local by default) includes several predefined groups. Add users to one of those groups to enable them to perform the corresponding actions.

See Managing vCenter Single Sign-On Users and Groups.

For all objects in the vCenter Server hierarchy, you can assign permissions by pairing a user and a role with the object. For example, you can select a resource pool and give a group of users read privileges to that resource pool object by giving them the corresponding role.

For some services that are not managed by vCenter Server directly, membership in one of the vCenter Single Sign-On groups determines the privileges. For example, a user who is a member of the Administrator group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.

The following groups are predefined in vsphere.local.

Note: Many of these groups are internal to vsphere.local or give users high-level administrative privileges. Add users to any of these groups only after careful consideration of the risks.
Note: Do not delete any of the predefined groups in the vsphere.local domain. If you do, errors with authentication or certificate provisioning might result.
Table 1. Groups in the vsphere.local Domain
Privilege Description
Users Users in the vCenter Single Sign-On domain (vsphere.local by default).
SolutionUsers Solution users group vCenter services. Each solution user authenticates individually to vCenter Single Sign-On with a certificate. By default, VMCA provisions solution users with certificates. Do not add members to this group explicitly.
CAAdmins Members of the CAAdmins group have administrator privileges for VMCA. Do not add members to this group unless you have compelling reasons.
DCAdmins Members of the DCAdmins group can perform Domain Controller Administrator actions on VMware Directory Service.
Note: Do not manage the domain controller directly. Instead, use the vmdir CLI or vSphere Web Client to perform corresponding tasks.
SystemConfiguration.BashShellAdministrators This group is available only for vCenter Server Appliance deployments.

A user in this group can enable and disable access to the BASH shell. By default a user who connects to the vCenter Server Appliance with SSH can access only commands in the restricted shell. Users who are in this group can access the BASH shell.

ActAsUsers Members of Act-As Users are allowed to get Act-As tokens from vCenter Single Sign-On.
ExternalIPDUsers This internal group is not used by vSphere. VMware vCloud Air requires this group.
SystemConfiguration.Administrators Members of the SystemConfiguration.Administrators group can view and manage the system configuration in the vSphere Web Client. These users can view, start and restart services, troubleshoot services, see the available nodes, and manage those nodes.
DCClients This group is used internally to allow the management node access to data in VMware Directory Service.
Note: Do not modify this group. Any changes might compromise your certificate infrastructure.
ComponentManager.Administrators Members of the ComponentManager.Administrators group can invoke component manager APIs that register or unregister services, that is, modify services. Membership in this group is not necessary for read access on the services.
LicenseService.Administrators Members of LicenseService.Administrators have full write access to all licensing-related data and can add, remove, assign, and unassign serial keys for all product assets registered in the licensing service.
Administrators Administrators of the VMware Directory Service (vmdir). Members of this group can perform vCenter Single Sign-On administration tasks. Do not add members to this group unless you have compelling reasons and understand the consequences.