You authorize a user or group to perform tasks on vCenter objects by using permissions on the object.
vSphere 6.0 and later allows privileged users to give other users permissions to perform tasks. You can use global permissions, or you can use local vCenter Server permissions to authorize other users for individual vCenter Server instances.
- vCenter Server Permissions
- The permission model for vCenter Server systems relies on assigning permissions to objects in the object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for a selected object. For example, you can select an ESXi host in the object hierarchy and assign a role to a group of users. That role gives those users the corresponding privileges on that host.
- Global Permissions
- Global permissions are applied to a global root object that spans solutions. For example, if both vCenter Server and vRealize Orchestrator are installed, you can use global permissions to give a group of users Read permissions to all objects in both object hierarchies.
- Group Membership in vsphere.local Groups
- The user of the vCenter Single Sign-On domain, administrator@vsphere.local by default, can perform tasks that are associated with services that are included with the Platform Services Controller. Members of a vsphere.local group can perform certain tasks. For example, you can perform license management if you are a member of the LicenseService.Administrators group. See the Platform Services Controller Administration documentation.
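
The permission model described under vCenter Server Permissions (one principal, one role, one object) can be audited offline once permissions are exported. The following Python is an added example, not VMware code: it resolves a user's effective privileges on an object and goes beyond this page by applying vSphere's documented inheritance rules (a permission on a child object overrides one propagated from a parent, a user permission overrides group permissions on the same object, and multiple group permissions on the same object combine). The role names, principals, inventory names and permission entries are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data; role, principal and inventory names are hypothetical.
ROLES = {  # a role is a named set of privileges
    "ReadOnly": {"System.Read", "System.View"},
    "HostMaint": {"System.Read", "System.View", "Host.Config.Maintenance"},
    "NoAccess": set(),
}
PARENT = {"esx01": "cluster-a", "cluster-a": "dc1", "dc1": "root", "root": None}
GROUPS = {"alice": {"ops", "auditors"}, "bob": {"auditors"}}

@dataclass(frozen=True)
class Permission:
    principal: str   # user or group name
    is_group: bool
    role: str
    obj: str         # object the permission is set on
    propagate: bool  # whether child objects inherit it

PERMISSIONS = [
    Permission("auditors", True, "ReadOnly", "root", True),
    Permission("ops", True, "HostMaint", "esx01", False),
    Permission("bob", False, "NoAccess", "cluster-a", True),
]

def effective_privileges(user, obj, perms=PERMISSIONS):
    """Resolve the privileges `user` holds on `obj`."""
    node = obj
    while node is not None:
        # A permission on this node counts if the node is the target or it propagates.
        here = [p for p in perms if p.obj == node and (node == obj or p.propagate)]
        direct = [p for p in here if not p.is_group and p.principal == user]
        if direct:  # user permission beats group permissions on the same object
            return set().union(*(ROLES[p.role] for p in direct))
        via_group = [p for p in here
                     if p.is_group and p.principal in GROUPS.get(user, set())]
        if via_group:  # several groups on the same object: privileges combine
            return set().union(*(ROLES[p.role] for p in via_group))
        node = PARENT[node]  # nothing applies here: inherit from the parent
    return set()

def who_has(privilege, obj):
    """Audit helper: users that hold `privilege` on `obj`."""
    return sorted(u for u in GROUPS if privilege in effective_privileges(u, obj))
```

Running `who_has` for a sensitive privilege against each host or folder shows which accounts a broad, propagating grant actually reaches and where a lower-level permission narrows it.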