You authorize a user or group to perform tasks on vCenter objects by using permissions on the object.
- vCenter Server Permissions
- The permission model for vCenter Server systems relies on assigning permissions to objects in the object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for a selected object. For example, you can select an ESXi host in the object hierarchy and assign a role to a group of users. That role gives those users the corresponding privileges on that host.
- Global Permissions
- Global permissions are applied to a global root object that spans solutions. For example, if both vCenter Server and vRealize Orchestrator are installed, you can use global permissions to give a group of users Read permissions to all objects in both object hierarchies.
- Global permissions are replicated across the vsphere.local domain. Global permissions do not provide authorization for services managed through vsphere.local groups. See Global Permissions.
- Group Membership in vsphere.local Groups
- The user of the vCenter Single Sign-On domain, email@example.com by default, can perform tasks that are associated with services that are included with the Platform Services Controller. Members of a vsphere.local group can perform certain tasks. For example, you can perform license management if you are a member of the LicenseService.Administrators group. See the Platform Services Controller Administration documentation.
- ESXi Local Host Permissions
- If you are managing a standalone ESXi host that is not managed by a vCenter Server system, you can assign one of the predefined roles to users. See the vSphere Single Host Management - VMware Host Client documentation.
- For managed hosts, assign roles to the ESXi host object in the vCenter Server inventory.
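
As an added example that is not part of the original page: PowerCLI that assigns a role to a group on one managed ESXi host object, as described under vCenter Server Permissions and for managed hosts above, and then lists which principals hold which role on that host. The server, host and group names are placeholders, and the ReadOnly role and the non-propagating setting are choices made for this example.

```powershell
# Added example, not VMware's own code. Requires the VMware PowerCLI module
# and an account allowed to modify permissions on the host object.
Import-Module VMware.VimAutomation.Core

# Placeholders: replace with values from your own environment.
$vcenter   = 'vcenter.example.test'
$hostName  = 'esxi01.example.test'
$principal = 'EXAMPLE\HostOperators'   # group that receives the role
$roleName  = 'ReadOnly'                # least-privilege choice for this example

Connect-VIServer -Server $vcenter | Out-Null
try {
    $vmhost = Get-VMHost -Name $hostName -ErrorAction Stop
    $role   = Get-VIRole -Name $roleName -ErrorAction Stop

    # A permission pairs one principal with one role on one inventory object.
    # Only create it if the group has no permission defined directly on this host.
    $direct = Get-VIPermission -Entity $vmhost -Principal $principal -ErrorAction SilentlyContinue |
        Where-Object { $_.EntityId -eq $vmhost.Id }

    if (-not $direct) {
        # Propagate $false keeps the grant on the host object itself and
        # does not extend it to child objects such as virtual machines.
        New-VIPermission -Entity $vmhost -Principal $principal -Role $role -Propagate $false |
            Out-Null
    }

    # Review what is now in effect on the host. Entries whose EntityId differs
    # from the host's Id were defined on another object in the hierarchy.
    Get-VIPermission -Entity $vmhost |
        Select-Object Principal, Role, IsGroup, Propagate,
            @{ Name = 'DefinedOn'; Expression = { $_.Entity.Name } },
            @{ Name = 'Inherited'; Expression = { $_.EntityId -ne $vmhost.Id } } |
        Sort-Object Inherited, Principal |
        Format-Table -AutoSize
}
finally {
    Disconnect-VIServer -Server $vcenter -Confirm:$false
}
```

Reviewing the listing after each change shows whether a broader role on the same host is already granted to the group from a parent object, in which case the host-level grant adds nothing.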