You authorize a user or group to perform tasks on vCenter objects by using permissions on the object.

vSphere 6.0 and later allows privileged users to give other users permissions to perform tasks. You can use global permissions, or you can use local vCenter Server permissions to authorize other users for individual vCenter Server instances.

vCenter Server Permissions

The permission model for vCenter Server systems relies on assigning permissions to objects in the object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for a selected object. For example, you can select an ESXi host in the object hierarchy and assign a role to a group of users. That role gives those users the corresponding privileges on that host.

Global Permissions

Global permissions are applied to a global root object that spans solutions. For example, if both vCenter Server and vRealize Orchestrator are installed, you can use global permissions to give a group of users Read permissions to all objects in both object hierarchies.

Global permissions are replicated across the vsphere.local domain. Global permissions do not provide authorization for services managed through vsphere.local groups. See Global Permissions.

Group Membership in vsphere.local Groups

The administrator user of the vCenter Single Sign-On domain, administrator@vsphere.local by default, can perform tasks that are associated with services that are included with the Platform Services Controller. Members of a vsphere.local group can perform certain tasks. For example, you can perform license management if you are a member of the LicenseService.Administrators group. See the Platform Services Controller Administration documentation.

ESXi Local Host Permissions

If you are managing a standalone ESXi host that is not managed by a vCenter Server system, you can assign one of the predefined roles to users. See the vSphere Single Host Management - VMware Host Client documentation.

For managed hosts, assign roles to the ESXi host object in the vCenter Server inventory.
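
The following VMware PowerCLI script is an added example, not part of the original documentation. It applies the model described under vCenter Server Permissions to a managed host: it creates a narrow role, grants it to a group on a single ESXi host object, and lists the resulting permissions for review. The server, host, group, and role names are hypothetical placeholders.

```powershell
# Added example. All names below are hypothetical placeholders.
$Server    = 'vcenter.example.com'
$HostName  = 'esxi01.example.com'
$Principal = 'EXAMPLE\HostOperators'      # a group, not an individual user
$RoleName  = 'Host-Maintenance-Only'

Connect-VIServer -Server $Server | Out-Null
try {
    # A role is a named set of privileges. Create it only if it is missing,
    # and include only the privilege the group needs.
    $role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $privileges = Get-VIPrivilege -Id 'Host.Config.Maintenance'
        $role = New-VIRole -Name $RoleName -Privilege $privileges
    }

    # A permission pairs one principal with one role on one inventory object.
    $vmhost = Get-VMHost -Name $HostName -ErrorAction Stop

    # Look for a permission already defined directly on this host object.
    $existing = Get-VIPermission -Entity $vmhost -Principal $Principal `
                    -ErrorAction SilentlyContinue |
                Where-Object { $_.EntityId -eq $vmhost.Id }

    if (-not $existing) {
        New-VIPermission -Entity $vmhost -Principal $Principal `
            -Role $role -Propagate:$false | Out-Null
    }
    elseif ($existing.Role -ne $role.Name) {
        # The group already holds a different role here: replace it
        # instead of stacking a second assignment.
        Set-VIPermission -Permission $existing -Role $role | Out-Null
    }

    # Review step: show who holds which role on this host.
    Get-VIPermission -Entity $vmhost |
        Select-Object Principal, Role, IsGroup, Propagate, Entity |
        Format-Table -AutoSize
}
finally {
    Disconnect-VIServer -Server $Server -Confirm:$false
}
```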