After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects. You can assign the same permissions to multiple objects simultaneously by moving the objects into a folder and setting the permissions on the folder.

When you assign permissions from the vSphere Web Client, user and group names must match Active Directory precisely, including case. If you upgraded from earlier versions of vSphere, check for case inconsistencies if you experience problems with groups.


On the object whose permissions you want to modify, you must have a role that includes the Permissions.Modify permission privilege.


  1. Browse to the object for which you want to assign permissions in the vSphere Web Client object navigator.
  2. Click the Permissions tab.
  3. Click the Add icon, and click Add.
  4. Select the user or group that will have the privileges defined by the selected role.
    1. From the Domain drop-down menu, select the domain for the user or group.
    2. Type a name in the Search box or select a name from the list.
      The system searches user names, group names, and descriptions.
    3. Select the user or group and click Add.
      The name is added to either the Users or Groups list.
    4. (Optional) Click Check Names to verify that the user or group exists in the identity source.
    5. Click OK.
  5. Select a role from the Assigned Role drop-down menu.
    The roles that are assigned to the object appear in the menu. The privileges contained in the role are listed in the section below the role title.
  6. (Optional) To limit propagation, deselect the Propagate to Child Objects check box.
    The role is applied only to the selected object and does not propagate to the child objects.
  7. Click OK to add the permission.