The vCenter Single Sign-On domain (vsphere.local by default) includes several predefined groups. Add users to one of those groups to enable them to perform the corresponding actions.
See Managing vCenter Single Sign-On Users and Groups.
For all objects in the vCenter Server hierarchy, you can assign permissions by pairing a user and a role with the object. For example, you can select a resource pool and give a group of users read privileges to that resource pool object by giving them the corresponding role.
For some services that are not managed by vCenter Server directly, membership in one of the vCenter Single Sign-On groups determines the privileges. For example, a user who is a member of the Administrators group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.
The following groups are predefined in vsphere.local.
Group | Description |
---|---|
Users | Users in the vCenter Single Sign-On domain (vsphere.local by default). |
SolutionUsers | Solution users are the service accounts that groups of vCenter services use. Each solution user authenticates individually to vCenter Single Sign-On with a certificate. By default, VMCA provisions solution users with certificates. Do not add members to this group explicitly. |
CAAdmins | Members of the CAAdmins group have administrator privileges for VMCA. Do not add members to this group unless you have compelling reasons. |
DCAdmins | Members of the DCAdmins group can perform Domain Controller Administrator actions on VMware Directory Service. Note: Do not manage the domain controller directly. Instead, use the vmdir CLI or the vSphere Client to perform the corresponding tasks. |
SystemConfiguration.BashShellAdministrators | This group is available only for vCenter Server Appliance deployments. A user in this group can enable and disable access to the BASH shell. By default, a user who connects to the vCenter Server Appliance with SSH can access only commands in the restricted shell. Users who are in this group can access the BASH shell. |
ActAsUsers | Members of ActAsUsers are allowed to get Act-As tokens from vCenter Single Sign-On. |
ExternalIPDUsers | This internal group is not used by vSphere. VMware vCloud Air requires this group. |
SystemConfiguration.Administrators | Members of the SystemConfiguration.Administrators group can view and manage the system configuration in the vSphere Client. These users can view, start, and restart services, troubleshoot services, see the available nodes, and manage those nodes. |
DCClients | This group is used internally to allow the management node access to data in VMware Directory Service. Note: Do not modify this group. Any changes might compromise your certificate infrastructure. |
ComponentManager.Administrators | Members of the ComponentManager.Administrators group can invoke component manager APIs that register or unregister services, that is, modify services. Membership in this group is not necessary for read access to the services. |
LicenseService.Administrators | Members of LicenseService.Administrators have full write access to all licensing-related data and can add, remove, assign, and unassign serial keys for all product assets registered in the licensing service. |
Administrators | Administrators of the VMware Directory Service (vmdir). Members of this group can perform vCenter Single Sign-On administration tasks. Do not add members to this group unless you have compelling reasons and understand the consequences. |
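Because several of these groups grant control over the SSO domain, the certificate authority, or the appliance shell, their membership is worth auditing on a schedule rather than only at provisioning time. The following PowerCLI script is an added example, not part of the VMware documentation: it lists the direct users and nested groups in each high-privilege vsphere.local group and reports anything that is not on an explicit allowlist. It uses the `Connect-SsoAdminServer`, `Get-SsoGroup` and `Get-SsoPersonUser` cmdlets from the VMware.vSphere.SsoAdmin module; the exact parameters and the `Name`/`Domain` properties on the returned objects are assumed here and should be confirmed against the module version you have installed. The allowlist values are hypothetical placeholders.

```powershell
# Added example (not from the VMware documentation): audit who holds membership
# in the high-privilege vCenter Single Sign-On groups described in the table.
# Cmdlets come from the VMware.vSphere.SsoAdmin PowerCLI module; parameter names
# and the Name/Domain properties are assumptions to verify against your version.
param(
    [Parameter(Mandatory)] [string] $Server,
    [Parameter(Mandatory)] [pscredential] $Credential,
    [string] $Domain = 'vsphere.local',
    # Certificate validation stays on unless an operator explicitly opts out.
    [switch] $SkipCertificateCheck
)

Import-Module VMware.vSphere.SsoAdmin -ErrorAction Stop

# Groups from the table whose membership should be tightly controlled.
$sensitiveGroups = @(
    'Administrators',
    'CAAdmins',
    'DCAdmins',
    'DCClients',
    'SystemConfiguration.Administrators',
    'SystemConfiguration.BashShellAdministrators',
    'ComponentManager.Administrators',
    'LicenseService.Administrators'
)

# Expected direct members as 'name@domain'. Hypothetical values: replace with the
# accounts your change records authorize. An empty list means no direct members
# are expected at all (DCClients and DCAdmins should not be managed by hand).
$allowList = @{
    'Administrators'                              = @('administrator@vsphere.local')
    'CAAdmins'                                    = @()
    'DCAdmins'                                    = @()
    'DCClients'                                   = @()
    'SystemConfiguration.Administrators'          = @('administrator@vsphere.local')
    'SystemConfiguration.BashShellAdministrators' = @()
    'ComponentManager.Administrators'             = @()
    'LicenseService.Administrators'               = @()
}

$connectArgs = @{ Server = $Server; Credential = $Credential }
if ($SkipCertificateCheck) { $connectArgs['SkipCertificateCheck'] = $true }
$conn = Connect-SsoAdminServer @connectArgs

$findings = [System.Collections.Generic.List[object]]::new()
try {
    foreach ($groupName in $sensitiveGroups) {
        # Get-SsoGroup -Name behaves as a search, so 'Administrators' can also
        # match 'SystemConfiguration.Administrators'; pin to an exact name.
        $group = Get-SsoGroup -Name $groupName -Domain $Domain -Server $conn |
                 Where-Object { $_.Name -eq $groupName }
        if (-not $group) {
            $findings.Add([pscustomobject]@{ Group = $groupName; Member = '<none>'; Kind = 'group-not-found' })
            continue
        }
        $expected = @($allowList[$groupName])

        # Direct user members.
        foreach ($user in @(Get-SsoPersonUser -Group $group -Server $conn)) {
            $id = '{0}@{1}' -f $user.Name, $user.Domain
            if ($expected -notcontains $id) {
                $findings.Add([pscustomobject]@{ Group = $groupName; Member = $id; Kind = 'unexpected-user' })
            }
        }

        # Nested groups: every member of a nested group (for example an identity
        # source group) inherits the privilege, so each one needs the same review.
        foreach ($nested in @(Get-SsoGroup -Group $group -Server $conn)) {
            $id = '{0}@{1}' -f $nested.Name, $nested.Domain
            if ($expected -notcontains $id) {
                $findings.Add([pscustomobject]@{ Group = $groupName; Member = $id; Kind = 'unexpected-nested-group' })
            }
        }
    }
}
finally {
    Disconnect-SsoAdminServer -Server $conn
}

if ($findings.Count -eq 0) {
    Write-Output "All audited $Domain groups match the allowlist."
    exit 0
}
$findings | Sort-Object Group, Kind, Member | Format-Table -AutoSize
exit 1
```

Run it from a scheduled job with a read-only SSO account (membership enumeration does not require Administrators) and treat a non-zero exit code as an alert. Feeding the `$findings` objects to your SIEM instead of `Format-Table` turns an unexpected CAAdmins or BashShellAdministrators member into a detection rather than a line in a report.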