ESXi grants access to objects only to users who are assigned permissions for the object. When you assign a user permission for the object, you do so by pairing the user with a role. A role is a predefined set of privileges. For more information about privileges, see the vSphere Security documentation.

ESXi hosts provide three default roles, and you cannot change the privileges associated with these roles. Each subsequent default role includes the privileges of the previous role. For example, the Administrator role inherits the privileges of the Read Only role. Roles that you create do not inherit privileges from any of the default roles.

You can create custom roles by using the role-editing functions in the VMware Host Client to create privilege sets that match your user needs. Roles that you create directly on a host are not accessible in vCenter Server. You can work with these roles only if you log in to the host directly from the VMware Host Client.

Note: When you add a custom role and do not assign any privileges to it, the role is created as a read-only role with the System.Anonymous, System.View, and System.Read system-defined privileges.

If you manage an ESXi host through vCenter Server, maintaining custom roles on both the host and vCenter Server can result in confusion and misuse. In this type of configuration, maintain custom roles only in vCenter Server.

You can create host roles and set permissions through a direct connection to the ESXi host with the VMware Host Client.
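
The following PowerCLI script is an added example, not part of the VMware documentation. It connects directly to a host, lists the host-local custom roles, and flags them when the host appears to be managed by vCenter Server. The `$EsxiHost` parameter is a placeholder, and treating a non-empty `Summary.ManagementServerIp` as "managed by vCenter Server" is an assumption of this example.

```powershell
# Added example: audit host-local custom roles over a direct ESXi connection.
param(
    [Parameter(Mandatory)] [string] $EsxiHost   # placeholder: name or IP of the ESXi host
)

Import-Module VMware.VimAutomation.Core

# Privileges a custom role receives when it is created with none assigned (see the note above).
$baseline = 'System.Anonymous', 'System.View', 'System.Read'

$conn = Connect-VIServer -Server $EsxiHost -Credential (Get-Credential)
try {
    # On a direct host connection, Get-VMHost returns the host itself.
    $vmHost    = Get-VMHost -Server $conn
    # Assumption: a non-empty management server IP means vCenter Server manages this host.
    $vcenterIp = $vmHost.ExtensionData.Summary.ManagementServerIp
    $managed   = -not [string]::IsNullOrEmpty($vcenterIp)

    # All permission assignments on the host, used to see which roles are in use.
    $permissions = Get-VIPermission -Server $conn

    # Default roles are marked IsSystem; everything else was created on the host.
    Get-VIRole -Server $conn | Where-Object { -not $_.IsSystem } | ForEach-Object {
        $role  = $_
        $extra = @($role.PrivilegeList | Where-Object { $_ -notin $baseline })
        $users = @($permissions | Where-Object { $_.Role -eq $role.Name } |
                   Select-Object -ExpandProperty Principal)

        [pscustomobject]@{
            Role               = $role.Name
            ReadOnlyEquivalent = ($extra.Count -eq 0)   # only the three baseline privileges
            ExtraPrivileges    = $extra.Count
            AssignedTo         = $users -join ', '
            Finding            = if ($managed) {
                "Host is managed by vCenter Server ($vcenterIp); maintain this role in vCenter Server only"
            } else {
                'Standalone host; role exists only on this host'
            }
        }
    } | Format-List
}
finally {
    Disconnect-VIServer -Server $conn -Confirm:$false
}
```

A custom role with `ReadOnlyEquivalent` set to `True` carries only the three system-defined privileges from the note, and a role with an empty `AssignedTo` value is not paired with any user on the host.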