The vCenter Single Sign-On domain (vsphere.local by default) includes several predefined groups. Add users to one of those groups to enable them to perform the corresponding actions.

See Managing vCenter Single Sign-On Users and Groups.

For all objects in the vCenter Server hierarchy, you can assign permissions by pairing a user and a role with the object. For example, you can select a resource pool and give a group of users read privileges to that resource pool object by giving them the corresponding role.

For some services that are not managed by vCenter Server directly, membership in one of the vCenter Single Sign-On groups determines the privileges. For example, a user who is a member of the Administrators group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.

The following groups are predefined in vsphere.local. Many of these groups are internal to vsphere.local or give users high-level administrative privileges. Add users to any of these groups only after careful consideration of the risks.

Caution: Do not delete any of the predefined groups in the vsphere.local domain. If you do, errors with authentication or certificate provisioning might result.
Table 1. Groups in the vsphere.local Domain
Privilege Description
Users Users in the vCenter Single Sign-On domain (vsphere.local by default).
SolutionUsers Solution users group for vCenter services. Each solution user authenticates individually to vCenter Single Sign-On with a certificate. By default, VMCA provisions solution users with certificates. Do not add members to this group explicitly.
CAAdmins Members of the CAAdmins group have administrator privileges for VMCA. Do not add members to this group unless you have compelling reasons.
DCAdmins Members of the DCAdmins group can perform Domain Controller Administrator actions on VMware Directory Service.
Note: Do not manage the domain controller directly. Instead, use the vmdir CLI or the vSphere Client to perform corresponding tasks.
SystemConfiguration.BashShellAdministrators A user in this group has full access to all the Appliance Management APIs. By default, a user who connects to the vCenter Server with SSH can access only commands in the restricted shell, but users in this group have Bash Shell Access over SSH and gain full privileges similar to the root user.
ActAsUsers Members of Act-As Users are allowed to get Act-As tokens from vCenter Single Sign-On.
ExternalIDPUsers This internal group is not used by vSphere. VMware vCloud Air requires this group.
SystemConfiguration.Administrators Members of the SystemConfiguration.Administrators group can view and manage the system configuration in the vCenter Server Management Interface running on port 5480. These users can view services, start and restart services, and troubleshoot services. These users can also access Appliance Management APIs except for those APIs that modify critical system configurations.
DCClients This group is used internally to allow the management node access to data in VMware Directory Service.
Note: Do not modify this group. Any changes might compromise your certificate infrastructure.
ComponentManager.Administrators Members of the ComponentManager.Administrators group can invoke component manager APIs that register or unregister services, that is, modify services. Membership in this group is not necessary for read access on the services.
LicenseService.Administrators Members of LicenseService.Administrators have full write access to all licensing-related data and can add, remove, assign, and unassign serial keys for all product assets registered in the licensing service.
Administrators Administrators of the VMware Directory Service (vmdir). Members of this group can perform vCenter Single Sign-On administration tasks. Do not add members to this group unless you have compelling reasons and understand the consequences.
TrustedAdmins Members of this group can perform VMware® vSphere Trust Authority™ configuration and administration tasks. By default, this group does not contain any members. You must add a member to this group so that you can perform vSphere Trust Authority tasks.
AutoUpdate This group is used internally for vCenter Cloud Gateway.
SyncUsers This group is used internally for vCenter Cloud Gateway.
vSphereClientSolutionUsers This group is used internally for the vSphere Client.
ServiceProviderUsers Members of this group can manage the vSphere with Tanzu and VMware Cloud on AWS infrastructure.
NsxAdministrators This group is used for NSX.
WorkloadStorage Workload storage group.
RegistryAdministrators Members of this group can manage the registry.
NsxAuditors This group is used for NSX.
NsxViAdministrators This group is used for NSX.
SystemConfiguration.SupportUsers Members of the SystemConfiguration.SupportUsers group can access the support bundle API.
SystemConfiguration.ReadOnly Members of this group can access vCenter Server Appliance read-only operations under Appliance Management.
VCLSAdmin Members of this group have administrative privileges for vSphere Cluster Services (vCLS).
AnalyticsService.Administrators This group is used for the VMware Analytics Service APIs.
vStatsGroup This group is used for vStats collection.