The vCenter Single Sign-On domain (vsphere.local by default) includes several predefined groups. Add users to one of those groups to enable them to perform the corresponding actions.
See Managing vCenter Single Sign-On Users and Groups.
For all objects in the vCenter Server hierarchy, you can assign permissions by pairing a user and a role with the object. For example, you can select a resource pool and give a group of users read privileges to that resource pool object by giving them the corresponding role.
For some services that are not managed by vCenter Server directly, membership in one of the vCenter Single Sign-On groups determines the privileges. For example, a user who is a member of the Administrators group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.
The following groups are predefined in vsphere.local. Many of these groups are internal to vsphere.local or give users high-level administrative privileges. Add users to any of these groups only after careful consideration of the risks.
| Privilege | Description |
|---|---|
| Users | Users in the vCenter Single Sign-On domain (vsphere.local by default). |
| SolutionUsers | Solution users group for vCenter services. Each solution user authenticates individually to vCenter Single Sign-On with a certificate. By default, VMCA provisions solution users with certificates. Do not add members to this group explicitly. |
| CAAdmins | Members of the CAAdmins group have administrator privileges for VMCA. Do not add members to this group unless you have compelling reasons. |
| DCAdmins | Members of the DCAdmins group can perform Domain Controller Administrator actions on VMware Directory Service.
Note: Do not manage the domain controller directly. Instead, use the
vmdir CLI or the
vSphere Client to perform corresponding tasks.
|
| SystemConfiguration.BashShellAdministrators | A user in this group has full access to all the Appliance Management APIs. By default, a user who connects to the vCenter Server with SSH can access only commands in the restricted shell, but users in this group have Bash Shell Access over SSH and gain full privileges similar to the root user. |
| ActAsUsers | Members of Act-As Users are allowed to get Act-As tokens from vCenter Single Sign-On. |
| ExternalIDPUsers | This internal group is not used by vSphere. VMware vCloud Air requires this group. |
| SystemConfiguration.Administrators | Members of the SystemConfiguration.Administrators group can view and manage the system configuration in the vCenter Server Management Interface running on port 5480. These users can view services, start and restart services, and troubleshoot services. These users can also access Appliance Management APIs except for those APIs that modify critical system configurations. |
| DCClients | This group is used internally to allow the management node access to data in VMware Directory Service.
Note: Do not modify this group. Any changes might compromise your certificate infrastructure.
|
| ComponentManager.Administrators | Members of the ComponentManager.Administrators group can invoke component manager APIs that register or unregister services, that is, modify services. Membership in this group is not necessary for read access on the services. |
| LicenseService.Administrators | Members of LicenseService.Administrators have full write access to all licensing-related data and can add, remove, assign, and unassign serial keys for all product assets registered in the licensing service. |
| Administrators | Administrators of the VMware Directory Service (vmdir). Members of this group can perform vCenter Single Sign-On administration tasks. Do not add members to this group unless you have compelling reasons and understand the consequences. |
| TrustedAdmins | Members of this group can perform VMware® vSphere Trust Authority™ configuration and administration tasks. By default, this group does not contain any members. You must add a member to this group so that you can perform vSphere Trust Authority tasks. |
| AutoUpdate | This group is used internally for vCenter Cloud Gateway. |
| SyncUsers | This group is used internally for vCenter Cloud Gateway. |
| vSphereClientSolutionUsers | This group is used internally for the vSphere Client. |
| ServiceProviderUsers | Members of this group can manage the vSphere with Tanzu and VMware Cloud on AWS infrastructure. |
| NsxAdministrators | This group is used for NSX. |
| WorkloadStorage | Workload storage group. |
| RegistryAdministrators | Members of this group can manage the registry. |
| NsxAuditors | This group is used for NSX. |
| NsxViAdministrators | This group is used for NSX. |
| SystemConfiguration.SupportUsers | Members of the SystemConfiguration.SupportUsers group can access the support bundle API. |
| SystemConfiguration.ReadOnly | Members of this group can access vCenter Server Appliance read-only operations under Appliance Management. |
| VCLSAdmin | Members of this group have administrative privileges for vSphere Cluster Services (vCLS). |
| AnalyticsService.Administrators | This group is used for the VMware Analytics Service APIs. |
| vStatsGroup | This group is used for vStats collection. |
