For ESXi, permissions are defined as access roles that consist of a user and the role assigned to that user for an object, such as a virtual machine or ESXi host. Permissions grant users the right to perform the activities specified by the role on the object to which the role is assigned.

For example, to configure memory for the host, a user must be granted a role that includes the Host.Configuration.Memory Configuration privilege. By assigning different roles to users for different objects, you can control the tasks that users can perform by using the VMware Host Client.

When connecting directly to a host with the VMware Host Client, the root and vpxuser user accounts have the same access rights as any user assigned the Administrator role on all objects.

All other users initially have no permissions on any object, which means the users cannot view or perform tasks on these objects. A user with Administrator privileges must assign permissions to these users to allow them to perform tasks.

Many tasks require permissions on more than one object. The following rules can help you determine which roles to assign to users to allow particular tasks:

  • Any task that consumes hard disk space, such as creating a virtual disk or taking a snapshot, requires the Datastore.Allocate Space privilege on the target datastore and the privilege to perform the operation itself.
  • Each host and cluster has its own implicit resource pool that contains all the resources of that host or cluster. Deploying a virtual machine directly to a host or cluster requires the Resource.Assign Virtual Machine to Resource Pool privilege.
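The following added example (not VMware code) models the rules above as a least-privilege gap check: given a set of user/role/object permissions, it reports which privileges a user still lacks for a task that spans several objects. The role names, object names and the snapshot privilege name are assumptions for illustration; the other two privilege names are the ones used on this page. Permission propagation to child objects is not modeled.

```python
# Added example: a simplified model of ESXi permission evaluation.
ALLOC = "Datastore.Allocate Space"                           # named on this page
ASSIGN = "Resource.Assign Virtual Machine to Resource Pool"  # named on this page
SNAP = "Virtual machine.Snapshot management.Create snapshot"  # assumed name

# On a direct host connection these accounts act as Administrator on all objects.
ADMIN_ACCOUNTS = {"root", "vpxuser"}

# Hypothetical custom roles and the privileges each one contains.
ROLES = {
    "SnapshotOperator": {SNAP},
    "DatastoreConsumer": {ALLOC},
    "VMDeployer": {ASSIGN},
}

# Task -> (object kind, privilege required on that object).
# Only the requirements this page describes are listed.
TASKS = {
    "take_snapshot": [("vm", SNAP), ("datastore", ALLOC)],
    "deploy_vm_to_host": [("host", ASSIGN)],
}

# Constructed sample data: (user, role, object) permission triples.
SAMPLE_PERMISSIONS = [
    ("alice", "SnapshotOperator", "vm-web01"),
    ("bob", "SnapshotOperator", "vm-web01"),
    ("bob", "DatastoreConsumer", "datastore1"),
]


def missing_privileges(user, task, targets, permissions):
    """Return the (object, privilege) pairs the user lacks for the task.

    targets maps each object kind the task touches to a concrete object name.
    An empty list means every required privilege is granted.
    """
    if user in ADMIN_ACCOUNTS:
        return []
    missing = []
    for kind, privilege in TASKS[task]:
        obj = targets[kind]
        granted = set()
        # A user may hold several roles on the same object; union them.
        for perm_user, role, perm_obj in permissions:
            if perm_user == user and perm_obj == obj:
                granted |= ROLES[role]
        if privilege not in granted:
            missing.append((obj, privilege))
    return missing
```

In the sample data, alice holds the snapshot privilege on the virtual machine but cannot take a snapshot, because she has no role on the datastore that would store it.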

The list of privileges is the same for both ESXi and vCenter Server.

You can create roles and set permissions through a direct connection to the ESXi host.