A role is a predefined set of privileges. When you add permissions to an object, you pair a user or group with a role. vCenter Server includes some default system roles, which you cannot change.
vCenter Server provides a few default roles. You cannot change the privileges associated with the default roles. The default roles are organized as a hierarchy. Each role inherits the privileges of the previous role. For example, the Administrator role inherits the privileges of the Read Only role.
To view the privileges associated with a default role, navigate to the role in the vSphere Client () and click the Privileges tab.
To view all the vSphere privileges and descriptions, see Defined Privileges.
The vCenter Server role hierarchy also includes several sample roles. You can clone a sample role to create a similar role.
If you create a role, it does not inherit privileges from any of the system roles.
- Administrator Role
- Users with the Administrator role for an object are allowed to view and perform all actions on the object. This role also includes all privileges of the Read Only role. If you have the Administrator role on an object, you can assign privileges to individual users and groups.
- Read Only Role
- Users with the Read Only role for an object are allowed to view the state of the object and details about the object. For example, users with this role can view virtual machine, host, and resource pool attributes, but cannot view the remote console for a host. All actions through the menus and toolbars are disallowed.
- No Access Role
- Users with the No Access role for an object cannot view or change the object in any way. New users and groups are assigned this role by default. You can change the role on an object-by-object basis.
Best practice is to create a user at the root level and assign the Administrator role to that user. After creating a named user with Administrator privileges, you can remove the root user from any permissions or change its role to No Access.
