A vCenter Single Sign-On administrator user can manage users and groups in the vsphere.local domain from the vSphere Client.

The vSphere Client presents a view of users and groups in your vSphere domain (vsphere.local by default). From this view, you can add, edit, and deactivate users. You can also add groups, and manage group membership.