In the VMware Host Client, permissions refer to the access roles assigned to users for various objects, such as virtual machines or ESXi hosts. The roles allow users to perform various tasks on the assigned objects.

For example, to configure memory for the host, a user must be granted a role that includes the Host.Configuration.Memory Configuration privilege. By assigning different roles to users for different objects, you can control the tasks that users can perform by using the VMware Host Client.

When connecting directly to a host with the VMware Host Client, the root and vpxuser user accounts have the same access rights as any user assigned the Administrator role on all objects.

All other users initially have no permissions on any object, which means the users cannot view or perform tasks on these objects. A user with Administrator privileges must assign permissions to these users to allow them to perform tasks.

Many tasks require permissions on more than one object. The following rules can help you determine which roles to assign to users to allow particular tasks:

  • Any task that consumes hard disk space, such as creating a virtual disk or taking a snapshot, requires the Datastore.Allocate Space privilege on the target datastore and the privilege to perform the operation itself.
  • Each host and cluster has its own implicit resource pool that contains all the resources of that host or cluster. Deploying a virtual machine directly to a host or cluster requires the Resource.Assign Virtual Machine to Resource Pool privilege.
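The two rules above can be checked before a role is handed out. The following is an added example, not VMware code: a small model that reports which privileges a user still lacks for a task that touches more than one object. The inventory, users and role names are constructed, the snapshot privilege name is an assumption (the page names only Datastore.Allocate Space), and the model assumes that the permission nearest to the object is the one that applies.

```python
# Added example: model of the multi-object privilege rules described above.
# Inventory, users and role names are constructed for illustration.
PARENT = {"vm-web01": "host", "datastore1": "host", "host": None}

SNAPSHOT_PRIV = "Virtual machine.Snapshot management.Create snapshot"  # assumed name
ALLOCATE_PRIV = "Datastore.Allocate Space"                             # from the page

ROLES = {  # constructed roles and the privileges they contain
    "SnapshotOperator": {SNAPSHOT_PRIV},
    "DatastoreConsumer": {ALLOCATE_PRIV},
}

# (user, object, role, propagate) entries, as added in the Manage permissions window
PERMISSIONS = [
    ("alice", "vm-web01", "SnapshotOperator", False),
    ("bob", "vm-web01", "SnapshotOperator", False),
    ("bob", "datastore1", "DatastoreConsumer", False),
]

def effective_privileges(user, obj, permissions=PERMISSIONS):
    """Privileges from the nearest permission that applies to obj for user."""
    node, direct = obj, True
    while node is not None:
        for u, o, role, propagate in permissions:
            # An entry on an ancestor counts only if it propagates to children.
            if u == user and o == node and (direct or propagate):
                return ROLES[role]
        node, direct = PARENT[node], False
    return set()  # no permission: the user cannot view or act on the object

def missing_for_task(user, requirements, permissions=PERMISSIONS):
    """requirements maps object -> needed privileges; returns what is lacking."""
    gaps = {}
    for obj, needed in requirements.items():
        lacking = needed - effective_privileges(user, obj, permissions)
        if lacking:
            gaps[obj] = lacking
    return gaps

# Taking a snapshot consumes disk space, so two objects are involved.
SNAPSHOT_TASK = {"vm-web01": {SNAPSHOT_PRIV}, "datastore1": {ALLOCATE_PRIV}}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, missing_for_task(user, SNAPSHOT_TASK) or "ok")
```

In this constructed data, alice holds the snapshot privilege on the virtual machine but still cannot take a snapshot, because nothing grants her Datastore.Allocate Space on the datastore.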

The list of privileges is the same for both ESXi and vCenter Server.

You can create roles and set permissions through a direct connection to the ESXi host.

Permission Validation

vCenter Server and ESXi hosts that use Active Directory regularly validate users and groups against the Windows Active Directory domain. Validation occurs whenever the host system starts and at regular intervals specified in the vCenter Server settings.

For example, if user Smith was assigned permissions and the user’s name was then changed to Smith2 in the domain, the host concludes that Smith no longer exists and removes permissions for that user when the next validation occurs.

Similarly, if user Smith is removed from the domain, all permissions are removed when the next validation occurs. If a new user Smith is added to the domain before the next validation occurs, the new user Smith receives all the permissions the old user Smith was assigned.
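Because validation matches on the account name, a re-created account is indistinguishable from the original. The following added example (not VMware code) models the behavior described above and shows an audit that catches the name-reuse case by comparing against a stable identifier. The SIDs, the object names and the `GRANTED_TO` record kept by the administrator are constructed assumptions.

```python
# Added example: simplified model of name-based permission validation.
# Names, SIDs and the grant-time record are constructed for illustration.

def validate(permissions, directory):
    """Keep only entries whose principal name still exists in the domain."""
    return [p for p in permissions if p["principal"] in directory]

def audit(permissions, granted_to, directory):
    """Compare each entry with the SID recorded when it was granted.

    granted_to: {principal name: SID at grant time} (record kept by the admin)
    directory:  {principal name: current SID} (snapshot of the domain)
    """
    findings = []
    for p in permissions:
        name = p["principal"]
        if name not in directory:
            findings.append((name, p["object"], "missing: removed at next validation"))
        elif directory[name] != granted_to[name]:
            findings.append((name, p["object"], "name reused by a different account"))
    return findings

PERMISSIONS = [
    {"principal": "Smith", "object": "host", "role": "Administrator"},
    {"principal": "Jones", "object": "vm-web01", "role": "Read-only"},
]
GRANTED_TO = {
    "Smith": "S-1-5-21-111-222-333-1001",
    "Jones": "S-1-5-21-111-222-333-1002",
}

# Case 1: Smith renamed to Smith2, so the name Smith no longer resolves.
RENAMED = {
    "Smith2": "S-1-5-21-111-222-333-1001",
    "Jones": "S-1-5-21-111-222-333-1002",
}
# Case 2: Smith deleted and a new Smith created before validation ran.
RECREATED = {
    "Smith": "S-1-5-21-111-222-333-1077",
    "Jones": "S-1-5-21-111-222-333-1002",
}

if __name__ == "__main__":
    print(validate(PERMISSIONS, RENAMED))      # Smith's entry is dropped
    print(validate(PERMISSIONS, RECREATED))    # new Smith keeps Administrator
    print(audit(PERMISSIONS, GRANTED_TO, RECREATED))
```

Name-based validation passes the re-created Smith unchanged, while the audit flags the entry so it can be reviewed and removed before the new account uses it.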

Assign Permissions to a User for an ESXi Host in the VMware Host Client

To perform particular activities on an ESXi host, a user must have permissions that are associated with a particular role. In the VMware Host Client, you can assign roles to users and give the users the permissions necessary to perform various tasks on the host.

Procedure

  1. Right-click Host in the VMware Host Client inventory and click Permissions.
    The Manage permissions window appears.
  2. Click Add user.
  3. Click the arrow next to the Select a user text box and select the user that you want to assign a role to.
  4. Click the arrow next to the Select a role text box and select a role from the list.
  5. (Optional) Select Propagate to all children or Add as group.
    If you set a permission at a vCenter Server level and propagate it to the children objects, the permission applies to data centers, folders, clusters, hosts, virtual machines, and other objects in the vCenter Server instance.
  6. Click Add user and click Close.

Remove Permissions for a User in the VMware Host Client

Removing a permission for a user does not remove the user from the list of users available. It also does not remove the role from the list of available items. It removes the user and role pair from the selected inventory object.

Procedure

  1. Right-click Host in the VMware Host Client inventory and click Permissions.
    The Manage permissions window appears.
  2. Select a user from the list and click Remove user.
  3. Click Close.

Assign User Permissions for a Virtual Machine in the VMware Host Client

Assign a role to a particular user to give that user permissions to perform specific tasks on a virtual machine.

Procedure

  1. Click Virtual Machines in the VMware Host Client inventory.
  2. Right-click a virtual machine from the list and select Permissions.
    The Manage permissions window appears.
  3. Click Add user.
  4. Click the arrow next to the Select a user text box and select the user that you want to assign a role for.
  5. Click the arrow next to the Select a role text box and select a role from the list.
  6. (Optional) Select Propagate to all children.
    If you set a permission at a vCenter Server level and propagate it to the children objects, the permission applies to data centers, folders, clusters, hosts, virtual machines, and similar objects in the vCenter Server instance.
  7. Click Add user and click Close.

Remove Permissions for a Virtual Machine in the VMware Host Client

To make a user unable to perform tasks on a particular virtual machine, remove the permissions of the user for that virtual machine.

Removing a permission for a user does not remove the user from the list of users available. It also does not remove the role from the list of available items. It removes the user and role pair from the selected inventory object.

Procedure

  1. Click Virtual Machines in the VMware Host Client inventory.
  2. Right-click a virtual machine from the list and select Permissions.
    The Manage permissions window appears.
  3. Select a user from the list and click Remove user.
  4. Click Close.