ESXi grants access to objects only to users who are assigned permissions for the object. When you assign a user permission for the object, you do so by pairing the user with a role.

A role is a predefined set of privileges. For more information about privileges, see the vSphere Security documentation.

ESXi hosts provide three default roles, and you cannot change the privileges associated with these roles. Each subsequent default role includes the privileges of the previous role. For example, the Administrator role inherits the privileges of the Read Only role. Roles that you create do not inherit privileges from any of the default roles.

You can create custom roles by using the role-editing functions in the VMware Host Client to create privilege sets that match your user needs. Roles that you create directly on a host are not accessible in vCenter Server. You can work with these roles only if you log in to the host directly from the VMware Host Client.

Note: When you add a custom role and do not assign any privileges to it, the role is created as a read-only role with the System.Anonymous, System.View, and System.Read system-defined privileges.

If you manage an ESXi host through vCenter Server, maintaining custom roles in both the host and vCenter Server can result in confusion and misuse. In this type of configuration, maintain custom roles only in vCenter Server.

You can create host roles and set permissions through a direct connection to the ESXi host with the VMware Host Client.

Add a Role in the VMware Host Client

You can create roles to suit the access control needs of your environment.

Prerequisites

Verify that you are logged in as a user with Administrator privileges, such as root or vpxuser.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Security & Users.
  2. Click Roles.
  3. Click Add role.
  4. Enter a name for the new role.
  5. Select privileges from the list to associate with the new role and click Add.

Update a Role in the VMware Host Client

When you edit a role, you can change the privileges selected for that role. When the edit is complete, these privileges are applied to any user or group that is assigned the edited role.

Prerequisites

Verify that you are logged in as a user with Administrator privileges, such as root or vpxuser.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Security & Users.
  2. Click Roles.
  3. Select a role from the list and click Edit role.
  4. Update the role details and click Save.

Remove a Role in the VMware Host Client

When you remove a role that is not assigned to any users or groups, the definition is removed from the list of roles. When you remove a role that is assigned to a user or group, you can remove assignments or replace them with an assignment to another role.

Caution: You must understand how users will be affected before removing all assignments or replacing them. Users who have no permissions granted to them cannot log in.

Prerequisites

Verify that you are logged in as a user with Administrator privileges, such as root or vpxuser.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Security & Users.
  2. Click Roles.
  3. Select the name of the role that you want to remove from the list.
  4. Click Remove role, select Remove only if unused, and click Yes.
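The following pre-removal check is an added example, not VMware code. It models the caution above over a constructed list of permission assignments and reports which principals would be left with no permissions if a role's assignments were removed or replaced. The principal, entity, and custom role names and the tuple format are assumptions made for illustration, not a Host Client export format.

```python
# Added illustration: models the role-removal caution on constructed data.
# The (principal, entity, role) tuples are an assumed format, not an ESXi export.
from collections import defaultdict

# Constructed sample: permission assignments on one host.
PERMISSIONS = [
    ("root", "host-root", "Administrator"),
    ("backup-svc", "host-root", "BackupOperator"),  # only assignment for this user
    ("alice", "host-root", "BackupOperator"),
    ("alice", "vm-web01", "Read Only"),
    ("auditors", "host-root", "Read Only"),
]


def removal_impact(permissions, role, replacement=None):
    """Report what removing `role` would do to the given assignments.

    replacement=None models "remove assignments"; a role name models
    "replace them with an assignment to another role".
    """
    affected = [p for p in permissions if p[2] == role]
    remaining = defaultdict(list)
    for principal, entity, assigned in permissions:
        if assigned != role:
            remaining[principal].append((entity, assigned))
        elif replacement is not None:
            remaining[principal].append((entity, replacement))
    principals = {p[0] for p in permissions}
    # Per the caution: a user left with no permissions cannot log in.
    locked_out = sorted(principals - set(remaining))
    return {
        "in_use": bool(affected),  # True means the role is not "unused"
        "affected": affected,
        "locked_out": locked_out,
    }


if __name__ == "__main__":
    for repl in (None, "Read Only"):
        report = removal_impact(PERMISSIONS, "BackupOperator", repl)
        print(f"replacement={repl}: in_use={report['in_use']}, "
              f"locked_out={report['locked_out']}")
```
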