Using vCenter Server Roles to Assign Privileges

In vCenter Server, a role is a predefined set of privileges that defines rights to perform actions and read properties. You create permissions by assigning a role to a user or group for an object. vCenter Server provides system roles and sample roles by default. You can also create custom roles.

Assigning Permissions in vCenter Server

When you assign permissions in vCenter Server, you pair a user or group with a role, and associate that pairing with an inventory object. For example, you can use the Virtual machine user sample role to allow a user to read and change virtual machine attributes.

A single user or group can have different roles for different objects in the inventory. For example, assume that you have two resource pools in your inventory, Pool A and Pool B. You can assign group Sales the Virtual machine user sample role on Pool A, and the Read-only role on Pool B. With these assignments, the users in group Sales can turn on virtual machines in Pool A, but can only view virtual machines in Pool B.

Users can schedule tasks only if they have a role that includes privileges to perform that task at the time the task is created.

What Are the Predefined vCenter Server Roles

vCenter Server provides predefined roles, as shown in the following table.

Table 1. Predefined vCenter Server Roles
Role Type	Role Names	Description
System	Administrator, Read-only, and No access.	System roles are permanent. You cannot delete system roles nor can you edit the privileges associated with these roles. The system roles are organized as a hierarchy. Each role inherits the privileges of the previous role. For example, the Administrator role inherits the privileges of the Read-only role. See the following section for more details on system roles.
Sample	vSphere provides a number of sample roles, for example, AutoUpdateUser, Resource pool administrator, and Virtual machine user.	vSphere provides sample roles for certain frequently performed combination of tasks. You can clone, modify, or remove these roles. Note: To avoid losing the predefined settings in a sample role, clone the role first and make modifications to the clone. You cannot reset the sample to its default settings.

To view the privileges associated with a role, navigate to the role in the vSphere Client (Menu > Administration > Roles) and click the Privileges tab.

To view all the vSphere privileges and descriptions, see Defined Privileges.

Note: Changes to roles and privileges take effect immediately, even if the users involved are logged in. The exception is searches, where changes take effect after the user has logged out and logged back in.

vCenter Server System Roles

System roles cannot be altered or deleted.

Administrator Role: Users with the Administrator role for an object are allowed to view and perform all actions on the object. This role also includes all privileges of the Read Only role. If you have the Administrator role on an object, you can assign privileges to individual users and groups.; If you are acting in the Administrator role in vCenter Server, you can assign privileges to users and groups in the default vCenter Single Sign-On identity source. See the vSphere Authentication documentation for supported identity services.; By default, the [email protected] user has the Administrator role on both vCenter Single Sign-On and vCenter Server after installation. That user can then associate other users with the Administrator role on vCenter Server.
Tip: Best practice is to create a user at the root level and assign the Administrator role to that user. After creating a named user with Administrator privileges, you can remove the root user from any permissions or change its role to No Access.
Read Only Role: Users with the Read Only role for an object are allowed to view the state of the object and details about the object. For example, users with this role can view virtual machine, host, and resource pool attributes, but cannot view the remote console for a host. All actions through the menus and toolbars are disallowed.
No Access Role: Users with the No Access role for an object cannot view or change the object in any way. New users and groups are assigned this role by default. You can change the role on an object-by-object basis.; The administrator of the vCenter Single Sign-On domain, [email protected] by default, the root user, and vpxuser are assigned the Administrator role by default. Other users are assigned the No Access role by default.

Custom Roles in vCenter Server and ESXi

You can create custom roles for vCenter Server and all objects that it manages, or for individual hosts.

vCenter Server Custom Roles (Recommended): Create custom roles by using the role-editing facilities in the vSphere Client to create privilege sets that match your needs.
ESXi Custom Roles: You can create custom roles for individual hosts by using a CLI or the VMware Host Client. See the vSphere Single Host Management - VMware Host Client documentation. Custom host roles are not accessible from vCenter Server.; If you manage ESXi hosts through vCenter Server, do not maintain custom roles in both the host and vCenter Server. Define roles at the vCenter Server level.

When you manage a host using vCenter Server, the permissions associated with that host are created through vCenter Server and stored on vCenter Server. If you connect directly to a host, only the roles that are created directly on the host are available.

Note: When you add a custom role and do not assign any privileges to it, the role is created as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read. These privileges are not visible in the vSphere Client but are used to read certain properties of some managed objects. All the predefined roles in vCenter Server contain these three system-defined privileges. See the vSphere Web Services API documentation for more information.

Create a vCenter Server Custom Role

To suit the access control needs of your environment, you can create vCenter Server custom roles. You can create a role or clone an existing role.

You can create or edit a role on a vCenter Server system that is part of the same vCenter Single Sign-On domain as other vCenter Server systems. The VMware Directory Service (vmdir) propagates the role changes that you make to all other vCenter Server systems in the group. Assignments of roles to specific users and objects are not shared across vCenter Server systems.

Prerequisites

Verify that you have Administrator privileges on the vCenter Server system where you create the role.

Procedure

Log in to the vCenter Server by using the vSphere Client.
Select Administration and click Roles in the Access Control area.

Create the role.

Option	Description
To create a role	Click New. Enter a name for the new role. Select and deselect privileges for the role. Scroll the privilege categories and select all privileges or a subset of privileges for that category. You can show all, selected, or unselected categories. You can also show all, selected, or unselected privileges. See Defined Privileges for more information. Click Create.
To create the role by cloning	Select a role, and click Clone. Enter a name for the role. Click OK. Note: When creating a cloned role, you cannot change privileges. To change privileges, select the cloned role and click Edit.

What to do next

You can now create permissions by selecting an object and assigning the role to a user or group for that object.