Usually, you give privileges to users by assigning permissions to ESXi host objects that are managed by a vCenter Server system. If you are using a standalone ESXi host, you can assign privileges directly.

Assigning Permissions to ESXi Hosts That Are Managed by vCenter Server

If your ESXi host is managed by a vCenter Server, perform management tasks through the vSphere Client.

You can select the ESXi host object in the vCenter Server object hierarchy and assign the administrator role to a limited number of users. Those users can then perform direct management on the ESXi host. See Using vCenter Server Roles to Assign Privileges.

Best practice is to create at least one named user account, assign it full administrative privileges on the host, and use this account instead of the root account. Set a highly complex password for the root account and limit the use of the root account. Do not remove the root account.

Assigning Permissions to Standalone ESXi Hosts

You can add local users and define custom roles from the Management tab of the VMware Host Client. See the vSphere Single Host Management - VMware Host Client documentation.

For all versions of ESXi, you can see the list of predefined users in the /etc/passwd file.

The following roles are predefined.

Read Only
Allows a user to view objects associated with the ESXi host but not to make any changes to objects.
Administrator
Administrator role.
No Access
No access. This role is the default role. You can override the default role.

You can manage local users and groups and add local custom roles to an ESXi host using a VMware Host Client connected directly to the ESXi host. See the vSphere Single Host Management - VMware Host Client documentation.

In vSphere 6.0 and later, you can use ESXCLI account management commands for managing ESXi local user accounts. You can use ESXCLI permission management commands for setting or removing permissions on both Active Directory accounts (users and groups) and on ESXi local accounts (users only).

Note: If you define a user for the ESXi host by connecting to the host directly, and a user with the same name also exists in vCenter Server, those users are different. If you assign a role to the ESXi user, the vCenter Server user is not assigned the same role.

Predefined ESXi Users and Privileges

If your environment does not include a vCenter Server system, the following users are predefined.

root User

By default each ESXi host has a single root user account with the Administrator role. That root user account can be used for local administration and to connect the host to vCenter Server.

Assigning root user privileges can make it easier to break into an ESXi host because the name is already known. Having a common root account also makes it harder to match actions to users.

For better auditing, create individual accounts with Administrator privileges. Set a highly complex password for the root account and limit the use of the root account, for example, for use when adding a host to vCenter Server. Do not remove the root account. For more information about assigning permissions to a user for an ESXi host, see vSphere Single Host Management - VMware Host Client documentation.

Best practice is to ensure that any account with the Administrator role on an ESXi host is assigned to a specific user with a named account. Use ESXi Active Directory capabilities, which allow you to manage Active Directory credentials.
Important: You can remove the access privileges for the root user. However, you must first create another permission at the root level that has a different user assigned to the Administrator role.
vpxuser User
vCenter Server uses vpxuser privileges when managing activities for the host.

The vCenter Server administrator can perform most of the same tasks on the host as the root user and also schedule tasks, work with templates, and so forth. However, the vCenter Server administrator cannot directly create, delete, or edit local users and groups for hosts. Only a user with Administrator privileges can perform these tasks directly on a host.

You cannot manage the vpxuser user using Active Directory.

Caution: Do not change the vpxuser user in any way. Do not change its password. Do not change its permissions. If you do so, you might experience problems when working with hosts through vCenter Server.
dcui User
The dcui user runs on hosts and acts with Administrator rights. This user’s primary purpose is to configure hosts for lockdown mode from the Direct Console User Interface (DCUI).

This user acts as an agent for the direct console and cannot be modified or used by interactive users.

Deactivating Shell Access for non-root ESXi Users

In vSphere 8.0 and later, you can deactivate shell access for non-root ESXi users, such as the predefined vpxuser and dcui users. By deactivating shell access, you can enhance security by enforcing an "API only" stance for these users.

To deactivate shell access, you can use the esxcli system account set --id user --shell-access false command. The corresponding API is LocalAccountManager.updateUser. You can also use the VMware Host Client to change the Enable Shell Access flag of ESXi local users.

Note: When you deactivate the shell access for a user with administrative access, by virtue of being denied shell access, that user cannot grant shell access to other users, or change the passwords of users that have shell access. Other permissions, such as host profiles, will still allow users such as vpxuser and dcui to change passwords of other users.

When making changes of this kind, verify that they do not break existing third-party workflows.