A permission is set on an object in the vCenter Server object hierarchy. Each permission associates the object with a group or user and the group's or user's access role. For example, you can select a virtual machine object, add one permission that gives the ReadOnly role to Group 1, and add a second permission that gives the Administrator role to User 2.

By assigning a different role to a group of users on different objects, you control the tasks that those users can perform in your vSphere environment. For example, to allow a group to configure memory for the host, select that host and add a permission that grants a role to that group that includes the Host.Configuration.Memory Configuration privilege.

For conceptual information about permissions, see the discussion in Understanding the Object-Level Permission Model.

You can assign permissions to objects at different levels of the hierarchy, for example, you can assign permissions to a host object or to a folder object that includes all host objects. See Hierarchical Inheritance of Permissions in vSphere. You can also assign propagating permissions to a global root object to apply the permissions to all object in all solutions. See Using vCenter Server Global Permissions.

Add a Permission to an Inventory Object

After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects. You can assign the same propagating permissions to multiple objects simultaneously by moving the objects into a folder and setting the permissions on the folder.

When you assign permissions, the user and the group names must match Active Directory precisely, including case. If you upgraded from earlier versions of vSphere, check for case inconsistencies if you experience problems with groups.


On the object whose permissions you want to modify, you must have a role that includes the Permissions.Modify permission privilege.


  1. Browse to the object for which you want to assign permissions in the vSphere Client object navigator.
  2. Click the Permissions tab.
  3. Click Add.
  4. (Optional) If you have configured an external identity provider for federated authentication, the domain of that identity provider is available to select in the Domain drop-down menu.
  5. If you select VMware ID from the Domain drop-down menu, enter the user or group name.

    Enter the email address of the CSP account in the Username field. CSP accounts cannot be searched for in the VMwareID domain.

  6. Select the user or group that will have the privileges defined by the selected role.
    1. From the Domain drop-down menu, select the domain for the user or group.
    2. Enter a name in the Search box.
      The system searches user names and group names.
    3. Select the user or group.
  7. Select a role from the Role drop-down menu.
  8. (Optional) To propagate the permissions, select the Propagate to children check box.
    The role is applied to the selected object and propagates to the child objects.
  9. Click OK.

Change or Remove Permissions on an Inventory Object

After a user or group and role pair is set for an inventory object, you can change the role paired with the user or group or change the setting of the Propagate to children check box. You can also remove the permission setting.


  1. Browse to the object in the vSphere Client object navigator.
  2. Click the Permissions tab.
  3. Click a row to select a permission.
    Task Steps
    Change permissions
    1. Click Edit.
    2. Select a role for the user or group from the Role drop-down menu.
    3. Toggle the Propagate to children check box to change permission inheritance.
    4. Click OK.
    Remove permissions
    1. Click Delete.
    2. Click Remove.

Change vCenter Server User Validation Settings

vCenter Server periodically validates its user and group lists against the users and groups in the user directory. It then removes users or groups that no longer exist in the domain. You can deactivate validation or change the interval between validations. If you have domains with thousands of users or groups, or if searches take a long time to complete, consider adjusting the search settings.

These settings apply to vCenter Single Sign-On identity sources, and not an external identity source, such as Active Directory, that might be associated with vCenter Server.

Note: This procedure applies only to vCenter Server user lists. You cannot search ESXi user lists in the same way.


  1. Browse to the vCenter Server system in the vSphere Client object navigator.
  2. Select Configure and click Settings > General.
  3. Click Edit and select User directory.
  4. Change the values as needed and click Save.
    Option Description
    User directory timeout Timeout interval, in seconds, for searching this vCenter Server installation.
    Query limit Toggle on to set a maximum number of users and groups that vCenter Server displays.
    Query limit size Maximum number of users and groups from the selected domain that vCenter Server displays in the Select Users or Groups dialog box. If you enter 0 (zero), all users and groups appear.