Many tasks require permissions on multiple objects in the vSphere inventory. If the user who attempts to perform the task only has privileges on one object, the task cannot complete successfully.
The following table lists common tasks that require more than one privilege. You can add permissions to inventory objects by pairing a user with one of the predefined roles or with multiple privileges. If you expect that you must assign a set of privileges multiple times, create custom roles. To learn more about required privileges for common tasks, see Privilege Recorder.
Refer to the vSphere Web Services API Reference documentation to learn how operations in the vSphere Client user interface map to API calls, and what privileges are required to perform operations. For example, the API documentation for the AddHost_Task(addHost) method specifies that the Host.Inventory.AddHostToCluster privilege is required to add a host to a cluster.
If the task that you want to perform is not in this table, the following rules explain where you must assign permissions to allow particular operations:
- Any operation that consumes storage space requires the privilege on the target datastore, and the privilege to perform the operation itself. You must have these privileges, for example, when creating a virtual disk or taking a snapshot.
- Moving an object in the inventory hierarchy requires appropriate privileges on the object itself, the source parent object (such as a folder or cluster), and the destination parent object.
- Each host and cluster has its own implicit resource pool that contains all the resources of that host or cluster. Deploying a virtual machine directly to a host or cluster requires the privilege.
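The rules above, and the table's pattern of one privilege per inventory object a task touches, can be checked before a permission is granted. The script below is an added example, not VMware code or any vSphere API: it models a small constructed inventory and vSphere's permission semantics (a permission on an ancestor applies only with propagate set, and an explicit permission on a child overrides anything propagated from above), then reports the (object, privilege) pairs a user still lacks for a "Create a virtual machine" task. The object names, role contents and dotted privilege IDs are illustrative placeholders, not a copy of the real privilege catalogue.

```python
"""Least-privilege check for a multi-object vSphere task (constructed model)."""
from dataclasses import dataclass

# Constructed inventory: child -> parent, None for the root. Names are hypothetical.
PARENT = {
    "dc1": None,          # data center
    "cl1": "dc1",         # cluster (carries the implicit resource pool)
    "esx1": "cl1",        # host
    "vm-folder": "dc1",   # folder of virtual machines
    "ds1": "dc1",         # datastore
    "net1": "dc1",        # network
}

# Roles as sets of privilege IDs; "*" stands for every privilege (Administrator).
# The IDs are placeholders in vSphere's dotted style, simplified for the example.
ROLES = {
    "Administrator": {"*"},
    "ResourcePoolAdministrator": {"Resource.AssignVMToPool", "VirtualMachine.Inventory.Create"},
    "DatastoreConsumer": {"Datastore.AllocateSpace"},
    "NetworkConsumer": {"Network.Assign"},
    "ReadOnly": set(),
}

@dataclass(frozen=True)
class Permission:
    principal: str   # user or group name
    role: str
    propagate: bool  # whether the permission flows down to child objects

def ancestors(obj):
    """Yield obj itself, then each ancestor up to the root."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]

def effective_privileges(user, groups, obj, permissions):
    """Privileges `user` holds on `obj`.

    Walk from the object toward the root. The nearest level carrying a
    permission for the user or one of its groups decides, because an explicit
    permission on a child overrides anything propagated from a parent. On
    ancestors only propagating permissions count; on the object itself all do.
    """
    principals = {user, *groups}
    for level, node in enumerate(ancestors(obj)):
        matching = [p for p in permissions.get(node, [])
                    if p.principal in principals and (level == 0 or p.propagate)]
        if matching:
            privs = set()
            for p in matching:          # several matching permissions are unioned
                privs |= ROLES[p.role]
            return privs
    return set()

def missing_privileges(user, groups, task, permissions):
    """Return the (object, privilege) pairs the user lacks for `task`."""
    missing = []
    for obj, priv in task:
        held = effective_privileges(user, groups, obj, permissions)
        if "*" not in held and priv not in held:
            missing.append((obj, priv))
    return missing

# "Create a virtual machine": one privilege on each object the task touches
# (folder, cluster/resource pool, datastore, network), as the rules describe.
CREATE_VM = [
    ("vm-folder", "VirtualMachine.Inventory.Create"),
    ("cl1", "Resource.AssignVMToPool"),
    ("ds1", "Datastore.AllocateSpace"),
    ("net1", "Network.Assign"),
]

def scenario_folder_only():
    """Administrator on the folder alone: three of the four objects are uncovered."""
    perms = {"vm-folder": [Permission("alice", "Administrator", True)]}
    return missing_privileges("alice", set(), CREATE_VM, perms)

def scenario_complete():
    """A group holds a matching role on every object the task touches."""
    perms = {
        "vm-folder": [Permission("vm-operators", "Administrator", True)],
        "cl1": [Permission("vm-operators", "ResourcePoolAdministrator", False)],
        "ds1": [Permission("vm-operators", "DatastoreConsumer", False)],
        "net1": [Permission("vm-operators", "NetworkConsumer", False)],
    }
    return missing_privileges("alice", {"vm-operators"}, CREATE_VM, perms)

def scenario_child_override():
    """Administrator propagated from dc1 is overridden by ReadOnly set on ds1."""
    perms = {"dc1": [Permission("bob", "Administrator", True)],
             "ds1": [Permission("bob", "ReadOnly", False)]}
    return missing_privileges("bob", set(), CREATE_VM, perms)

def scenario_no_propagate():
    """Administrator on dc1 without propagate covers nothing below it."""
    perms = {"dc1": [Permission("carol", "Administrator", False)]}
    return missing_privileges("carol", set(), CREATE_VM, perms)

if __name__ == "__main__":
    for fn in (scenario_folder_only, scenario_complete,
               scenario_child_override, scenario_no_propagate):
        print(f"{fn.__name__}: missing {fn()}")
```

The child-override and no-propagate scenarios are the two that surprise people in practice: a role granted high in the tree does not reach a child that has its own explicit permission, and without propagate it reaches nothing at all, which is why the table's "Add multiple hosts to a cluster" row calls out the parent data center "with propagate".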
| Task | Required Privileges | Applicable Role |
|---|---|---|
| Create a virtual machine | On the destination folder or data center | Administrator |
| | On the destination host, cluster, or resource pool | Resource Pool Administrator or Administrator |
| | On the destination datastore or the folder that contains the datastore | Datastore Consumer or Administrator |
| | On the network that the virtual machine will be assigned to | Network Consumer or Administrator |
| Power on a virtual machine | On the data center in which the virtual machine is deployed; on the virtual machine or folder of virtual machines | Virtual Machine Power User or Administrator |
| Deploy a virtual machine from a template | On the destination folder or data center | Administrator |
| | On a template or folder of templates | Administrator |
| | On the destination host, cluster, or resource pool | Administrator |
| | On the destination datastore or folder of datastores | Datastore Consumer or Administrator |
| | On the network that the virtual machine will be assigned to | Network Consumer or Administrator |
| Take a virtual machine snapshot | On the virtual machine or a folder of virtual machines | Virtual Machine Power User or Administrator |
| Move a virtual machine into a resource pool | On the virtual machine or folder of virtual machines | Administrator |
| | On the destination resource pool | Administrator |
| Install a guest operating system on a virtual machine | On the virtual machine or folder of virtual machines | Virtual Machine Power User or Administrator |
| | On a datastore that contains the installation media ISO image (if installing from an ISO image on a datastore); on the datastore to which you upload the installation media ISO image | Virtual Machine Power User or Administrator |
| Migrate a virtual machine with vMotion | On the virtual machine or folder of virtual machines | Resource Pool Administrator or Administrator |
| | On the destination host, cluster, or resource pool (if different from the source) | Resource Pool Administrator or Administrator |
| Cold migrate (relocate) a virtual machine | On the virtual machine or folder of virtual machines | Resource Pool Administrator or Administrator |
| | On the destination host, cluster, or resource pool (if different from the source) | Resource Pool Administrator or Administrator |
| | On the destination datastore (if different from the source) | Datastore Consumer or Administrator |
| Migrate a virtual machine with Storage vMotion | On the virtual machine or folder of virtual machines | Resource Pool Administrator or Administrator |
| | On the destination datastore | Datastore Consumer or Administrator |
| Move a host into a cluster | On the host | Administrator |
| | On the destination cluster | Administrator |
| Add a single host to a data center by using the vSphere Client, or add a single host to a cluster by using PowerCLI or the API (leveraging the addHost API) | On the host | Administrator |
| | On the cluster | Administrator |
| | On the data center | Administrator |
| Add multiple hosts to a cluster | On the cluster | Administrator |
| | On the parent data center of the cluster (with propagate) | Administrator |
| Encrypt a virtual machine | Encryption tasks are possible only in environments that include vCenter Server. In addition, the ESXi host must have encryption mode enabled for most encryption tasks. The user who performs the task must have the appropriate privileges. A set of Cryptographic Operations privileges allows fine-grained control. See Prerequisites and Required Privileges for Virtual Machine Encryption Tasks. | Administrator |
| Protect a virtual machine (if using vSphere+ to protect the virtual machine) | On the data center in which the virtual machine is deployed | Administrator |