By default, a user who has the vCenter Server Administrator role can interact with files and applications within the guest operating system of a virtual machine. To reduce the risk of breaching guest confidentiality, availability, or integrity, create a nonguest access role without the Virtual machine.Guest operations privilege. Assign that role to administrators who do not need virtual machine file access.

For security, be as restrictive about allowing access to the virtual data center as you are to the physical data center. Apply a custom role that does not include the Virtual machine.Guest operations privilege to users who require administrator privileges, but who are not authorized to interact with guest operating system files and applications.

For example, a configuration might include a virtual machine on the infrastructure that has sensitive information on it.

If tasks such as vMotion migration require that data center administrators can access the virtual machine, deactivate some remote guest operating system operations to ensure that those administrators cannot access sensitive information.


Verify that you have Administrator privileges on the vCenter Server system where you create the role.


  1. Log in to the vSphere Client as a user who has Administrator privileges on the vCenter Server system where you want to create the role.
  2. Select Administration and click Roles.
  3. Click the Administrator role and click Clone.
  4. Enter a role name and description and click OK.
    For example, enter Administrator No Guest Access.
  5. Select the cloned role and click the Edit.
  6. Under the Virtual machine privilege, deselect Guests operations.
  7. Click Save.

What to do next

Select the vCenter Server system or the host and assign a permission that pairs the user or group that should have the new privileges to the newly created role. Remove those users from the Administrator role.