A privilege is a system-defined requirement associated with a VMware vSphere object. Privileges are defined by VMware. Privileges are static, and do not change for a single version of a product. Each managed object has one or more privileges that a principal (user, group member) must have to invoke an operation or to view a property. For example, managed entities such as Folder and VirtualMachine require the principal to have the System.Read privilege on the entity to view the values of its properties.

The vSphere API Reference lists the privileges required to invoke operations and to view properties under the Required Privileges labels on the documentation page for each managed object. Privilege names for vSphere components have the following form:

<group>[.<group>].privilege

For example:

Datacenter.Create
Host.Config.Connection
Host.Config.Snmp
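The following is an added example, not code from the vSphere documentation or SDK. It parses privilege IDs in the form shown above and compares the privileges a role grants with the privileges a task requires, reporting excess grants that fall under a chosen group such as Host.Config. The function names and the sample role are assumptions constructed for illustration; only the privilege IDs are taken from this page.

```python
from collections import defaultdict


def parse_privilege(priv_id):
    """Split 'Host.Config.Snmp' into (('Host', 'Config'), 'Snmp')."""
    parts = priv_id.split(".")
    # At least one group plus the privilege name, with no empty segments.
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a <group>[.<group>].privilege ID: {priv_id!r}")
    return tuple(parts[:-1]), parts[-1]


def group_tree(priv_ids):
    """Index privilege IDs by every group prefix they fall under."""
    tree = defaultdict(set)
    for pid in priv_ids:
        groups, _ = parse_privilege(pid)
        for depth in range(1, len(groups) + 1):
            tree[".".join(groups[:depth])].add(pid)
    return dict(tree)


def audit_role(granted, required, sensitive_groups=()):
    """Compare a role's granted privileges with what its task requires."""
    granted, required = set(granted), set(required)
    excess = granted - required
    tree = group_tree(granted)
    # Excess privileges that sit under any group the reviewer marked sensitive.
    sensitive = {p for g in sensitive_groups for p in tree.get(g, ()) if p in excess}
    return {
        "missing": sorted(required - granted),
        "excess": sorted(excess),
        "sensitive_excess": sorted(sensitive),
    }


# Constructed sample: a hypothetical monitoring role and what its task needs.
SAMPLE_ROLE = ["System.Read", "Alarm.Create",
               "Host.Config.Snmp", "Host.Config.Connection"]
SAMPLE_REQUIRED = ["System.Read", "Alarm.Create"]

if __name__ == "__main__":
    report = audit_role(SAMPLE_ROLE, SAMPLE_REQUIRED,
                        sensitive_groups=["Host.Config"])
    for key, values in report.items():
        print(f"{key}: {values}")
```
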

A privilege might be specific to vCenter Server or to ESXi systems. For example, the Alarm.Create privilege is defined on vCenter Server. Setting alarms is done through the AlarmManager service interface, which requires a running vCenter Server system.

Privilege requirements apply to system objects regardless of how a given client application attempts to access server content (vSphere Client, CLI, or SDK). For example, you can use the following URL to access virtual machine datastore files:

https://<hostname>/folder[/<path>]/?dcPath=<datacenter_path>[&dsName=<datastore_name>]

The URL accesses a Datastore object in the inventory. You must have privileges to access each object in the hierarchy, corresponding to the elements of the URL.