A role is a predefined set of privileges. Privileges define rights to perform actions and read properties. For example, the Virtual Machine Administrator role consists of read properties and of a set of rights to perform actions. The role allows a user to read and change virtual machine attributes.

When you assign permissions, you pair a user or group with a role and associate that pairing with an inventory object. A single user or group can have different roles for different objects in the inventory.

For example, if you have two resource pools in your inventory, Pool A and Pool B, you can assign a particular user the Virtual Machine User role on Pool A and the Read Only role on Pool B. These assignments allow that user to turn on virtual machines in Pool A, but to only view virtual machines in Pool B.

vCenter Server provides system roles and sample roles by default:

System roles

System roles are permanent. You cannot edit the privileges associated with these roles.

Sample roles

VMware provides sample roles for certain frequently performed combination of tasks. You can clone, modify or remove these roles.

Note

To avoid losing the predefined settings in a sample role, clone the role first and make modifications to the clone. You cannot reset the sample to its default settings.

Users can schedule only tasks if they have a role that includes privileges to perform that task at the time the tasks are created.

Note

Changes to roles and privileges take effect immediately, even if the users involved are logged in. The exception is searches, where changes take effect after the user has logged out and logged back in.

You can create custom roles for vCenter Server and all object it manages, or for individual hosts.

vCenter Server Custom Roles (Recommended)

Create custom roles by using the role-editing facilities in the vSphere Web Client to create privilege sets that match your needs.

ESXi Custom Roles

You can create custom roles for individual hosts by using a CLI or the vSphere Client. See the vSphere Administration with the vSphere Client documentation. Custom host roles are not accessible from vCenter Server.

If you manage ESXi hosts through vCenter Server, maintaining custom roles in both the host and vCenter Server can result in confusion and misuse. In most cases, defining vCenter Server roles is recommended.

When you manage a host using vCenter Server, the permissions associated with that host are created through vCenter Server and stored on vCenter Server. If you connect directly to a host, only the roles that are created directly on the host are available.

Note

When you add a custom role and do not assign any privileges to it, the role is created as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read.