A vCenter Single Sign-On administrator user can manage users and groups in the vsphere.local domain from the vSphere Web Client.

The vCenter Single Sign-On administrator user can perform the following tasks.

Users listed on the Users tab in the vSphere Web Client are internal to vCenter Single Sign-On and belong to the vsphere.local domain.

When a vCenter Single Sign-Onuser account is disabled, the user cannot log in to the vCenter Single Sign-On server until the account is enabled by an administrator. You can disable and enable users from the vSphere Web Client interface.

You can delete users that are in the vsphere.local domain from the vCenter Single Sign-On. You cannot delete local operating system users or users in another domain from the vSphere Web Client.

You can change the password or other details of a vCenter Single Sign-On user from the vSphere Web Client. You cannot rename users in the vsphere.local domain. That means you cannot rename administrator@vsphere.local.

In the vCenter Single Sign-On, groups listed on the Groups tab are internal to vCenter Single Sign-On. A group lets you create a container for a collection of group members (principals).

Members of a vCenter Single Sign-On group can be users or other groups from one or more identity sources. You can add new members from the vSphere Web Client.

You can remove members from a vCenter Single Sign-On group from the vSphere Web Client. When you remove a member (user or group) from a local group, you do not delete the member from the system.

vCenter Single Sign-On displays solution users. A solution user is a collection of services. Several vCenter Server solution users are predefined and authenticate to vCenter Single Sign-On as part of installation. In troubleshooting situations, for example, if an uninstall did not complete cleanly, you can delete individual solution users from the vSphere Web Client.

Users in the vsphere.local domain can change their vCenter Single Sign-On passwords from the vSphere Web Client. Users in other domains change their passwords following the rules for that domain. You can change a vCenter Single Sign-On password from the vSphere Web Client.