A role is a predefined set of privileges. Privileges define basic individual rights required to perform actions and read properties.

When you assign a user or group permissions, you pair the user or group with a role and associate that pairing with an inventory object. A single user might have different roles for different objects in the inventory. For example, if you have two resource pools in your inventory, Pool A and Pool B, you might assign a particular user the Virtual Machine User role on Pool A and the Read Only role on Pool B. This would allow that user to power on virtual machines in Pool A, but not those in Pool B, although the user would still be able to view the status of the virtual machines in Pool B.

The roles created on an ESX/ESXi host are separate from the roles created on a vCenter Server system. When you manage a host using vCenter Server, only the roles created through vCenter Server are available. If you connect directly to the host using the vSphere Client, only the roles created directly on the host are available.

vCenter Server and ESX/ESXi hosts provide default roles:

System roles

System roles are permanent. You cannot edit the privileges associated with these roles.

Sample roles

VMware provides sample roles for convenience as guidelines and suggestions. You can modify or remove these roles.

You can also create completely new roles.

All roles permit the user to schedule tasks by default. Users can schedule only tasks they have permission to perform at the time the tasks are created.


Changes to permissions and roles take effect immediately, even if the users involved are logged in. The exception is searches, where permission changes take effect only after the user has logged out and logged back in again.
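
The Pool A / Pool B pairing described above, followed by a read-back audit that marks each permission's role as a fixed system role or a modifiable one. This is an added example, not part of the original documentation. It assumes VMware PowerCLI, an existing `Connect-VIServer` session to vCenter Server, and a hypothetical user `EXAMPLE\jdoe`; the role names `VirtualMachineUser` and `ReadOnly` are the names PowerCLI is assumed to report for the Virtual Machine User and Read Only roles.

```powershell
# Added example. Assumes PowerCLI is loaded and Connect-VIServer has already run.
# The user, pool names and role names below are assumptions for illustration.
$principal = 'EXAMPLE\jdoe'
$assignments = @(
    @{ Pool = 'Pool A'; Role = 'VirtualMachineUser' },
    @{ Pool = 'Pool B'; Role = 'ReadOnly' }
)

# A permission is the pairing of a principal with a role on one inventory object.
foreach ($a in $assignments) {
    $pool = Get-ResourcePool -Name $a.Pool -ErrorAction Stop
    $role = Get-VIRole -Name $a.Role -ErrorAction Stop
    New-VIPermission -Entity $pool -Principal $principal -Role $role -Propagate $true |
        Out-Null
}

# Index role definitions by name so each permission can be joined to its role.
$roles = @{}
Get-VIRole | ForEach-Object { $roles[$_.Name] = $_ }

# Read back every permission. SystemRole = $false means the role's privilege set
# can be edited, so the effective rights of that pairing can change later.
Get-VIPermission | ForEach-Object {
    $r = $roles[$_.Role]
    [pscustomobject]@{
        Principal  = $_.Principal
        IsGroup    = $_.IsGroup
        Entity     = $_.Entity.Name
        Role       = $_.Role
        Propagate  = $_.Propagate
        SystemRole = $r.IsSystem
        Privileges = $r.PrivilegeList.Count
    }
} | Sort-Object Principal, Entity | Format-Table -AutoSize
```

Because host roles and vCenter Server roles are separate, running the same audit against a direct ESX/ESXi host connection reports only the roles created on that host.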