vSphere provides access control to managed objects by using user and group permissions and roles.

Each user logs in to a vCenter Server system through the vSphere Client. Each user is identified to the server as someone who has rights and privileges to selected objects, such as datacenters and virtual machines, within the vSphere environment. The vCenter Server system has full rights and privileges on all hosts and virtual machines within the vSphere environment. The server passes on only those actions and requests from a user that the user has permission to perform. Access privileges affect which vSphere Client objects appear in the inventory.

The server determines which access privileges and requests to allow based on the role assigned to the user or the user’s group on each object. vCenter Server administrators can create custom roles with specific sets of privileges, as well as use the sample roles that vCenter Server provides.

Users and Groups

Created through the Windows domain or Active Directory database or on the ESX/ESXi host. The server, either vCenter Server or ESX/ESXi, registers users and groups as part of the process of assigning privileges.


Roles

A set of access rights and privileges. Selected sample roles exist. You can also create roles and assign combinations of privileges to each role.


Permissions

A permission consists of a user or group and a role assigned to a particular inventory object.
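The following Python model is an added illustration, not VMware code: it shows how users, groups, roles and permissions combine when the server decides whether to pass on a request and which objects a user sees. All user, group, role and object names are constructed. The example goes beyond the text above in one respect: it applies the vSphere rule that a permission set directly on a user for an object takes precedence over that user's group permissions on the same object. It does not model inheritance from parent objects, and it treats an object as visible when the user holds any privilege on it.

```python
from dataclasses import dataclass

# Roles: named sets of privileges (role contents constructed for this example).
ROLES = {
    "ReadOnly": {"System.View", "System.Read"},
    "VMOperator": {"System.View", "System.Read",
                   "VirtualMachine.Interact.PowerOn",
                   "VirtualMachine.Interact.PowerOff"},
}

# Group membership per user (constructed sample data).
GROUPS = {"alice": {"vm-ops"}, "bob": {"auditors"},
          "carol": {"auditors", "vm-ops"}}

@dataclass(frozen=True)
class Permission:
    principal: str   # user or group name
    is_group: bool
    role: str        # key into ROLES
    obj: str         # inventory object the pair is assigned to

PERMISSIONS = [
    Permission("vm-ops", True, "VMOperator", "vm-web01"),
    Permission("auditors", True, "ReadOnly", "vm-web01"),
    Permission("auditors", True, "ReadOnly", "vm-db01"),
    Permission("alice", False, "ReadOnly", "vm-web01"),
]

def effective_privileges(user, obj):
    """Privileges the user holds on obj (no parent inheritance modelled)."""
    on_obj = [p for p in PERMISSIONS if p.obj == obj]
    chosen = [p for p in on_obj if not p.is_group and p.principal == user]
    if not chosen:
        # No user-specific permission: combine the roles of the user's groups.
        member_of = GROUPS.get(user, set())
        chosen = [p for p in on_obj if p.is_group and p.principal in member_of]
    privileges = set()
    for p in chosen:
        privileges |= ROLES[p.role]
    return privileges

def is_allowed(user, privilege, obj):
    """True if the server would pass this request on for the user."""
    return privilege in effective_privileges(user, obj)

def visible_inventory(user):
    """Objects the user sees: those on which the user has any privilege."""
    objs = sorted({p.obj for p in PERMISSIONS})
    return [o for o in objs if effective_privileges(user, o)]
```

Note that `alice` is in `vm-ops` but cannot power on `vm-web01`, because her direct `ReadOnly` permission on that object replaces what the group would have granted; auditing only group membership would miss this.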