Defining users, groups, roles, and permissions lets you control who has access to your vSphere managed objects and what actions they can perform.

vCenter Server and ESX/ESXi hosts determine the level of access for the user based on the permissions that you assign to the user. The combination of user name, password, and permissions is the mechanism by which vCenter Server and ESX/ESXi hosts authenticate a user for access and authorize the user to perform activities. The servers and hosts maintain lists of authorized users and the permissions assigned to each user.

Privileges define individual rights that are required for a user to perform actions and read properties. ESX/ESXi and vCenter Server use sets of privileges, or roles, to control which users or groups can access particular vSphere objects. ESX/ESXi and vCenter Server provide a set of preestablished roles. You can also create roles.

The privileges and roles assigned on an ESX/ESXi host are separate from the privileges and roles assigned on a vCenter Server system. When you manage a host using vCenter Server, only the privileges and roles assigned through the vCenter Server system are available. If you connect directly to the host using the vSphere Client, only the privileges and roles assigned directly on the host are available.
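As an added illustration of the model above (not part of the original VMware documentation), the following PowerCLI script builds a custom role from a minimal set of privileges, binds it to a group on one inventory object through a permission, and then reads the permission back to verify it. The vCenter hostname, the group `CORP\vm-operators`, and the folder `Ops-VMs` are placeholders; an existing PowerCLI installation is assumed.

```powershell
# Added example (placeholder names). Connect to vCenter, not directly to a host:
# a role created here lives only in vCenter Server and is not visible when the
# vSphere Client connects straight to an ESX/ESXi host.
Connect-VIServer -Server 'vcenter.example.com'   # placeholder hostname

# Privileges are individual rights. Select only what the operators need;
# System.Anonymous, System.View and System.Read are implicitly part of every role.
$privilegeIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract'
)
$privileges = Get-VIPrivilege -Id $privilegeIds

# A role is a named set of privileges.
$role = New-VIRole -Name 'VM Operator (power and console only)' -Privilege $privileges

# A permission binds a user or group plus a role to one managed object.
# Propagate = $true applies it to every child object under the folder.
$folder = Get-Folder -Name 'Ops-VMs' -Type VM
New-VIPermission -Entity $folder -Principal 'CORP\vm-operators' -Role $role -Propagate $true

# Verification: the group should now appear on the folder with exactly this role.
Get-VIPermission -Entity $folder |
    Where-Object { $_.Principal -eq 'CORP\vm-operators' } |
    Select-Object Principal, Role, Propagate, IsGroup
```

Reviewing the last command's output is the quick check that the binding landed on the intended object and did not propagate more widely than planned.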