vCenter Server and ESX grant access to objects only to users who are assigned permissions for the object. When you assign a user or group permissions for the object, you do so by pairing the user or group with a role. A role is a predefined set of privileges.

ESX hosts provide three default roles, and you cannot change the privileges associated with these roles. Each subsequent default role includes the privileges of the previous role. For example, the Administrator role inherits the privileges of the Read Only role. Roles you create yourself do not inherit privileges from any of the default roles.

You can create custom roles by using the role-editing facilities in the vSphere Client to create privilege sets that match your user needs. If you use the vSphere Client connected to vCenter Server to manage your ESX hosts, you have additional roles to choose from in vCenter Server. Also, the roles you create directly on an ESX host are not accessible within vCenter Server. You can work with these roles only if you log in to the host directly from the vSphere Client.

If you manage ESX hosts through vCenter Server, maintaining custom roles in the host and vCenter Server can result in confusion and misuse. In this type of configuration, maintain custom roles only in vCenter Server.

You can create roles and set permissions through a direct connection to the ESX host. Because most users create roles and set permissions in vCenter Server, see the VMware vSphere Datacenter Administration Guide for information on working with permissions and roles.