vCenter Server and ESXi hosts use a combination of user name, password, and permissions to authenticate a user for access and authorize activities. You can control access to hosts, clusters, datastores, resource pools, networking port groups, and virtual machines by assigning permissions.

Access to an ESXi host and its resources is granted when a known user with appropriate permissions logs in to the host with a correct password. vCenter Server uses a similar approach when determining whether to grant access to a user.

vCenter Server and ESXi hosts deny access under the following circumstances:

A user not in the user list attempts to log in.

A user enters the wrong password.

A user is in the list but was not assigned permissions.

A user who successfully logged in attempts operations that they do not have permission to perform.

As part of managing ESXi hosts and vCenter Server, you must plan how to handle particular types of users and permissions. ESXi and vCenter Server use sets of privileges, or roles, to control which operations individual users or groups can perform. Predefined roles are provided, but you can also create new ones. You can manage users more easily by assigning them to groups. When you apply a role to the group, all users in the group inherit the role.