Users and Groups in the vSphere Environment
Users, groups, and roles control who has access to vSphere components and what actions each user can perform. User management is discussed in detail in the vSphere Security documentation.
Important You cannot use vicfg-user to create roles. You can manage system-defined roles.
vCenter Server and ESXi systems authenticate a user with a combination of user name, password, and permissions. Servers and hosts maintain lists of authorized users and the permissions assigned to each user.
Privileges define basic individual rights that are required to perform actions and retrieve information. ESXi and vCenter Server use sets of privileges, or roles, to control which users or groups can access particular vSphere objects. ESXi and vCenter Server provide a set of pre-established roles.
The privileges and roles assigned on an ESXi host are separate from the privileges and roles assigned on a vCenter Server system. When you manage a host by using vCenter Server system, only the privileges and roles assigned through the vCenter Server system are available. If you connect directly to the host by using the vSphere Client, only the privileges and roles assigned directly on the host are available.