You can configure vSphere so that identified users can perform only a specific and focused function. This protects your system from errors that might be made by users who are in unfamiliar or sensitive parts of the system's interface.

If you follow the tenets of role-based access control (RBAC), you would create roles for particular job functions, and give each role a subset of permissions or privileges needed to do a function and no more. This protects the system from errors, while simplifying an administrator's task in assigning permissions.

vSphere provides the ability to achieve role-based access control, and includes a large collection of privileges that you can use to create a spectrum of roles. The privileges are described in the vSphere Security documentation. vSphere vCenter Server has nine roles defined. They vary in their functions and level of responsibility.

For this exercise, you create a role with a limited function: the ability to deploy new virtual machines from a template. A user with this role cannot move, modify, or delete a virtual machine, and cannot change the configuration of a host or datastore, for example. One scenario for this role is in an organization that provides virtual machine workstations to new hires, or needs to deploy development servers as new projects come on line. With a virtual machine deployment role in place, the manager can provide the role holder with a list of users and groups and needed virtual machines, and a runbook to follow for the process.