In the vSphere Web Client, groups listed on the Groups tab are internal to vCenter Single Sign On. A group is a container for a collection of members, called principals.

When you add a Single Sign On group with the Single Sign On administration tool, the group is stored in the Single Sign On database. The database runs on the system where Single Sign On is installed. These groups are part of the identity source System-Domain.

Group members can be users or other groups, and a group can contain members from across multiple identity sources. After you create a group and add principals, you apply permissions to the group. Members of the group inherit the group permissions.


1. Browse to Administration > Access > SSO Users and Groups in the vSphere Web Client.

2. Select the Groups tab and click the New Group icon.

3. Enter a name and description for the group.

   You cannot change the group name after you create the group.

4. Click OK.

Add principals (members) to the group.

Assign permissions to the group.