By default, the vCenter Server Administrator role allows users to interact with files and programs within a virtual machine's guest operating system. To reduce the risk of breaching guest confidentiality, availability, or integrity, create a non-guest access role without the Guest Operations privilege.

Apply the role to users who require administrator privileges, but who are not authorized to interact with files and programs within a guest operating system.

Verify that you have vCenter Server Administrator privileges on the vCenter Server system where you create the role.

1. Log in to the vSphere Web Client as a user who has vCenter Server Administrator privileges on the system where you will create the role.

2. Click Administration and click Access > Role Manager.

3. Click the Create role icon and enter a name for the role.

   For example, enter Administrator No Guest Access.

4. Select All Privileges.

5. Remove the Guest Operations set of privileges by deselecting All Privileges.Virtual machine.Guest Operations.

6. Click OK.

Assign users who require Administrator privileges without guest access privileges to the newly created role, ensuring that these users are removed from the default Administrator role.
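The same procedure can be scripted and then checked. The following PowerCLI sketch is an added example, not part of the original procedure. It assumes VMware PowerCLI is installed and that a session to the vCenter Server system is already open through Connect-VIServer; the role name is the example from step 3.

```powershell
# Added example. Assumes an existing Connect-VIServer session opened by a user
# with vCenter Server Administrator privileges.
$roleName   = 'Administrator No Guest Access'      # example name from step 3
$guestOpsId = 'VirtualMachine.GuestOperations.*'   # privilege IDs under Guest Operations

# Steps 4-5: take every privilege held by the built-in Administrator role
# (named 'Admin' in the API) and drop the Guest Operations set.
$adminRole  = Get-VIRole -Name 'Admin'
$privileges = Get-VIPrivilege -Role $adminRole |
    Where-Object { $_.Id -notlike $guestOpsId }

# Step 6: create the role only if it does not exist yet.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privileges
}

# Check 1: the role must hold no Guest Operations privilege. This also catches
# a role of the same name that was created earlier with different contents.
$leftover = Get-VIPrivilege -Role $role |
    Where-Object { $_.Id -like $guestOpsId }
if ($leftover) {
    Write-Warning "Role '$roleName' still grants guest access:"
    $leftover | Select-Object -ExpandProperty Id
} else {
    Write-Output "Role '$roleName' grants no Guest Operations privileges."
}

# Check 2: list every permission that still uses the default Administrator
# role, so users who should not have guest access can be moved to the new role.
Get-VIPermission |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, IsGroup, Entity, Propagate |
    Sort-Object Principal
```

Run the two checks again after reassigning users: a principal that appears in the second listing still has Guest Operations through the default Administrator role, whether directly or through a group.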