You can use ESXCLI commands to manage permissions.

Starting with vSphere 6.0, a set of ESXCLI commands allows you to perform the following operations.

Give permissions to local users and groups by assigning them one of the predefined roles.

Give permissions to Active Directory users and groups if your ESXi host has been joined to an Active Directory domain by assigning them one of the predefined roles.


When you manage local users on your ESXi host, you are not affecting the vCenter Server users.

You can list, remove, and set permissions for a user or group, as shown in the following example.


List permissions.

esxcli system permission list

The system displays permission information. The second column indicates whether the information is for a user or group.

Principal            Is Group  Role
ABCDEFGH\esx^admins  true      Admin
dcui                 false     Admin
root                 false     Admin
vpxuser              false     Admin
test1                false     ReadOnly

Set permissions for a user or group. Specify the ID of the user or group, and set the --group option to true to indicate a group. Specify one of three roles, Admin, ReadOnly or NoAccess.

esxcli system permission set --id test1 -r ReadOnly

Remove permissions for a user or group.

esxcli system permission unset --id test1

You can manage accounts by using the following commands.

esxcli system account add
esxcli system account set
esxcli system account list
esxcli system account remove