Identify common vCenter Server privileges and roles


Identify common vCenter Server privileges and roles
Privileges are independent units of security in vSphere. Each privilege:
  • describes a basic action that can be performed on one or more of the vSphere entities
  • has the ability to perform a specific action or read a specific property
Examples include powering on a virtual machine and creating an alarm.

Privileges define individual rights that a user requires to perform actions and read properties.
One or more privileges are bundled together to form a role. A role is a predefined set of privileges.

A role is a named set of one or more privileges and it is used to grant users or groups access to managed entities. A role is normally defined for a group of people who have common responsibilities in the system, for example, administrators. Each role can have zero to multiple privileges.

Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task, such as administer a virtual machine.

With these roles you can assign permissions on vSphere objects. An object is an entity upon which actions are performed. Examples of objects are datacenters, folders, resource pools, clusters, hosts, and virtual machines.

vCenter Server and ESXi hosts provide two default role types:

System roles Permanent roles. You cannot edit the privileges associated with these roles.
Sample roles Pre-defined roles created for convenience as guidelines and suggestions. You can modify or remove these roles.

You can also create new, user-defined roles.


Role Type

Description of User Capabilities

No Access


Cannot view or change the assigned object. vSphere Can be used to revoke permissions that would otherwise be propagated to an object from a parent object.

Read Only


View the state and details about the object. View all the tab panels in the vSphere Client except the Console tab. Cannot perform any actions through the menus and toolbars.



All privileges for all objects. Add, remove, and set access rights and privileges for all the vCenter Server users and all the virtual objects in the vSphere environment.
NOTE Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role.

Virtual Machine Power User


A set of privileges to allow the user to interact with and make hardware changes to virtual machines, as well as perform snapshot operations.

Usually granted on a folder that contains virtual machines or on individual virtual machines. Available on vCenter Server

Virtual Machine User


A set of privileges to allow the user to interact with a virtual machine’s console, insert media, and perform power operations. Does not grant privileges to make virtual hardware changes to the virtual machine.

Usually granted on a folder that contains virtual machines or on
individual virtual machines. Available on vCenter Server

Resource Pool


A set of privileges to allow the user to create child resource pools and
modify the configuration of the children, but not to modify the resource configuration of the pool or cluster on which the role was granted.

Usually granted on a cluster or resource pool.
Available on vCenter Server.

Datastore Consumer


A set of privileges to allow the user to consume space on the datastores on which this role is granted.

Usually granted on a datastore or a folder of datastores.
This role is available on vCenter Server.

Network Consumer


A set of privileges to allow the user to assign virtual machines or hosts to networks, if the appropriate permissions for the assignment are also granted on the virtual machines or hosts.

Usually granted on a network or folder of networks.
Available on vCenter Server.


When you assign a user or group permissions, you pair the user or group (principal) with a role and associate that pairing with an inventory object.

A single user might have different roles for different objects in the inventory. For example, if you have two resource pools in your inventory, Pool A and Pool B, you might assign a particular user the Virtual Machine User role on Pool A and the Read Only role on Pool B.

The roles created on an ESX/ESXi host are separate from the roles created on a vCenter Server system. When you manage a host using vCenter Server, the roles created through vCenter Server are available. If you connect directly to the host using the vSphere Client, the roles created directly on the host are available.

In vSphere, a permission consists of a user or group and an assigned role for an inventory object, such as a virtual machine or ESX/ESXi host. Permissions grant users the right to perform the activities specified by the role on the object to which the role is assigned.

The list of privileges is the same for both ESXi and vCenter Server, and you use the same method to configure permissions.

You can create roles and set permissions through a direct connection to the ESXi host.

When you assign a permission to an object, you can choose whether each permission propagates down the object hierarchy. Permissions defined for a child object always override the permissions that are propagated from parent objects.

Most inventory objects inherit permissions from a single parent object in the hierarchy. Some, like virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously.

To restrict a user’s privileges on a virtual machine, you must set permissions on both the parent folder and the parent host, cluster, or resource pool for that virtual machine.

Objects can have multiple permissions.
Each user or group can have only one permission.

Permissions applied on a child object always override permissions that are applied on a parent object.