--- Sjoerd Hooft's InFormation Technology ---


WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.



VMware Permissions and Roles

Default Roles ESX and vCenter

These are the default roles that exist on ESX and vCenter.

Note: These roles do not get synchronized between ESX and vCenter. ESX roles are in place when you connect directly to the host and vCenter roles are in place when you connect to vCenter.

^ Role ^ Available ESX ^ Available vCenter ^ Description ^
| No Access | Yes | Yes | Cannot view or change the assigned object. vSphere Client tabs associated with an object appear without content. Can be used to revoke permissions that would otherwise be propagated to an object from a parent object. |
| Read Only | Yes | Yes | View the state and details about the object. View all tab panels in the vSphere Client except the Console tab. Cannot perform any actions through the menus and toolbars. |
| Administrator | Yes | Yes | All privileges for all objects. Add, remove and set access rights and privileges for all users and all objects. |
| Virtual Machine Power User | No | Yes | A set of privileges to allow the user to interact with and make hardware changes to VMs, as well as snapshot operations. Usually granted on folders that contain VMs. |
| Virtual Machine User | No | Yes | A set of privileges to allow the user to interact with a VM's console, insert media and perform power operations. Does not allow hardware changes. Usually granted on folders that contain VMs. |
| Resource Pool Administrator | No | Yes | A set of privileges to allow the user to create child resource pools and modify the configuration of the children, but not to modify the configuration of the pool or cluster on which the role was granted. Also allows the user to grant permissions to child resource pools, and assign virtual machines to the parent or child resource pools. Additional privileges must be granted on VMs and datastores to allow provisioning of new virtual machines. Usually granted on a cluster or resource pool. |
| VMware Consolidated Backup User | No | Yes | Used by the VMware Consolidated Backup product. Do not modify. |
| Datastore Consumer | No | Yes | A set of privileges to allow the user to consume space on datastores on which the role is granted. To perform a space-consuming operation, such as creating a virtual disk or taking a snapshot, the user must also have the appropriate VM privileges granted for these operations. Usually granted on a datastore or a folder of datastores. |
| Network Consumer | No | Yes | A set of privileges to allow the user to assign VMs or hosts to networks, if the appropriate permissions for the assignment are also granted on the VMs or hosts. Usually granted on a network or a folder of networks. |

Default Users ESX and vCenter

vCenter Server Users

Authorized users for vCenter Server are those included in the Windows domain list referenced by vCenter Server or local Windows users on the vCenter Server system. The permissions defined for these users apply whenever a user connects to vCenter Server. You cannot use vCenter Server to manually create, remove, or otherwise change vCenter Server users. To manipulate the user list or change user passwords, use the same tools that you use to manage your Windows domain or Active Directory. For more information about creating users and groups for use with vCenter Server, see your Microsoft documentation.
Changes that you make to the Windows domain are reflected in vCenter Server. Because you cannot directly manage users in vCenter Server, the user interface does not provide a user list for you to review. You see these changes only when you select users to configure permissions.
vCenter Servers connected in a Linked Mode group use Active Directory to maintain the list of users, allowing all vCenter Server systems in the group to share a common set of users.

ESX Users


The root user has full administrative privileges. Administrators use this login and its associated password to log in to a host through the vSphere Client. Root users have a complete range of control activities on the specific host that they are logged on to, including manipulating permissions, creating groups and users (on ESX/ESXi hosts only), working with events, and so on.


The vpxuser user is a vCenter Server entity with root rights on the ESX/ESXi host, allowing it to manage activities for that host. The vpxuser is created at the time that an ESX/ESXi host is attached to vCenter Server. It is not present on the ESX host unless the host is being managed through vCenter Server.

Revoking Permissions

Remove Roles

When you remove a role that is not assigned to any users or groups, the definition is removed from the list of roles. When you remove a role that is assigned to a user or group, you can remove assignments or replace them with an assignment to another role.
If you remove a role from a vCenter Server system that is part of a connected group in Linked Mode, check the use of that role on the other vCenter Server systems in the group. Removing a role from one vCenter Server system removes the role from all other vCenter Server systems in the group, even if you reassign permissions to another role on the current vCenter Server system.


  • If a user or group does not have other permissions assigned when a role is removed, they lose all privileges.
  • Any operation that consumes storage space, such as creating a virtual disk or taking a snapshot, requires the “Datastore.Allocate Space” privilege on the target datastore, as well as the privilege to perform the operation itself.
  • Moving an object in the inventory hierarchy requires appropriate privileges on the object itself, the source parent object (such as a folder or cluster), and the destination parent object.
  • Each host and cluster has its own implicit resource pool that contains all the resources of that host or cluster. Deploying a virtual machine directly to a host or cluster requires the “Resource.Assign Virtual Machine to Resource Pool” privilege.

Permission Propagation

This is the overview of possible permission propagation: permissionpropagation.jpg

Permissions applied on a child object always override permissions that are applied on a parent object. Virtual machine folders and resource pools are equivalent levels in the hierarchy. If you assign propagating permissions to a user or group on a virtual machine's folder and its resource pool, the user has the privileges propagated from the resource pool and from the folder.
If multiple group permissions are defined on the same object and the user belongs to two or more of those groups, two situations are possible:

  • If no permission is defined for the user on that object, the user is assigned the set of privileges assigned to the groups for that object.
  • If a permission is defined for the user on that object, the user's permission takes precedence over all group permissions.
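
The rules above can be checked against a small model. This is an added example, not VMware code and not part of the original page: the inventory, principals and privilege labels are constructed, and it implements only the rules stated in this section (child overrides parent, folder and resource pool combine, a user permission beats group permissions, group permissions on one object combine).

```python
# Constructed model of the rules in this section; not VMware code or a vSphere API.
# Role names come from the table above; the privilege labels are illustrative.
ROLES = {
    "No Access": set(),
    "Read Only": {"view"},
    "Virtual Machine User": {"view", "console", "power"},
    "Virtual Machine Power User": {"view", "console", "power", "hardware", "snapshot"},
}

# Constructed inventory: a VM has two parents at the same level (folder and resource pool).
PARENTS = {
    "vm-web01": ["folder-prod", "pool-gold"],
    "folder-prod": ["datacenter"],
    "pool-gold": ["cluster-a"],
    "cluster-a": ["datacenter"],
    "datacenter": [],
}

# Constructed permissions: (object, principal, role, propagate)
PERMISSIONS = [
    ("datacenter", "grp-ops", "Read Only", True),
    ("cluster-a", "grp-dba", "Virtual Machine Power User", False),
    ("folder-prod", "grp-ops", "Virtual Machine User", True),
    ("folder-prod", "grp-dba", "Virtual Machine Power User", True),
    ("vm-web01", "alice", "No Access", False),
]


def effective(obj, user, groups, inherited=False):
    """Privileges `user` (member of `groups`) holds on `obj` under the rules above."""
    # When walking up from a child, only propagating permissions count.
    here = [p for p in PERMISSIONS if p[0] == obj and (p[3] or not inherited)]
    user_roles = [role for _, who, role, _ in here if who == user]
    if user_roles:  # a user permission beats all group permissions on this object
        return set().union(*(ROLES[r] for r in user_roles))
    group_roles = [role for _, who, role, _ in here if who in groups]
    if group_roles:  # several group permissions on one object are combined
        return set().union(*(ROLES[r] for r in group_roles))
    # Nothing defined here, so inherit from every parent and combine the results.
    result = set()
    for parent in PARENTS[obj]:
        result |= effective(parent, user, groups, inherited=True)
    return result


if __name__ == "__main__":
    for who, grps in [("bob", {"grp-ops", "grp-dba"}), ("alice", {"grp-ops"})]:
        print(who, sorted(effective("vm-web01", who, grps)))
```

In this model alice's No Access permission on the VM cancels what her group would otherwise inherit from the folder, and the non-propagating grant on cluster-a never reaches the resource pool below it.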

Permission Validation

vCenter Server and ESX/ESXi hosts that use Active Directory regularly validate users and groups against the Windows Active Directory domain. Validation occurs whenever the host system starts and at regular intervals specified in the vCenter Server settings.
For example, if user Smith was assigned permissions and in the domain the user’s name was changed to Smith2, the host concludes that Smith no longer exists and removes permissions for that user when the next validation occurs.
Similarly, if user Smith is removed from the domain, all permissions are removed when the next validation occurs. If a new user Smith is added to the domain before the next validation occurs, the new user Smith receives all the permissions the old user Smith was assigned.

Note: Validation occurs every 24 hours.


esxpermissions.txt · Last modified: 2019/11/18 12:22 (external edit)