Authentication and authorization govern access to your vSphere environment. vCenter Single Sign-On supports authentication, which means it determines whether a user can log in to vSphere components at all. Each user must also be authorized to view or manipulate vSphere objects.

For an overview of assigning roles and permissions using the vSphere Client, watch the following video.

vCenter Server allows fine-grained control over authorization with permissions and roles. When you assign a permission to an object in the vCenter Server object hierarchy, you specify which user or group has which privileges on that object. To specify the privileges, you use roles, which are sets of privileges.

Initially, only the administrator user for the vCenter Single Sign-On domain is authorized to log in to the vCenter Server system. The default domain is vsphere.local and the default administrator is administrator@vsphere.local. You can change the default domain during installation of vSphere.

As an administrator user, you can:

  1. Add an identity source in which users and groups are defined to vCenter Single Sign-On. See the vSphere Authentication documentation.
  2. Give privileges to a user or group by selecting an object such as a virtual machine or a vCenter Server system and assigning a role on that object for the user or group.