Manage roles, users and permissions on VMware vSphere 6.7

3. Manage permissions on different objects

As explained at the beginning of this tutorial, rights management is based on: roles, users and the object from which the desired authorization will be applied.
As you will see below, permissions can be added to all types of existing objects (such as data centers, ESXi hosts, VMs, ...) in VMware vCenter Server, but also overall.

To add permissions to a particular object (whatever it may be), simply select it in the left column, then go to its "Permissions" tab.
Next, click on the "+" icon located each time above the list of permissions defined on the desired object.

3.1. Manage global permissions

The first possibility to manage authorizations for your different users is to add global authorizations.
To do this, go to the vSphere Client menu and click: Administration.
Next, go to the section: Access Control -> Global Permissions.

As you can see, by default, permissions are already defined for the users Administrator, AutoUpdate, vpxd-xxxxx, ... of the SSO domain "vsphere.local" (which is the example offered by default by VMware when installation of VMware vCenter Server or VCSA).
You can also see that the Administrator role (= full rights) is granted by default to the user "VSPHERE.LOCAL\Administrator" (= Administrator@vsphere.local), as well as to the "Administrators" group of the same domain SSO.

To add a new global permission, click the "+" icon located just above the table.

Using the "Add Permission" form that appears for the global permissions root (in this case), you will be able to:

• User - vsphere.local: select the user's domain. Default: vsphere.local.
  But if your VMware vCenter Server is linked to an Active Directory domain or an additional identity source has been added to it, you will find your Active Directory (or LDAP) domain in this list.
• User - search: search for the desired user in the domain selected just above.
• Role: select the role to assign to this user for this global permission.
• Propagate to children: allows you to apply this global permission also to all children (in this case: all objects in the inventory of your vCenter Server).
  If this box is unchecked, the affected user or group will only have access to certain global features and will not be able to access your vCenter Server inventory.

Source : Add a Global Permission.

3.2. Manage permissions on a VMware vCenter Server (or VCSA)

To add permissions on a VMware vCenter Server (or VCSA), go to the menu, then click: Hosts and Clusters.
Select your VMware vCenter Server (or VCSA) and go to its "Permissions" tab.
Next, click the "+" icon at the top of the list of permissions currently set on this object or globally.

As you can see, the form is exactly the same as for global permissions, but this time VMware vCenter Server tells you on the right that this permission will be applied to the desired "[vCenter Server name]" object. .
If you check the "Propagate to children" box, this permission will apply to the current object (in this case: the desired vCenter Server), as well as its child objects: data centers, folders (if applicable), the hosts located there, ...

If you need to apply this permission on this object and its children, except some children, remember that a "No Access" role exists.
For this particular case, simply add a permission with the "No Access" role for the same user on the child objects to which you do not want the permission defined on the vCenter Server to apply.

3.3. Manage permissions on a data center

To add permissions to a data center, go to the menu, then click on "Hosts and Clusters" or "VMs and Templates".
Select the desired data center and go to its "Permissions" tab.
Next, click the "+" icon located at the top of the list of permissions displayed.

3.4. Manage permissions on a VMware ESXi hosts folder

To add permissions to a VMware ESXi hosts folder, go to the menu, then click: Hosts and Clusters.
Select the desired folder and go to the "Permissions" tab there.
Next, click the "+" icon located at the top of the list of permissions displayed.

This will allow you to apply privileges (via a previously created and configured role) on several VMware ESXi hosts, its virtual machines, ... if you check the "Propagate to children" box and the privileges defined in the selected role allow it.

3.5. Manage permissions on a VMware ESXi host (hypervisor)

To add permissions on a VMware ESXi host (hypervisor), go to the menu, then click: Hosts and Clusters.
Select the desired VMware ESXi host and go to its "Permissions" tab.
Next, click the "+" icon located at the top of the list of permissions displayed.

3.6. Manage permissions on a virtual machine (VM)

To add permissions to a virtual machine (VM), go to the menu, then click "Hosts and Clusters" or "VMs and Templates".
Select the desired virtual machine and go to its "Permissions" tab.
Next, click the "+" icon located at the top of the list of permissions displayed.

3.7. Manage permissions on a virtual machine (VM) folder

Creating folders in the 2nd tab (VMs and Templates) will allow you to apply permission to several virtual machines (VMs) at once.
To access this "VMs and Templates" section, go to the menu, then click on: VMs and Templates.
Select the desired folder and go to the "Permissions" tab there.
Next, click the "+" icon located at the top of the list of permissions displayed.

Note that the "Propagate to children" box of the added permission must be checked so that it also concerns the virtual machines located in the desired folder.

3.8. Manage permissions on a datastore

To add permissions to a datastore, go to the menu, then click: Storage.
Select the desired datastore and go to its "Permissions" tab.
Next, click the "+" icon located at the top of the list of permissions displayed.

3.9. Manage permissions on a virtual network

To add permissions on a virtual network, go to the menu, then click: Networking.
Select the desired virtual network and go to the "Permissions" tab there.
Next, click the "+" icon located at the top of the list of permissions displayed.