Roles and permissions

Permissions specify the privileges (tasks a user can perform) that an authenticated user or group has on a specific vCenter Server object, and they can be assigned at different levels of the inventory hierarchy. For example, you can assign permissions to a cluster object or to a data center object. The best practice is to assign only the permissions that are actually needed, both to increase security and to keep the permission structure easy to understand. Grouping objects in folders according to the permissions they require makes vSphere administration simpler.

There are also global permissions, which are applied to a global root object and grant the user or group privileges on all objects in all hierarchies. Use global permissions carefully, because they apply to every object in the inventory.

Roles are sets of privileges that you assign to users or groups so they can perform specific tasks on inventory objects. Some default roles are predefined on the vCenter Server, such as Administrator, Read-only, and No access, and these cannot be modified. Other roles, such as network administrator, are provided as sample roles. You can create new roles or clone and modify existing ones. It is suggested to clone an existing role instead of creating a new one from scratch, to avoid potential security issues.

You can manage the vCSA's roles from the Administration menu. Follow these steps to create a new role or modify an existing one:

  1. To create a new role, select the Read-only role and click on the clone role action icon.
  2. Specify a role name and, optionally, add a description, then click OK.
  3. Select the just-created role and click the edit icon to edit the role's actions.
  4. Enable all the actions the new role should be able to perform, then click Next.
  5. You can modify the role name and the description of the role if needed. Click Finish to save the role configuration. You can navigate the DESCRIPTION, USAGE, and PRIVILEGES tabs to get an overview of the granted permissions and of the objects to which the created role has been assigned:
A role must be defined in vSphere to assign specific permissions to a user or group

Once a role has been defined, you need to assign the role to an authenticated user or group. Where possible, it's recommended to assign permissions to groups instead of users for better and more efficient management.

To assign a role to a user or a group, proceed with the following steps:

  1. From the vSphere Client, select the object you want to assign permissions to and click the Permissions tab.
  2. Click the add icon to access the wizard.
  3. Specify the domain to use from the User/Group drop-down menu, then search for or type the user or group name you want to use. The user or group can be a member of localos, the SSO domain, AD, or another identity source.
  4. From the Role drop-down menu, select the role you want to assign to the selected user or group. It is recommended to enable the Propagate to children option to also apply the role to child objects. Click OK to save the settings:

When roles and permissions have been defined, they must be assigned to an authenticated user or group
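The same two procedures (cloning the Read-only role into a least-privilege role, then assigning it to a group on a folder with propagation to child objects) can be scripted with VMware PowerCLI so the result is reproducible and reviewable. The following is an added example, not code from the book: the vCenter hostname, the "Dev-VMs" folder, the "LAB\vm-operators" group and the "VM Operator" role name are placeholders to replace with values from your own inventory, and the three privilege IDs added on top of Read-only are an illustrative choice for a VM operator role.

```powershell
# Added example (not from the book). Placeholders: vcsa.example.com, "Dev-VMs", "LAB\vm-operators", "VM Operator".
# Run with an account that holds the Administrator role on the vCenter root object.
Connect-VIServer -Server vcsa.example.com

# 1. Clone the built-in Read-only role by creating a new role with the same privilege list,
#    rather than starting from an empty role and guessing which system privileges are needed.
$baseRole = Get-VIRole -Name "Read-only"
$newRole  = New-VIRole -Name "VM Operator" -Privilege (Get-VIPrivilege -Role $baseRole)

# 2. Add only the privileges this role actually needs (illustrative set; these are real vSphere privilege IDs).
$extra = Get-VIPrivilege -Id @(
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.ConsoleInteract"
)
Set-VIRole -Role $newRole -AddPrivilege $extra | Out-Null

# 3. Assign the role to a group (not a user), scoped to one VM folder, and propagate it to the VMs inside.
$folder = Get-Folder -Name "Dev-VMs" -Type VM
New-VIPermission -Entity $folder -Principal "LAB\vm-operators" -Role $newRole -Propagate:$true

# 4. Review what was granted: effective permission entries on the folder and the role's full privilege list.
Get-VIPermission -Entity $folder | Select-Object Principal, Role, Propagate, IsGroup
Get-VIPrivilege -Role $newRole | Select-Object Id, Name | Sort-Object Id
```

Scoping the permission to a folder rather than to the data center or the global root keeps the grant limited to the objects that group is responsible for, and the final two commands give you the same overview as the USAGE and PRIVILEGES tabs in the client, which is useful when auditing who can do what on a given part of the inventory.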