Roles and permissions

Permissions specify the privileges (the tasks a user can perform) an authenticated user or group has on a specific vCenter Server object and can be assigned at different levels of a hierarchy. For example, you can assign permissions to a cluster object or a data center object. The best practice is to assign only the required permissions, to increase the security and to have a more explicit permissions structure. The use of folders to group objects based on specific permissions makes the vSphere administration simpler.

There are also global permissions that are applied to a global root object to grant the user or group privileges for all objects in all hierarchies. Use global permissions carefully, because you assign permissions to all objects in the inventory.

Roles are a set of permissions you can assign to users to perform specific tasks on inventory objects. There are some default roles predefined on vCenter Server, such as Administrator, Read-only, and No access, which cannot be modified. Other roles, such as network administrator, are defined as sample roles. You can create new roles or clone and modify existing roles. It is advisable to clone an existing role instead of creating a new one from scratch, to avoid potential security issues.

From vSphere 6.5, there is a new role called No cryptography administrator. This role contains the same set of permissions as the Administrator role, except that a user assigned this role is not able to perform any encryption or decryption tasks. The idea is that sometimes you need to ensure that the VMs stay encrypted at all costs, while at the same time your vSphere administrators must still be able to perform any other configuration necessary. For this reason, the No cryptography administrator role was introduced.

You can manage the vCSA roles from the Administration menu. Follow these steps to create a new role or modify an existing one:

  1. To create a new role, select the role you want to start from and click on the clone role action icon.
  2. Specify a role name, add a description (optional), then click OK.
  3. Select the newly created role and click the edit icon to open the Edit Role action.
  4. Enable all the actions the new role should be able to perform, then click Next.
  5. You can modify the role name and the description of the role if necessary. Click Finish to save the role configuration. You can navigate the DESCRIPTION, USAGE, and PRIVILEGES tabs to get an overview of the granted permissions and to which objects the created role has been assigned, as shown in the following screenshot:

Once a role has been defined, you need to assign the role to an authenticated user or group. Where possible, it's recommended to assign permissions to groups instead of users for better and more efficient management.

To assign a role to a user or a group, proceed with the following steps:

  1. From the vSphere Client, select the object you want to assign permissions to and click on the Permissions tab.
  2. Click the add icon button to access the wizard.
  3. Specify the domain to use from the User/Group drop-down menu, then search for or type the user or group name you want to use. The user or group can be a member of localos, SSO domain, AD, or other identity sources.
  4. From the Role drop-down menu, select the role you want to assign to the selected user or group. It is recommended to enable the Propagate to children option to also apply the role to child objects. This propagates the permission not only to the existing child objects, but to any children created later as well.
  5. Click OK to save the settings.
  1. Defined In refers to the object in the hierarchy on which the permission was configured. Let's assume that we have created a permission somewhere within the hierarchy. If you click on any object that is a child of that object, you will see the level at which the permission was configured.
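The two procedures above (clone and extend a role, then assign it to a group on an object with propagation) scripted with VMware PowerCLI, as an added example that is not part of the original text. The vCenter address, folder name, group name, role name and the privilege selection are assumptions for illustration.

```powershell
# Added example (not from the original page): clone a built-in role, extend it, and assign it
# to a group on a VM folder with propagation, using VMware PowerCLI cmdlets.
# Assumptions: vCenter address, folder, group, role name and the privileges chosen for the role.
Connect-VIServer -Server vcsa.example.com -Credential (Get-Credential)

# 1. Clone: start from the built-in Read-only role (API name "ReadOnly") rather than from scratch.
$baseRole  = Get-VIRole -Name "ReadOnly"
$basePrivs = Get-VIPrivilege -Role $baseRole

# 2. Extend the clone with only the privileges the new role needs (least privilege):
#    power operations and console access, nothing that reconfigures the VM or its encryption.
$extraPrivs = Get-VIPrivilege -Id @(
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.ConsoleInteract"
)
$newRole = New-VIRole -Name "VM-Operator" -Privilege ($basePrivs + $extraPrivs)

# 3. Assign the role to a group (not a single user) on a folder, propagating to the folder's
#    existing children and to any VM created in it later.
$folder = Get-Folder -Name "Production-VMs" -Type VM
New-VIPermission -Entity $folder -Principal "VSPHERE.LOCAL\vm-operators" -Role $newRole -Propagate:$true

# 4. Verify from the child's point of view: the Entity of the inherited permission is the folder,
#    which is what the Defined In field shows in the vSphere Client for a VM inside that folder.
Get-VM -Location $folder | Select-Object -First 1 | Get-VIPermission |
    Select-Object Principal, Role, Propagate, Entity
```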