VMware ESX Roles, Permissions & Privileges Explained

While it is normal to login as “administrator” when you are testing VMware ESX Virtual Center and normal to login as root while you are testing VMware ESX Server, as soon as your Virtual Infrastructure moves into production, you will want system administrators login as themselves. In fact, best practices dictate this. Besides providing accountability, having users login as themselves allows you to assign permissions to groups of users to individual users. These permissions would be assigned to objects in the virtual data center, such as entire ESX server, individual guest machines, or other levels on the virtualization management tree. In this article, we will find out how to assign custom roles that can be assigned to your users.

Vmware ESX Permissions

So what is all the “mumbo-jumbo” about? We talked about roles, permissions, and privileges. They all sound about the same, right? Let me help to try to clear up some of this confusion by explaining, each of these:

Let’s explore the Assign Permissions window because it offers uses for all of these terms in a single place. Here it is:


Let’s start with Privileges. Privileges are individual accesses to specific VMware ESX Administrative functions on ESX Servers, Virtual Machines, or other virtual infrastructure objects. For example, the ability to power on, power off, or restart a virtual guest operating system inside Virtual Center are each different privileges you could assign. These privileges get very granular and there are many of them. Here is an example of the top level categories available in Virtual Center as privileges:


VMware ESX Roles

Now, let’s move onto Roles. Roles are groupings of these privileges for easy assignment. There are a number of default roles that are preconfigured groups of various assignments for different purposes. Here are the default routes and i think you will understand how these are used:

  • No access user
  • Read only user
  • Administrator
  • Virtual machine user
  • Virtual machine power user
  • Resource pool admin
  • Datacenter admin
  • Virtual machine admin

As you can see, by using the “Virtual Machine Admin” role, you can very quickly assign the default privileges for a Virtual Machine Admin in just a single click.

Combining VMware ESX Users and Roles to get Permissions

These roles are combined with a user or a group of users, like this:


Once you have the role (made up the of the multiple privileges) combined with the list of Users and Groups, when you click “OK”, you are creating a new Permission.

Since you get no feedback when you apply a new permissions, how do you know that your permission really worked and it is applied? The answer is to go to…

How do you Edit Roles, View Roles, and Create Create Custom Roles?

Once you have added a permission, you will want to know how to edit your roles, view your roles, and create new customer roles. To do this, click on the Admin button and go to the Roles tab, like this:



The more and more you use VMware ESX, the more you will need to assign permissions to various objects (such as new virtual servers) to other administrators and power users. This will mean that you have to understand security so that you can properly secure your VMware ESX Server. Understanding Privileges, Roles, assigning user/group accounts, and combining those to create permissions is a critical skill for any VMware ESX Server administrator. I hope that this article has provides a strong overview of those VMware ESX security features and terms.