Single Sign-On provides authentication, but once a user is authenticated it is vCenter Server that defines the scope of access (authorization). Permissions are defined within the vCenter Server inventory hierarchy and consist of three things:
User/Group: This specifies who has access
Role: This specifies the user or group's privileges
Object: This specifies where the user or group can execute their privileges
A permission exists only when all three of these are defined: a role without a principal and an object grants nothing.
There are three built-in system roles: Administrator, No Access, and Read-Only. Quite a few sample roles have also been created and are available for use. Custom roles may also be created to fit an organization's needs. To create a custom role:
Log into the vSphere Web Client as an administrator.
Navigate to Administration and select Roles under Access Control.
To create a custom role, click on the Add button (+).
The Create Role dialog will appear. Go through and select the desired privileges for the role. The example is called...
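The same three-part permission (user/group, role, object) can be created from a script instead of the vSphere Web Client. The following PowerCLI snippet is an added example, not part of the original text: it builds a least-privilege custom role from explicitly chosen privileges, scopes it to a single VM folder rather than the inventory root, and assigns it to a group. The vCenter host name, role name, folder name, group name and the specific privilege set are assumptions for illustration; the cmdlets (Connect-VIServer, Get-VIPrivilege, New-VIRole, Get-Folder, New-VIPermission, Get-VIPermission) are standard PowerCLI.

```powershell
# Added example (not from the original text). Creates a custom role and a
# permission with PowerCLI. Server, role, folder, principal and privilege
# list below are assumed values; replace them with your own.

# Connect to vCenter (prompts for credentials).
Connect-VIServer -Server vcenter.example.local

# 1. Role: select privileges explicitly. The IDs are the same privilege
#    identifiers shown by Get-VIPrivilege. This assumed set lets a user
#    power VMs on/off and open the console, and nothing else.
$privIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract'
)
$privileges = Get-VIPrivilege -Id $privIds

$roleName = 'VM Operator (custom)'            # assumed role name
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privileges
}

# 2. Object: scope the permission to one VM folder, not the root object,
#    so the privileges apply only where they are needed.
$folder = Get-Folder -Name 'Helpdesk-VMs' -Type VM   # assumed folder

# 3. User/Group: the principal that receives the role on that object.
$principal = 'CORP\vm-operators'                     # assumed AD group

# Permission = principal + role + object. Propagate so VMs inside the
# folder inherit it; objects outside the folder are unaffected.
New-VIPermission -Entity $folder -Principal $principal -Role $role -Propagate:$true

# Verify what was granted on the folder.
Get-VIPermission -Entity $folder |
    Select-Object Principal, Role, Propagate, IsGroup
```

Reviewing the output of the final Get-VIPermission call after every change is a cheap control: it confirms that the permission is attached at the intended object and that no broader entry (for example at the datacenter or root level) grants more than the custom role was meant to.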