As a shared computing platform, vSphere has always had a strong roles and permissions model. This allows administrators who control the physical infrastructure and the virtual infrastructure to delegate levels of access to users. vCenter provides nine default roles that you can assign to users on different vSphere objects. By contrast, an ESXi host only has three default roles: Administrator, Read-Only, and No Access.
What is great about the vSphere permission model is that you can take users or groups (both AD, and from vSphere, SSO) and you can assign them a level of access at a cluster, folder, resource pool, datacenter, or at the vCenter root. The same user or group can have different access at different levels, but permissions assigned at a higher level are inherited through objects at lower levels in the hierarchy.
If you have specific needs, vCenter also exposes the ability to create your own roles using individual vSphere privileges. This allows...