Groups - VMware 4817V62 - vSphere - PC Administration Manual

vSphere Basic System Administration
You manage users defined on the vCenter Server system and users defined on individual hosts separately.
Even if the user lists of a host and a vCenter Server system appear to have common users (for instance, a user
called devuser), these users should be treated as separate users who have the same name. The attributes of
devuser in vCenter Server, including permissions, passwords, and so forth, are separate from the attributes of
devuser on the ESX/ESXi host. If you log in to vCenter Server as devuser, you might have permission to view
and delete files from a datastore. If you log in to an ESX/ESXi host as devuser, you might not have these
permissions.
vCenter Server Users
Authorized users for vCenter Server are those included in the Windows domain list referenced by vCenter
Server or local Windows users on the vCenter Server system. The permissions defined for these users apply
whenever a user connects to vCenter Server.
You cannot use vCenter Server to manually create, remove, or otherwise change vCenter Server users. To
manipulate the user list or change user passwords, use the tools you use to manage your Windows domain or
Active Directory. For more information on creating users and groups for use with vCenter Server, see your
Microsoft documentation.
Any changes you make to the Windows domain are reflected in vCenter Server. Because you cannot directly
manage users in vCenter Server, the user interface does not provide a user list for you to review. You see these
changes only when you select users to configure permissions.
vCenter Servers connected in a Linked Mode group use Active Directory to maintain the list of users, allowing
all vCenter Server systems in the group to share a common set of users.
Host Users
Users authorized to work directly on an ESX/ESXi host are added to the internal user list by default when
ESX/ESXi is installed or by a system administrator after installation.
If you log in to an ESX/ESXi host as root using the vSphere Client, you can use the Users and Groups tab to
perform a variety of management activities for these users. You can add users, remove users, change
passwords, set group membership, and configure permissions.
C See the Authentication and User Management chapter of the ESX Configuration Guide or ESXi
AUTION
Configuration Guide for information about root users and your ESX/ESXi host before you make any changes to
the default users. Mistakes regarding root users can have serious access consequences.
Each ESX/ESXi host has two default users:
The root user has full administrative privileges. Administrators use this log in and its associated password
n
to log in to a host through the vSphere Client. Root users have a complete range of control activities on
the specific host that they are logged on to, including manipulating permissions, creating groups and users
(on ESX/ESXi hosts only), working with events, and so on.
The vpxuser user is a vCenter Server entity with root rights on the ESX/ESXi host, allowing it to manage
n
activities for that host. The vpxuser is created at the time that an ESX/ESXi host is attached to vCenter
Server. It is not present on the ESX host unless the host is being managed through vCenter Server.

Groups

You can efficiently manage some user attributes by creating groups. A group is a set of users that you manage
through a common set of permissions.
A user can be a member of more than one group. When you assign permissions to a group, all users in the
group inherit those permissions. Using groups can significantly reduce the time it takes to set up your
permissions model.
210 VMware, Inc.