VMware vSphere Privileges
- Register VM
- Change virtual machine resource allocations
- Inject a sequence of USB HID scan codes into the keyboard
- Virtual machine power user (sample)
- Virtual machine service configuration
- Export diagnostic data
- Move
- Assign virtual machine to resource pool
- Datastore
- Grants access to unencrypted or cleartext data of encrypted VMs
- Visibility without read access to an entity. This is assigned implicitly by the system, if read privileges are assigned at lower levels in the inventory
- Advanced
- Modifying the alias store in a virtual machine guest operating system
- Profile-driven storage update
- Reconfigure a datacenter
- Modifications in a virtual machine guest operating system
- Encrypt
- Move a virtual machine
- Inventory
- Mark as virtual machine
- Clone a template
- Not logged-in user (cannot be granted)
- Rename resource pool
- Enable/disable hyperthreading
- Terminate the Secondary VM
- Log event
- Policy editor SuperUser
- Impersonate user
- Encrypt newly created VM or disk
- Configure a different media for virtual CD-ROMs
- Rename
- Swapfile placement
- Unregister
- Unlock an encrypted virtual machine
- Clear host profile related information
- View
- Decrypt encrypted VM or disk
- Modify a role's name or privileges
- Assign vApp to resource pool
- Migrate
- Certificates
- Change date and time settings
- Connect or disconnect a host
- Rename a datastore
- Test failover
- Service managers
- Discover and convert physical host to virtual machine
- Record session on virtual machine
- Remove cluster
- Update
- Change the configuration of a distributed switch
- Query vMotion
- Release IP allocation on a network protocol profile in a datacenter
- Make advanced configuration changes
- Delete
- Modify service configuration
- Memory configuration
- Add host to cluster
- Proxy
- Create a host profile
- Enable or disable change tracking for the virtual machine's disks
- vApp instance configuration
- Maintenance
- Mark as template
- Unregister
- Encrypt existing VM or disk
- Settings
- Locker
- Set the scope of a dvPort group
- Remove a scheduled task
- Verify session validity
- Image configuration
- Virtual machine raw device configuration
- Add an encrypted disk to a VM
- Mark a virtual machine as a template
- Register extensions
- Import vApp
- Port setting operation
- Power off
- Rename snapshot
- Reset (power cycle) a virtual machine
- Cryptographic operations
- Querying the alias store in a virtual machine guest operating system
- Acknowledge alarm
- Add or remove a raw disk mapping or SCSI passthrough device
- Access the directory service
- Clone a vApp
- Provisioning
- Remote file management and CIM read/write access
- Rename a virtual machine
- Add a virtual machine to the vApp
- Create
- Export
- Remove a virtual machine
- Log a user-defined event on an object
- Policy
- Edit vApp instance configuration, such as policies and property values
- Cancel a scheduled task if it's running
- Used by the Consolidated Backup utility
- Backup operations on a virtual machine
- Sessions
- Resource pool administrator (sample)
- Profile-driven storage view
- Virtual machine interaction
- Datastore
- Global
- Register extension
- Guest operation queries
- Alarms
- Manage custom attributes
- External stats provider
- Allow virtual machine download
- Operations are enabled in vCenter
- Modify a privilege's group or description
- Clone virtual machine
- Export a host profile
- Virtual machine snapshot management
- Remove
- Delete a dvPort group
- Create a screenshot
- Manage encryption policies
- Inject USB HID scan codes
- Set annotation
- Power off a virtual machine
- vApp application configuration
- Manage replication
- Administrator
- Move cluster or standalone host
- Remove a datacenter
- User account management
- Power off a vApp
- Create from existing
- Service configuration
- Move a datacenter
- Configure a different media for virtual floppies
- Move a vApp
- Certificates
- Update ESX agent host configuration
- Provides virtual machine interaction permissions
- Profile-driven storage
- Folder
- Modify system resource settings
- Troubleshooting
- Storage, host datastore, and diagnostic partition configuration
- Allow use of property collector to receive push notification for pending service notifications
- Host inventory
- Authentication Store
- Manage
- System
- Profile-driven storage update
- Disable actions for an alarm
- Move a host between clusters
- Inventory
- Perform wipe or shrink operations
- Permissions
- Install VMware Tools (or mount/unmount the tools installer image)
- Manage registered libraries
- Scope operation
- Modify the message (seen by all users when logging in)
- Change quarantine mode of a host
- Run task
- Configure a virtual machine for replication
- Update virtual machine metadata on a datastore
- Configure authentication stores
- Edit vApp resource configuration
- Privileges related to vApps
- Change virtual machine settings
- Edit vApp application configuration, such as product info
- Service console memory reservation
- Datacenter administrator (sample)
- Set status for an alarm
- Operations in a virtual machine guest operating system
- Permissions to all inventory objects, but not to global settings
- Edit a scheduled task
- Register encrypted VM
- Deploy template
- No cryptography administrator
- Add host to vCenter
- Host profile
- Rename cluster
- Update virtual rights management policy
- Pause or unpause a virtual machine
- No access
- Power on a vApp
- Reassign the permissions of one role to another
- Profile-driven storage
- Unregister
- Interaction
- Reconfigure a virtual machine
- Direct Access
- Read existing virtual machine service configuration
- Hyperthreading
- Replay session on virtual machine
- Drag and drop
- Toggle virtual machine display connection settings
- Memory
- Modify cluster
- Policy operation
- Migrate an encrypted VM
- Query service configurations
- vSphere Replication configuration
- Power on
- Add existing disk
- Suspend a vApp
- View the OVF environment for a virtual machine
- Create snapshot
- Create a resource pool
- Manage replication
- Clone template
- vSphere Replication
- Compute resource
- Change date and time settings for the host
- Read
- System Management
- Reset guest information
- Create alarm
- Deploy a virtual machine from a template
- Unregister an external stats provider
- Assigned to networks to allow association of virtual machines or hosts with networks
- Edit vApp managedBy configuration
- Report VM stats
- Disable methods
- Apply policies to an entity
- Add, remove, and rename custom attribute definitions
- Reconfigure datacenter
- Remove
- vSphere Replication
- AMQP
- Add virtual machine
- Register host in a cluster with encrypted VMs
- Remove snapshot
- Unregister
- Move a datastore
- Host profile
- Virtual machine user (sample)
- Modify role
- Configure a network protocol profile on a datacenter
- Clone a virtual machine
- Manage user groups
- System resources
- Cryptographic operations
- Modify
- Virtual Rights Management Policy
- Unregister extensions
- Manage replication properties of a virtual machine
- Recrypt
- Clone an encrypted VM
- Add standalone host
- Set alarm status
- Apply
- Set annotation on a virtual machine
- Remove alarm
- Remove file
- Disk lease
- Host configuration
- Impersonate users
- System
- Allow random access to disk files through a separate NFC connection
- Datacenter
- Guest operation alias query
- Create and attach a new virtual disk
- Allow polling of global event notifications
- Create a snapshot
- Allow disk access
- Turn off Fault Tolerance
- Datastore cluster
- Move a network
- View
- Monitor replication of a virtual machine
- Configure a network
- Modify virtual device settings
- Add/Update/Remove/List cryptographic keys
- vSphere Replication operations
- Modify a permission's role or propagation
- Replay session on a virtual machine
- Customize a virtual machine's guest operating system
- Register
- Full access without Cryptographic operations privileges
- Allocate space on a datastore
- Security profile and firewall
- Remove a file from a datastore
- Upgrade virtual machine compatibility
- Create a distributed switch
- Display connection settings
- Create cluster
- Host USB device
- Update extensions
- Reconfigure virtual machine
- Device connection
- Import
- Virtual machine configuration
- VRMPolicy
- Change the configuration of a port in a distributed switch
- vApp resource configuration
- Modify intervals
- Apply recommendation
- Datastore consumer (sample)
- Health
- Modify existing virtual machine service configuration
- Turn off Fault Tolerance for this virtual machine
- Add disk
- Modify a cluster's specification
- Reset guest information variables
- Register host
- Firmware system operations
- Resume Fault Tolerance
- Clone
- Create resource pool
- Modify customization specification
- Read customization specifications
- Move a cluster or standalone host
- Allow virtual machine files upload
- Assigned to datastores to allow creating disks or snapshots
- Change PciPassthru settings for the host
- Allow upload of virtual machine (used by provisioning operations)
- Console interaction
- Connect/disconnect media and network devices
- View
- Migrate powered on virtual machine
- Power on or resume a virtual machine
- Rename folder
- Monitor who is logged in and stop sessions
- Move datastore
- Extensions
- Virtual machine inventory
- CIM
- Virtual machine administrator (sample)
- Modify an alarm
- Register
- Delete folder
- All
- Modify privilege
- Create a dvPort group
- Release IP allocation
- Network administrator (sample)
- Modify the configuration of a dvPort group
- Read customization specifications
- Change the policy of a distributed switch
- CIM interaction
- Consolidate disks
- Virtual Machine console user
- Encrypt new
- Disk change tracking
- Move
- Create template from virtual machine
- Suspend Fault Tolerance
- Assign resource pool
- Unregister a health update provider
- Query host patches
- Rename a snapshot
- Create a template from a virtual machine
- Decrypt
- View
- Establish a remote connection to the AMQP interface. By default, this privilege belongs only to the administrator. This privilege provides complete access to the AMQP service
- Health update provider
- Change the setting of a port in a distributed switch
- Promote a virtual machine's disks
- Reload from path
- Promote disks
- Scheduled task
- Network configuration
- Query vMotion compatibility of a set of hosts
- Manage policies
- dvPort group
- Modify task
- View
- Move host
- Update VRMPolicy
- Global
- Add, remove or edit a virtual USB device backed by a host USB device
- Upgrade virtual machine compatibility
- Move network
- Modify advanced settings for the host
- Host AMQP message bus service
- The only privilege held by sessions which have not logged in
- Change the number of virtual CPUs
- Delete
- Configure datastore
- Virtual machine
- Modify SNMP settings
- Suspend Fault Tolerance for this virtual machine
- Acknowledge an alarm
- Update virtual machine metadata
- Network
- Image library
- Supports delegated resource management
- Diagnostics
- Access the health of vCenter group
- Modify agencies and agents
- Local operations
- Reset
- Rename a datacenter
- Cancel a running task
- Detach and optionally remove a virtual disk
- Manage certificates
- Licenses
- System tag
- Remove host
- Move a distributed switch into another folder
- Troubleshooting
- Change host settings
- Bring the host under vCenter management
- Guest operations
- Remove disk
- Configure a datastore cluster
- Add, remove and update entities managed by this provider
- Configure service
- Manage encryption storage policies
- Running processes in a virtual machine guest operating system
- Query unowned files
- All troubleshooting
- Distributed switch
- Update virtual machine files on a datastore
- Resource
- Configure host locker
- Remove task
- Full access rights
- Run a scheduled task immediately
- Create a cluster along with its initial specification
- Script action
- Create tasks
- Query virtual rights management policy
- Defragment all disks
- Virtual machine autostart configuration
- Manage licenses
- Create a virtual machine without registering it
- Add a host to a cluster
- Configure managedBy
- Global tag
- Remove datacenter
- Add/Update/Remove/List KMS information
- Remove an alarm
- Revert to snapshot
- Modify a resource pool
- Resource allocation
- Register an external stats provider
- Defragment all disks on the virtual machine
- Remove a datastore from the datacenter
- Read-only
- ESX Agent Manager
- Settings
- Create folder
- Policy operation
- Guest operation alias modification
- Change SNMP settings
- Unlock virtual machine
- Guest operation program execution
- Network I/O control operation
- Add an existing virtual machine to the inventory
- Set the value of a custom attribute on an object
- Clone
- View OVF environment
- Allow access to files through a separate NFC connection
- Update task
- Create folder
- Configure floppy media
- Monitor replication
- Lease disks for disk manager
- Configure a datastore cluster
- Suspend
- Create a task
- Change settings
- Unregister extension
- Set the placement policy for a single virtual machine's swapfile
- Migrate a powered on virtual machine
- Rename cluster
- Configure a datastore
- Remove resource pool
- Datastore cluster
- Move folder
- Manage keys
- Resume Fault Tolerance for this virtual machine
- Allow file access
- Virtual machine
- Allow download of virtual machines (used by provisioning operations)
- Configure internet services and firewall
- Extend virtual disk
- Manage certificates
- Create
- Perform wipe or shrink operations on Flex-SE disks
- Rename
- Create new
- Performance
- Delete virtual machine
- Check if a virtual machine is compatible for Fault Tolerance
- Storage views
- Firmware
- Remove a host
- Add a standalone host
- External stats provider
- Scheduled task
- Rename a resource pool
- Allocate space
- Allow read-only random access to disk files through a separate NFC connection
- Interact with the virtual machine console
- Delete an unregistered virtual machine
- Modify
- Cancel task
- Power on
- View a host profile
- Low level file operations
- Change the host member of a distributed switch
- Extend virtual disk
- Image library
- Power system operations
- Turn on Fault Tolerance
- Update
- Queries in a virtual machine guest operating system
- Add new disk
- Create a new virtual machine or template
- Distributed switch
- Create
- Configure
- Move resource pool
- Make a snapshot current
- Policy
- Host
- Change resource
- Grants read access to an entity
- Extension
- Set custom attribute
- Virtual machine provisioning
- Browse datastore
- Provides virtual machine console interaction permissions. This role is required for VMRC sessions. Exercise caution when altering/removing this role from vCenter Server.
- Backup operation on virtual machine
- Suspend a virtual machine
- Enable methods
- Make the Secondary VM the Primary VM
- Assign a vApp to another vApp
- Raw device
- Rename datastore
- Remove a resource pool
- Power
- Create a scheduled task
- View agencies and agents
- Export
- Health update provider
- Capacity planning
- Assign network to virtual machine, host service console, VMkernel virtual NIC or physical NIC
- Tasks
- Config
- Apply a DRS vMotion recommendation
- Update extension
- Message
- Remove a cluster or standalone host
- Migrate a powered off virtual machine
- Test restart Secondary VM
- See details of objects, but not make changes
- Browse a datastore
- Host
- Rename a vApp
- Profile-driven storage view
- Assign network
- Tasks
- Power off
- VMware Consolidated Backup user (sample)
- VMware Tools install
- Folder
- Move a resource pool
- Add or update network I/O control resource pools
- Edit a host profile
- Change PciPassthru settings
- Modify alarm
- All rights except permissions (same as VirtualCenter 1.x)
- Guest operating system management by VIX API
- Advanced settings
- Allow generating and consuming service notifications
- Modify
- Networks
- Operations are disabled in vCenter
- Perform management operations within the guest operating system via the VIX API
- Move
- Remove datastore
- Enable and disable maintenance mode
- Migrate powered off virtual machine
- Query VRMPolicy
- Modify device settings
- Pause or Unpause
- Create virtual machine
- Read service configuration
- ESX Agent Manager
- Edit
- Virtual machine autostart configuration
- Update a task
- Re-encrypt an encrypted VM or disk with another key
- Datacenter
- Manage service configurations
- Assign a vApp to a resource pool
- Used for restricting granted access
- Port configuration operation
- Modify resource pool
- Clear
- Register a health update provider
- Establish a remote connection to a CIM interface. By default, this privilege belongs only to the administrator. This privilege provides SuperUser level access to the CIM service
- Storage views
- Anonymous
- Create an alarm
- Edit or delete any policy even if not a policy editor
- Perform low level file operations on a datastore
- Delete a distributed switch
- Query Fault Tolerance compatibility
- dvPort groups
- Provides virtual machine interaction and configuration permissions
- Performance
- Manage replication of virtual machines
- Unregister a vApp
- Move datacenter
- Set the amount of virtual machine memory
- Drag files between a virtual machine and a remote client
- Add or remove global tag
- Configure managedBy on a virtual machine
- Change image configuration settings
- Cancel task
- Alarms
- Sessions
- Add or remove virtual devices
- Compute resource
- Record session on a virtual machine
- Edit global settings
- Schedule an external script action
- Act as vCenter Server
- View and stop sessions
- Snapshot management
- Rename folder
- Act as the vCenter Server
- Toggle fork parent
- Answer a virtual machine run-time question
- Add or remove device
- Create datacenter
- Create task
- View
- Network protocol profile configuration
- Query IP pool allocation on a network protocol profile in a datacenter
- Create, edit or delete customization specifications
- Query virtual machine service configurations
- Change CPU count
- AMQP interaction
- Move folder
- Assign vApp
- Manage KMS
- Create a virtual machine based on an existing virtual machine or template
- Export vApp
- Remove a network
- Host local operations
- Configure replication
- Add/remove raw device
- Remove a snapshot
- Delete
- Unregister a virtual machine
- Storage partition configuration
- Allows changing server configuration such as the reports update interval and database connectivity information
- Delete a host profile
- Reload Virtual Machine from new configuration path
- Guest operation modifications
- Query IP pool allocation
- Query patch
- Create a datacenter
- Set the policy of a dvPort group
- Mark a template as a virtual machine
- Configuration
- Consolidate disks which have unnecessary delta disk backings
- Suspend
- Create, modify, or delete policies
- Answer question
- Configure CD media
- Connection
- Add or remove endpoints to or from the proxy
- Manage virtual machine service configurations
- Rename datacenter
- Turn on Fault Tolerance for this virtual machine
- Permissions
- Network configuration
- Configuration
- Browse for and attach an existing virtual disk
- Delete
- Allow read-only disk access
- Customize
- Visibility access (cannot be granted)
- Change the distributed port mirroring configuration of a distributed switch
- Allow notifications
- Create
- VSPAN operation
- Modify permission
- Update virtual machine files
- Delete folder
- Enable or disable a vmfork parent
- Register
- Host operation
- Reassign role permissions
- Assign a virtual machine to a resource pool
- Create screenshot
- Create a new vApp
- Disable alarm action
- Assign resource pool to vApp
- Quarantine
- vApp managedBy configuration
- Query unowned files
- Validate session
- Modify historical intervals
- Delete a vApp
- Anonymous
- Add or remove system tag