Stay organized with collections
Save and categorize content based on your preferences.
Managing vSphere permissions
Some tasks in vSphere require users to have certain permissions in order to
complete successfully. When you create a private cloud, VMware Engine
performs an initial setup of vSphere permissions
for your ease of management. This document provides you with guidance on further
managing permissions in vSphere.
Before you begin
To manage vSphere permissions for your private cloud, you must first
elevate your privileges. Elevating your privileges
through VMware Engine gives you the ability to perform administrative functions
in vSphere.
Managing vCenter user groups
Users in the Cloud-Owner-Group group can administer various parts of the
vSphere environment in the private cloud. The Cloud-Owner-Group group is
automatically given Cloud-Owner-Role privileges, and the CloudOwner user
is added as a member of this group.
Google creates additional groups with limited privileges for ease of management.
You can add any user to these pre-created groups, and this process assigns the
corresponding privileges to the user.
Granting management permission to individual users
To grant an individual user permissions to manage the private cloud, create a
user account and add it to the appropriate groups:
Cloud-Owner-Group
Cloud-Global-Cluster-Admin-Group
Cloud-Global-Storage-Admin-Group
Cloud-Global-Network-Admin-Group
Cloud-Global-VM-Admin-Group
Creating new user groups
You can create additional user groups to enable access control for vCenter
users. However, new user groups must have permissions that are lower than
Cloud-Owner-Role. Groups with permissions higher than Cloud-Owner-Role
are automatically reset to Cloud-Owner-Role.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Managing vSphere permissions\n============================\n\nSome tasks in vSphere require users to have certain permissions in order to\ncomplete successfully. When you create a private cloud, VMware Engine\nperforms an [initial setup of vSphere permissions](/vmware-engine/docs/concepts-permission-model)\nfor your ease of management. This document provides you with guidance on further\nmanaging permissions in vSphere.\n\nBefore you begin\n----------------\n\nTo manage vSphere permissions for your private cloud, you must first\n[elevate your privileges](/vmware-engine/docs/private-clouds/howto-elevate-privilege). Elevating your privileges\nthrough VMware Engine gives you the ability to perform administrative functions\nin vSphere.\n\nManaging vCenter user groups\n----------------------------\n\nUsers in the `Cloud-Owner-Group` group can administer various parts of the\nvSphere environment in the private cloud. The `Cloud-Owner-Group` group is\nautomatically given `Cloud-Owner-Role` privileges, and the `CloudOwner` user\nis added as a member of this group.\n\nGoogle creates additional groups with limited privileges for ease of management.\nYou can add any user to these pre-created groups, and this process assigns the\ncorresponding privileges to the user.\n\nFor a full list of pre-created vCenter user groups and their associated vCenter\nprivileges, see\n[Private cloud VMware vCenter permission model](/vmware-engine/docs/concepts-permission-model).\n\n### Granting management permission to individual users\n\nTo grant an individual user permissions to manage the private cloud, create a\nuser account and add it to the appropriate groups:\n\n- `Cloud-Owner-Group`\n- `Cloud-Global-Cluster-Admin-Group`\n- `Cloud-Global-Storage-Admin-Group`\n- `Cloud-Global-Network-Admin-Group`\n- `Cloud-Global-VM-Admin-Group`\n\n| **Warning:** Users added to the **Administrators** group are removed automatically. The **Administrators** group must contain only service accounts.\n\n### Creating new user groups\n\nYou can create additional user groups to enable access control for vCenter\nusers. However, new user groups must have permissions that are lower than\n`Cloud-Owner-Role`. Groups with permissions higher than `Cloud-Owner-Role`\nare automatically reset to `Cloud-Owner-Role`.\n\nWhat's next\n-----------\n\n- Learn how to [set up vCenter identity sources](/vmware-engine/docs/vmware-platform/howto-identity-sources).\n- Learn about the [private cloud vSphere permission model](/vmware-engine/docs/concepts-permission-model)."]]
