The vCenter Server recognizes permissions, not privileges. Each vCenter Server permission consists of three components.
These components are the following:
- Privileges, which define the tasks that a user can perform.
- The object, which is the target for the tasks.
- The user or group, which defines who can perform the task.
As the following diagram illustrates, you must have all three elements in order to have a permission.
From the perspective of working with Virtual Storage Console for VMware vSphere, there are two kinds of privileges:
- Native vCenter Server privileges, which come with the vCenter Server.
- VSC-specific privileges, which were defined for specific VSC tasks and are unique to VSC.
VSC tasks require both VSC-specific privileges and vCenter Server native privileges. These privileges make up the "role" for the user. A permission can have multiple privileges.
If you change the privileges within a permission, the user associated with that permission should log out and then log back in to enable the updated permission.
Permissions are associated with vSphere objects, such as the vCenter Server, ESXi hosts, virtual machines, datastores, datacenters, and folders. You can assign permissions to any vSphere object. Based on the permission assigned to a vSphere object, the vCenter Server determines who can perform which tasks on that object.
You can use Active Directory (or the local vCenter Server machine) to set up users and groups of users. You can then use vCenter Server permissions to grant access to these users or groups to enable them to perform specific VSC tasks.
Users and groups do not have roles assigned to them. They gain access to a role by being part of a vCenter Server permission.
You can assign only one permission to a vCenter user or group. You can, however, set up high-level groups and assign a single user to multiple groups. Doing that allows the user to have all the permissions provided by the different groups. In addition, using groups simplifies the management of permissions by eliminating the need to set up the same permission multiple times for individual users.
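The rules above (a permission is a role's privileges on one object for one user or group; users get a role only through a permission; a user in several groups holds the union of the groups' permissions; and a changed role takes effect only after the user logs out and back in) can be checked against a small model. The following is an added, constructed example written for this page; it is not NetApp VSC or VMware code and does not talk to a vCenter Server. The role, group, user, object and VSC-style privilege names are made up (the `VSC.Example.Task` privilege is a placeholder, not a real VSC privilege), and the snapshot-at-login behaviour of `login` is the model's own simplification of the re-login requirement described above.

```python
"""Constructed model of the vCenter Server permission model: role + object + principal."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One permission: a role (its privileges) on one object for one user or group."""
    obj: str        # vSphere object such as a datastore or datacenter
    principal: str  # user or group name
    role: str       # role name; the role carries the privileges


class Directory:
    """Stand-in for Active Directory or local vCenter users: group membership only."""

    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = {}

    def add_member(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def principals_for(self, user: str) -> set[str]:
        """The user itself plus every group that contains the user."""
        return {user} | {g for g, m in self.groups.items() if user in m}


class VCenter:
    def __init__(self, directory: Directory) -> None:
        self.directory = directory
        self.roles: dict[str, set[str]] = {}   # role name -> privileges
        self.permissions: set[Permission] = set()

    def define_role(self, name: str, privileges: set[str]) -> None:
        # Native and VSC-specific privileges are mixed freely in one role.
        self.roles[name] = set(privileges)

    def assign(self, obj: str, principal: str, role: str) -> None:
        """Create a permission; a principal holds at most one permission per object."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.permissions = {p for p in self.permissions
                            if not (p.obj == obj and p.principal == principal)}
        self.permissions.add(Permission(obj, principal, role))

    def effective_privileges(self, user: str, obj: str) -> set[str]:
        """Union of the privileges of every permission on obj held by the user or the user's groups."""
        principals = self.directory.principals_for(user)
        privs: set[str] = set()
        for p in self.permissions:
            if p.obj == obj and p.principal in principals:
                privs |= self.roles[p.role]
        return privs

    def login(self, user: str, obj: str) -> frozenset[str]:
        """A session keeps the privileges it had at login until the user logs in again."""
        return frozenset(self.effective_privileges(user, obj))


def demo() -> dict[str, bool]:
    """Walk through the page's rules on constructed data; returns each check's result."""
    ad = Directory()
    ad.add_member("vsc-operators", "alice")
    ad.add_member("datastore-admins", "alice")
    ad.add_member("vsc-operators", "bob")

    vc = VCenter(ad)
    # "VSC.Example.Task" is a made-up placeholder standing in for a VSC-specific privilege.
    vc.define_role("VSC Operator", {"Datastore.Browse", "VSC.Example.Task"})
    vc.define_role("Datastore Admin", {"Datastore.Browse", "Datastore.Delete"})
    vc.assign("datastore-01", "vsc-operators", "VSC Operator")
    vc.assign("datastore-01", "datastore-admins", "Datastore Admin")

    alice_session = vc.login("alice", "datastore-01")
    bob_session = vc.login("bob", "datastore-01")
    # Remove the VSC privilege from the role while both users are logged in.
    vc.roles["VSC Operator"].discard("VSC.Example.Task")
    bob_relogged = vc.login("bob", "datastore-01")

    return {
        # alice is in two groups, so she holds the union of both roles' privileges
        "alice_union": {"VSC.Example.Task", "Datastore.Delete"} <= alice_session,
        # bob is only in vsc-operators: nothing from the Datastore Admin role
        "bob_no_delete": "Datastore.Delete" not in bob_session,
        # no permission on another object means no privileges there at all
        "no_object_no_privilege": not vc.effective_privileges("alice", "datastore-02"),
        # the privilege was removed from the role, but bob's open session still has it
        "stale_until_relogin": "VSC.Example.Task" in bob_session,
        # after logging back in the updated role takes effect
        "fresh_after_relogin": "VSC.Example.Task" not in bob_relogged,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The `stale_until_relogin` check is the one worth remembering when you tighten a role: in this model, as on the page, a user whose privileges were reduced keeps the old set until the session is re-established, so a privilege change is not complete until the affected users have logged out and back in.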