Managing vSphere Local Users across vCenter and ESXi Hosts

Greetings VMware Experts,

I have created a vsphere local user and assigned him a custom role using vCenter Web Client.

I noticed that I could not access vCenter via vSphere Client using these credentials.
Following that, I logged in to vCenter via vSphere Client as Admin and I created a Permission for that User.

Q1) Is this normal? Since I created that user after logging to vCenter via Web Client?

Q2) Should I also create a permission for every ESXi Host?

Q3) If I do not create permissions on the Hosts, I assume that the user will still have access to
vCenter, but in case vCenter is down for some reason that user will also be locked out, correct??
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Do you have Active Directory and a Domain ?

Usually you would create an Active Directory Global Group, we will call it vCenter Administrators, and you would then add Active Directory users to this group.

You would then assign this Group the Administrator Role, and add this Permission to the ROOT of the vCenter Datacenter.

No requirement to add individual users to each ESXi host.
mamelas (Author) commented:
Dear Andrew,

Your above mentioned procedure is for Domain Users.

In case that I want to create a local user* that has access only to the vsphere infrastructure are Q1, Q2 and Q3 correct??

(*one reason would be, for example, to prevent that user from accessing the Shares that the Domain Users have access to)
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
If you do not have a Domain, same thing but create a Local User group, and repeat the same.
mamelas (Author) commented:
Well I am actually confused....

For a vsphere LOCAL user should I:

1) create a user and assign to group and role on vCenter via Web Client
2) add permission and role to that user on vCenter via vSphere Client
3) add permission and role to that user on every ESXi host via vSphere Client

Are all the above steps correct and required for a "user@vsphere.local" to access vCenter, the vSphere Web Client and the hosts??
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Okay, let's forget vCenter and vSphere for the moment.

Create Users on the Local Server.

Create a Group on the Local Server.

Did you add the Local Server as an Identity to SSO ?
mamelas (Author) commented:

I am not sure if the Hosts have Identity SSO but under vCenter in order to create a local user I select the Roles and I create the user under SSO...
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Well you could do it, that way.
mamelas (Author) commented:
Well, could you please post the typical / recommended
steps required for creating a Local user and giving access to vCenter and hosts??

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Have you created your Server users, on the local server ?

this is the document

Add a vCenter Single Sign-On Identity Source - Page 27, adding LocalOS
Use this option to add the local operating system as an identity source

Then users, that you have created on the local computer, can then access....

you will then define roles for those users, and add those users associated with the roles, to permissions on the Objects in vCenter Server.

Page 57 discusses Roles, Users and Permissions.

mamelas (Author) commented:
This is one I was looking for! thank you for your patience.

Please clarify the following for me:

If I create an SSO on vCenter via Web Client, with the name "testuser@vsphere.local" and give read-only access, that user will have access to the Virtual Infrastructure.

I noticed that I couldn't log in to vCenter via vSphere Client using "testuser@vsphere.local". I had to log in as Admin and create a permission for that user on the Permissions tab... Is this the correct procedure??

At this point, if I don't give permissions to the hosts, I assume that "testuser@vsphere.local" will still be able to log in to vCenter only, provided that vCenter runs smoothly and is on. Right??
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Okay, usually you would use Active Directory or Local Computer users.

vsphere.local is another identity source, such as Administrator@vsphere.local, which is the super user.

By Default this user has access, Administrator@vsphere.local, and it will then add the correct permissions to objects.

You grant permissions at the vCenter Object.
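The procedure Andrew describes (define a role, then grant that role to the SSO user as a permission on the vCenter root object) can be scripted and audited with PowerCLI. This is an added example, not code from the thread or from VMware; the vCenter name, the principal `VSPHERE.LOCAL\testuser` and the role name are placeholders to adjust.

```powershell
# Added example (not from the thread): grant a least-privilege, read-only custom role
# to an SSO user at the vCenter root object, then audit what is granted there.
# Assumes VMware PowerCLI is installed and the SSO user already exists (created in
# the Web Client under vsphere.local, as described above).

$vCenter   = 'vcenter.example.internal'   # placeholder vCenter FQDN
$Principal = 'VSPHERE.LOCAL\testuser'     # placeholder SSO user, DOMAIN\user form
$RoleName  = 'InfraReadOnly'              # placeholder custom role name

Connect-VIServer -Server $vCenter | Out-Null

# Build the custom role from explicit privilege IDs instead of cloning Administrator.
# These three are the privileges that make up the built-in Read-only role.
$privIds = @('System.Anonymous', 'System.View', 'System.Read')
$privs   = Get-VIPrivilege -Id $privIds
$role    = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $privs
}

# Permissions are attached to inventory objects; the root folder is the vCenter
# object itself. Propagate so the user can read the whole inventory below it.
$root = Get-Folder -NoRecursion
$existing = Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate $true | Out-Null
}

# Audit: list every permission granted at the root so unexpected principals or
# over-broad roles (e.g. Administrator on a test account) stand out.
Get-VIPermission -Entity $root |
    Select-Object Principal, Role, Propagate, IsGroup |
    Format-Table -AutoSize

# This permission is stored in vCenter. An ESXi host keeps its own permission list
# and does not consult vCenter SSO, so a vsphere.local user cannot log in to a host
# directly when vCenter is unavailable.
Disconnect-VIServer -Server $vCenter -Confirm:$false
```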
mamelas (Author) commented:
Thanks Andrew!