Single Sign-On provides authentication, but once a user is authenticated, vCenter Server defines the scope of access. Permissions are defined within the vCenter Server inventory hierarchy and consist of three things:
In order to have permissions, all three of these must be defined.
There are three built-in roles: Administrator, No Access, and Read-Only. Quite a few sample roles have also been created and are available for use. Custom roles may also be created to fit an organization's needs. To create a custom role: