I have created a local user using the SHELL, gave it a password and then added it to the Read Only admin group using the UI. I'm a bit clueless as to why the permissions are not being applied though, as I can't log in using that user.
You didn't provide any details about your environment, but as far as I read I can assume that you're experimenting, thus you have one ESXi host with one vCenter Server VM or appliance on it.
I have created a local user using the SHELL...
Do you mean that you created an account on the ESXi host using SSH?
These accounts are not used for authentication on the vCenter Server.
If you log in to the web client of the ESXi host, the credentials you created will probably work.
But what you probably meant to do was to create a user for vCenter Server web client login, and thus you want to look into the vCenter Single Sign-On feature.
By default when you deploy the vCenter Server, either as appliance or as application, you are prompted to insert a password for the account administrator@vsphere.local. vSphere.local is the vCenter Single Sign-On default domain; the administrator part is the default admin user for this domain. This is the user you need for the first login to the vCenter Server web client in order to administer ANY host you added or will add to your VMware virtualization environment.
The ESXi host(s) will keep their own accounts separate, and changing root or any other user's account on the ESXi host won't affect its connectivity with the vCenter Server.
Just to point you in the right direction, you have to log in with administrator@vsphere.local to the vCenter Server web client and create your users at:
Home > Administration > Single Sign-On > Users and Groups
On the Users tab, click the new user icon. Reference
Or consider looking into Single Sign-on identity sources. You may add an AD domain and automatically authorize the "sysadmins" AD group to do anything, and give RO role to "juniorsysadmins", for instance.
As it looks like you're still in a pre-production stage, please consider taking a deeper look at the following resources:
vSphere Security
vSphere 6.5 Security Configuration Guide
They might turn out to be very useful if you're in the public network or if your env requires more than a minimum layer of security.