By default, the SSO-Domain\Administrators (vsphere.local\Administrators) group is assigned an Administrator role on the vCenter and is defined as a Global Permission. This means that if there were to be more than one vCenter in an Enhanced Linked Mode configuration, then the vsphere\Administrators group will have Administrator role permissions on all the connected vCenters.
The only member of the vsphere.local\Administators group is the SSO administrator ([email protected]). Users from other identity sources can be added as members of this group if you so desire.
However, in most environments, although multiple vCenters will be managed under a single ELM umbrella, you will sometimes need to provide vCenter-specific permissions. For instance, if you manage multiple vCenters belonging to different customers, then assigning global permissions is not considered ideal. In such cases, you will need to provide user access to specific vCenters only.
In this recipe, we will learn how to assign vCenter permissions to an Active Directory user/group.