Creating local SSO users and permissions within VMware VCSA 6.x

If you do not use an identity source such as LDAP or Active Directory, you can still create user accounts in the SSO domain and assign them different roles within the vCenter Server.

For example, if you are not using an identity source but need a read-only server account, you can use the following steps to create an SSO user and then assign the read-only role:

  • Log in to the PSC (this is the same IP as your VC if you are using the embedded PSC). The URL is in this format: https://PSC-HOSTNAME/psc
  • Navigate to Users and Groups
  • Select the vsphere.local domain (or the SSO domain you created on install)
  • Press Add and enter the user’s details
  • Log in to the vSphere Web Client
  • Go to Home > Hosts and Clusters
  • Select the object you want to assign the permissions to. Generally this is the vCenter Server at the top node
  • Click the Permissions tab
  • Select the Plus Icon
  • On the left panel, press Add
  • Set the domain to vsphere.local (or the SSO domain you defined at install)
  • Select your new user
  • Press Add and OK
  • Change Administrator on the right panel to the role you want to assign to the user
  • Press OK and you are done.
  • Log out of the Web Client and log in as your new user
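
The permission steps above can also be scripted and then audited. The following PowerCLI sketch is an added example, not part of the original post: it assigns the built-in ReadOnly role at the top node and then lists every permission the account holds so you can confirm it has nothing beyond read-only. It assumes VMware PowerCLI is installed and that the SSO user already exists; the hostname vcsa.example.local and the account name svc-readonly are placeholders.

```powershell
# Added example. Placeholders (not from the original post):
$vCenter   = 'vcsa.example.local'          # hypothetical vCenter hostname
$principal = 'VSPHERE.LOCAL\svc-readonly'  # hypothetical SSO user created in the PSC

# Prompt for an administrator credential instead of hard-coding one
Connect-VIServer -Server $vCenter -Credential (Get-Credential) | Out-Null

try {
    # The root inventory folder corresponds to the vCenter Server top node
    $root = Get-Folder -NoRecursion
    $role = Get-VIRole -Name 'ReadOnly'

    # Assign the role only if the account has no permission on the root yet
    $existing = Get-VIPermission -Entity $root -Principal $principal `
                    -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VIPermission -Entity $root -Principal $principal `
            -Role $role -Propagate:$true | Out-Null
    }

    # Audit: list every permission held by the account across the inventory
    $perms = Get-VIPermission -Principal $principal
    $perms | Select-Object Entity, Role, Propagate | Format-Table -AutoSize

    # Flag anything that grants more than read-only access
    $unexpected = $perms | Where-Object { $_.Role -ne 'ReadOnly' }
    if ($unexpected) {
        Write-Warning "$principal holds roles other than ReadOnly:"
        $unexpected | Select-Object Entity, Role | Format-Table -AutoSize
    }
    else {
        Write-Output "$principal is limited to ReadOnly."
    }
}
finally {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
}
```

The audit only covers permissions granted directly to the user; roles inherited through SSO group membership need to be checked separately.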
