Question 1
Which two roles can be modified? (Choose two.) A. Administrator
B. Network Administrator
C. Datastore Consumer
D. Read-Only
Answer B, C
Three of the pre-established roles are permanent, meaning that the privileges associated with that role cannot be modified. These permanent roles are available to a stand-alone ESX or ESXi server, or to vCenter Server. The remaining eight are sample roles which can be modified as needed. These eight roles are exclusive to vCenter Server.
Below are the pre-established roles:
- No Access: A permanent role that is assigned to new users and groups. Prevents a user or group from viewing or making changes to an object
- Read-Only: A permanent role that allows users to check the state of an object or view its details, but not make changes to it
- Administrator: A permanent role that enables a user complete access to all of the objects on the server. The root user is assigned this role by default, as are all of the users who are part of the local Windows Administrators group associated with vCenter Server. At least one user must have administrative permissions in VMware.
- Virtual Machine Administrator: A sample role that allows a user complete and total control of a virtual machine or a host, up to and including removing that VM or host
- Virtual Machine Power User: A sample role that grants a user access rights only to virtual machines; can alter the virtual hardware or create snapshots of the VM

VMware 2V0-621
- Virtual Machine User: Grants user access rights exclusively to VMs. The user can power on, power off, and reset the virtual machine, as well as run media from the virtual discs.
- Resource Pool Administrator: Allows the user to create resource pools (RAM and CPU reserved for use) and assign these pools to virtual machines
- Datacenter Administrator: Permits a user to add new datacenter objects
- VMware Consolidated Backup User: Required to allow VMware Consolidated Backup to run - Datastore Consumer: Allows the user to consume space on a datastore
- Network Consumer: Allows the user to assign a network to a virtual machine or a host Reference:
Question 2
An administrator with global administrator privileges creates a custom role but fails to assign any privileges to it.
Which two privileges would the custom role have? (Choose two.) A. System.View
B. System.Anonymous
C. System.User
D. System.ReadOnly
Answer A, B
When you add a custom role and do not assign any privileges to it, the role is created as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read.
Reference: 2FGUID-5ACE7CFA-75EC-4EF3-95E7-19962D76225E.html
Question 3
An object has inherited permissions from two parent objects.
What is true about the permissions on the object?
A. The common permissions between the two are applied and the rest are discarded. B. The permissions are combined from both parent objects.
C. No permissions are applied from the parent objects.
VMware 2V0-621
D. The permission is randomly selected from either of the two parent objects.
Answer B
If an object inherits permissions from two parent objects, the permissions on one object are added to the permissions on the other object. For example, if a virtual machine is in a virtual machine folder and also belongs to a resource pool, that virtual machine inherits all permission settings from both the virtual machine folder and the resource pool.
Reference: 72EE3449-79FD-4E7A-B164-26904958540F.html
Question 4
Which three Authorization types are valid in vSphere? (Choose three.) A. Group Membership in vsphere.local
B. Global
C. Forest
D. vCenter Server
E. Group Membership in system-domain
Answer A, B, D
The primary way of authorizing a user or group in vSphere is the vCenter Server permissions. Depending on the task you want to perform, you might require other authorization.
vSphere 6.0 and later allows privileged users to give other users permissions to perform tasks in the following ways. These approaches are, for the most part, mutually exclusive; however, you can assign use global permissions to authorize certain users for all solution, and local vCenter Server permissions to authorize other users for individual vCenter Server systems.
- Reference: 74F53189-EF41-4AC1-A78E-D25621855800.html
Global Permissions
Groups in the vsphere.local Domain
Question 5
An administrator has configured three vCenter Servers and vRealize Orchestrator within a Platform Services Controller domain, and needs to grant a user privileges that span all environments.

VMware 2V0-621
Which statement best describes how the administrator would accomplish this? A. Assign a Global Permission to the user.
B. Assign a vCenter Permission to the user.
C. Assign vsphere.local membership to the user.
D. Assign an ESXi Permission to the user.
Answer A
Global Permissions
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.
Each solution has a root object in its own object hierarchy. The global root object acts as a parent object to each solution object. You can assign global permissions to users or groups, and decide on the role for each user or group. The role determines the set of privileges. You can assign a predefined role or create custom roles. See Using Roles to Assign Privileges. It is important to distinguish between vCenter
Server permissions and global permissions.
- Reference: C7702E31-1623-4189-89CB-E1136AA27972.html
Question 6
In which two vsphere.local groups should an administrator avoid adding members? (Choose two.) A. SolutionUsers
B. Administrators
C. DCAdmins
D. ExternalPDUsers
Answer A, B
- Reference: 87DA2F34-DCC9-4DAB-8900-1BA35837D07E.html

VMware 2V0-621
Question 7
Which three services can be enabled/disabled in the Security Profile for an ESXi host? (Choose three.) A. CIM Server
B. Single Sign-On
C. Direct Console UI
D. Syslog Server
E. vSphere Web Access
Answer A, C, D
- Reference: 37AB1F95-DDFD-4A5D-BD49-3249386FFADE.html
Question 8
Which Advanced Setting should be created for the vCenter Server to change the expiration policy of the vpxuser password?
A. VimPasswordExpirationInDays B. VimExpirationPasswordDays C. VimPassExpirationInDays
D. VimPasswordRefreshDays
Answer A
- Reference: 96210743-0C17-4AE9-89FC-76778EC9D06E.html
Question 9
An administrator has been instructed to secure existing virtual machines in vCenter Server.
Which two actions should the administrator take to secure these virtual machines? (Choose two.)

VMware 2V0-621
A. Disable native remote management services
B. Restrict Remote Console access
C. Use Independent Non-Persistent virtual disks
D. Prevent use of Independent Non-Persistent virtual disks
Answer B, D
- Reference:
Question 10
Which two are valid Identity Sources when configuring vCenter Single Sign-On? (Choose two.) A. Radius
D. LocalOS
Answer C, D
- Reference: B23B1360-8838-4FF2-B074-71643C4CB040.html
Would you like to see more? Don't miss our 2V0-621 PDF file at: