A) Explanation: Authentication and authorization govern access.vCenter Single Sign-Onsupports authentication, which means it determines whether a user can access vSphere components at all. Each user must also be authorized to view or manipulate vSphere objects. vSphere supports several different authorization mechanisms, discussed inUnderstanding Authorization in vSphere. The focus of the information in this section is how thevCenter Serverpermission model works and how to perform user management tasks. vCenter Serverallows fine-grained control over authorization with permissions and roles. When you assign a permission to an object in thevCenter Serverobject hierarchy, you specify which user or group has which privileges on that object. To specify the privileges, you use roles, which are sets of privileges. Initially, only the administrator user for the vCenter Single Sign-On domain, administrator@vsphere.local by default, is authorized to log in to thevCenter Serversystem. That user can then proceed as follows: Add an identity source in which users and groups are defined tovCenter Single Sign-On. See thePlatform Services Controller Administrationdocumentation. Give privileges to a user or group by selecting an object such as a virtual machine or avCenter Serversystem and assigning a role on that object for the user or group.