diff --git a/docs/user/vsphere/privileges.md b/docs/user/vsphere/privileges.md index 43ac92d7782..cfd23789d90 100644 --- a/docs/user/vsphere/privileges.md +++ b/docs/user/vsphere/privileges.md @@ -7,14 +7,14 @@ If the provided user has global admin privileges, no further action for permissi The tables below describe the absolute minimal set of privileges to install and run OpenShift including Machine management and the vSphere Storage provider. -### Fundamental Privileges +### Fundamental (minimum) Privileges -These privileges are necessary for OpenShift clusters on vSphere and are sufficient to install into an existing virtual machine folder. The privileges in the next section are necessary for the installer to provision a folder, which is the default behavior if no folder is specified in the install config. +These privileges are necessary for OpenShift clusters on vSphere and are sufficient to install into an existing virtual machine folder and an existing resource pool. The privileges in the next section are necessary for the installer to provision a folder, which is the default behavior if no folder is specified in the install config. The priviliges in the third section are necessary for the installer to create VMs in the root of the cluster, which is the default behavior if no resource pool is specified in the install config. Role Name | vSphere object | Privilege Set --- | --- | --- openshift-vcenter-level | vSphere vCenter | Cns.Searchable
InventoryService.Tagging.AttachTag
InventoryService.Tagging.CreateCategory
InventoryService.Tagging.CreateTag
InventoryService.Tagging.DeleteCategory
InventoryService.Tagging.DeleteTag
InventoryService.Tagging.EditCategory
InventoryService.Tagging.EditTag
Sessions.ValidateSession
StorageProfile.View -openshift-cluster-level | vSphere vCenter Cluster | Host.Config.Storage
Resource.AssignVMToPool
VApp.AssignResourcePool
VApp.Import
VirtualMachine.Config.AddNewDisk +openshift-resourcepool-level | vSphere vCenter Resource Pool | Host.Config.Storage
Resource.AssignVMToPool
VApp.AssignResourcePool
VApp.Import
VirtualMachine.Config.AddNewDisk openshift-datastore-level| vSphere Datastore | Datastore.AllocateSpace
Datastore.Browse
Datastore.FileManagement openshift-portgroup-level | vSphere Port Group | Network.Assign openshift-folder-level| Virtual Machine Folder | Resource.AssignVMToPool
VApp.Import
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.Annotation
VirtualMachine.Config.CPUCount
VirtualMachine.Config.DiskExtend
VirtualMachine.Config.DiskLease
VirtualMachine.Config.EditDevice
VirtualMachine.Config.Memory
VirtualMachine.Config.RemoveDisk
VirtualMachine.Config.Rename
VirtualMachine.Config.ResetGuestInfo
VirtualMachine.Config.Resource
VirtualMachine.Config.Settings
VirtualMachine.Config.UpgradeVirtualHardware
VirtualMachine.Interact.GuestControl
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.Reset
VirtualMachine.Inventory.Create
VirtualMachine.Inventory.CreateFromExisting
VirtualMachine.Inventory.Delete
VirtualMachine.Provisioning.Clone @@ -29,13 +29,35 @@ Role Name | vSphere object | Privilege Set --- | --- | --- openshift-datacenter-level| vSphere vCenter Datacenter | Resource.AssignVMToPool
VApp.Import
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.Annotation
VirtualMachine.Config.CPUCount
VirtualMachine.Config.DiskExtend
VirtualMachine.Config.DiskLease
VirtualMachine.Config.EditDevice
VirtualMachine.Config.Memory
VirtualMachine.Config.RemoveDisk
VirtualMachine.Config.Rename
VirtualMachine.Config.ResetGuestInfo
VirtualMachine.Config.Resource
VirtualMachine.Config.Settings
VirtualMachine.Config.UpgradeVirtualHardware
VirtualMachine.Interact.GuestControl
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.Reset
VirtualMachine.Inventory.Create
VirtualMachine.Inventory.CreateFromExisting
VirtualMachine.Inventory.Delete
VirtualMachine.Provisioning.Clone
Folder.Create
Folder.Delete +### Resources installed in root of cluster (no resource pool) + +Including the role-set above one additional role needs to be created if the installer is to create VMs in the root of the cluster. Note that the privileges applied at the cluster-level in this case are the same as those applied at the resource-pool-level above. + +Role Name | vSphere object | Privilege Set +--- | --- | --- +openshift-cluster-level | vSphere vCenter Cluster | Host.Config.Storage
Resource.AssignVMToPool
VApp.AssignResourcePool
VApp.Import
VirtualMachine.Config.AddNewDisk + ## Permission assignments The easiest way to ensure proper permissions is to grant Global Permissions to the user with the privileges above. Otherwise, it is necessary to ensure that the user with the listed privileges has permissions granted on all necessary entities in the vCenter. For more information, consult [vSphere Permissions and User Management Tasks][vsphere-perms] -### Precreated virtual machine folder +### Precreated virtual machine folder and resource pool + +Role Name | Propagate | Entity +--- | --- | --- +openshift-vcenter-level | False | vSphere vCenter +ReadOnly | False | vSphere vCenter Datacenter +ReadOnly | True | vSphere vCenter Cluster +openshift-resourcepool-level | True | vSphere vCenter Resource Pool +openshift-datastore-level | False | vSphere vCenter Datastore +ReadOnly | False | vSphere Switch +openshift-portgroup-level | False | vSphere Port Group +openshift-folder-level | True | vSphere vCenter Virtual Machine folder + + +### Precreated virtual machine folder without resource pool Role Name | Propagate | Entity --- | --- | --- @@ -48,7 +70,7 @@ openshift-portgroup-level | False | vSphere Port Group openshift-folder-level | True | vSphere vCenter Virtual Machine folder -### Installer created virtual machine folder +### Installer created virtual machine folder without resource pool Role Name | Propagate | Entity --- | --- | --- openshift-vcenter-level | False | vSphere vCenter
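Review bot: in the first hunk (`@@ -7,14 +7,14 @@`) the added sentence misspells "priviliges" ("The priviliges in the third section are necessary for the installer to create VMs in the root of the cluster"); it should read "privileges". The same hunk drops the `openshift-cluster-level` row from the fundamental table, so the surrounding text should say plainly that the cluster-level role is only required when no resource pool is specified; the assignment table added in the second hunk still grants `ReadOnly` on the vSphere vCenter Cluster, so the prose must not leave the impression that no cluster permission at all is needed when installing into an existing resource pool.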
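Review bot: in the second hunk (`@@ -29,13 +29,35 @@`) the opening sentence of the new section, "Including the role-set above one additional role needs to be created if the installer is to create VMs in the root of the cluster", is hard to parse; suggest "In addition to the roles above, one more role must be created when the installer places VMs in the root of the cluster (no resource pool specified)." The hunk also inserts two consecutive blank lines before `### Precreated virtual machine folder without resource pool`; one is enough. In the new "Precreated virtual machine folder and resource pool" table, `openshift-resourcepool-level | True | vSphere vCenter Resource Pool` propagates the role to every child pool and VM under that pool; a short sentence saying this is intended (the cluster VMs created there inherit it) would make the least-privilege scope explicit for the reader.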
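Review bot: the third hunk (`@@ -48,7 +70,7 @@`) only renames the heading to "Installer created virtual machine folder without resource pool", but no matching "Installer created virtual machine folder with resource pool" assignment table is added, even though the second hunk adds exactly that variant for the precreated-folder case. Either add the corresponding table (the `openshift-datacenter-level` role on the datacenter, whose privilege set in the second hunk includes `Folder.Create` and `Folder.Delete`, together with `openshift-resourcepool-level` on the resource pool, mirroring the precreated-folder-and-resource-pool table) or state explicitly that an installer-created folder combined with an existing resource pool is not a documented configuration.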