Customer Data Access by VMware
As a customer, you retain control and ownership of your content and can secure your
data as required.
VMware controls the access rights based on the principle of least privilege, which means
only the minimum level of access required is granted. Access is provided according to
the individual job functions and requirements. Appropriate levels of management
authorize the access rights to computers and information systems before the rights
are granted. Access management for information systems is implemented and controlled
through centralized identity stores and directories.
The VMware Security Operations Center uses
log capture, security monitoring technologies, and intrusion detection tools to monitor
VMware personnel accessing customer data. Only authorized VMware operators access the
customer data. Authentication uses a two-factor process and
generates a user-specific time-based temporary credential. This temporary credential is
tied to a specific incident, and all activities performed by this user are logged. The
log information is disclosed to the customer upon request.
Third parties cannot access the
production environment or customer content. If customers have questions about a specific
individual accessing their environment, VMware investigates this activity.