Each vCloud Director predefined role contains a default set of rights required to perform operations included in common workflows. With the exception of the System Administrator role, each predefined role exists in every organization in the system.

The system administrator role exists only in the System organization. The System organization and system administrator role include all rights. System administrator credentials are established during installation and configuration. A system administrator can create additional system administrator accounts. All system administrators are members of the System organization.

You cannot modify the rights associated with the System Administrator role. A system administrator can use the vCloud Director Web Console or the vCloud API to create or update other role objects in any organization in the system.

Predefined roles and the rights they contain are available in all organizations.

Each predefined role is initially linked to a role template that specifies the set of rights in the role. You cannot create new role templates or new predefined roles, but you can unlink a role in your organization from the template on which it was based. Unlinking a predefined role in your organization from its template prevents the role from being affected if a system administrator edits the set of rights in the template by modifying the predefined role. You can also re-link an unlinked role in your organization to its template. See View or Modify Role Template Linkage.

Organization Administrator

After creating an organization, a system administrator can assign the role of organization administrator to any user in the organization. A user with the predefined Organization Administrator role can use the vCloud Director Web Console or the vCloud API to manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. An organization administrator can use the vCloud API to create or update role objects that are local to the organization. Roles created or modified by an organization administrator are not visible to other organizations.

Catalog Author

The rights associated with the predefined Catalog Author role allow a user to create and publish catalogs.

vApp Author

The rights associated with the predefined vApp Author role allow a user to use catalogs and create vApps.

vApp User

The rights associated with the predefined vApp User role allow a user to use existing vApps.

Console Access Only

The rights associated with the predefined Console Access Only role allow a user to view virtual machine state and properties and to use the guest OS.

Defer to Identity Provider

Rights associated with the predefined Defer to Identity Provider role are determined from information received from the user's OAuth or SAML Identity Provider. When a user or group is assigned the Defer to Identity Provider role, a role or group name supplied by the Identity Provider counts only if it is an exact, case-sensitive match for a role or group name defined in your organization.

If the user is defined by an OAuth Identity Provider, the user will be assigned the roles named in the roles array of the user's OAuth token.

If the user is defined by a SAML Identity Provider, the user will be assigned the roles named in the SAML attribute whose name appears in the RoleAttributeName element in the organization's OrgFederationSettings.

If a user is assigned the Defer to Identity Provider role but no matching role or group name is available in your organization, the user can log in to the organization but has no rights. If an Identity Provider associates a user with a system-level role such as System Administrator, the user can log in to the organization but has no rights. You must manually assign a role to such users.
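The matching rule just described is easy to get wrong in practice, and the symptom (a federated user who can log in but has no rights) is silent. The following is an added example, not vCloud Director code: it models the documented behaviour (names taken from the OAuth token's roles array or from the SAML attribute named by RoleAttributeName; exact, case-sensitive comparison against the organization's role and group names; system-level names never granting rights in a tenant organization) and adds a diagnostic for the common case-only mismatch. All role names and token contents are constructed, and the SAML attributes and OAuth payload are passed in as plain dicts.

```python
"""Model of the Defer to Identity Provider matching rule.

Added example, not vCloud Director code. It reproduces the documented
behaviour so an administrator can check why a federated user logged in
with no rights. Role names, token and attribute contents are constructed.
"""

# Roles the page says exist only in the System organization; an IdP claim
# naming one of them never grants rights in a tenant organization.
SYSTEM_LEVEL_ROLES = frozenset({"System Administrator"})


def idp_role_names(oauth_payload=None, saml_attributes=None, role_attribute_name=None):
    """Return the role/group names the Identity Provider supplied for a user.

    OAuth: the token's "roles" array.  SAML: the attribute whose name is the
    organization's RoleAttributeName.  Both inputs are plain dicts here.
    """
    if oauth_payload is not None:
        return list(oauth_payload.get("roles", []))
    if saml_attributes is not None and role_attribute_name is not None:
        return list(saml_attributes.get(role_attribute_name, []))
    return []


def resolve_deferred_roles(idp_names, org_roles, org_groups=()):
    """Apply the exact, case-sensitive match rule.

    Returns (matched, rejected): names that map to a role or group defined
    in the organization, and names that do not (system-level names included).
    """
    org_roles = set(org_roles)
    org_groups = set(org_groups)
    matched, rejected = [], []
    for name in idp_names:
        if name in SYSTEM_LEVEL_ROLES:
            rejected.append(name)  # login succeeds, but no rights are granted
        elif name in org_roles or name in org_groups:
            matched.append(name)
        else:
            rejected.append(name)
    return matched, rejected


def case_only_mismatches(idp_names, org_roles, org_groups=()):
    """Diagnostic: IdP names that would match if the comparison ignored case.

    Maps each such IdP name to the organization name it nearly matched, so the
    administrator can align the spelling at the IdP or in the organization.
    """
    defined = set(org_roles) | set(org_groups)
    lowered = {n.lower(): n for n in defined}
    return {
        name: lowered[name.lower()]
        for name in idp_names
        if name not in defined and name.lower() in lowered
    }


def login_has_rights(idp_names, org_roles, org_groups=()):
    """True only if at least one supplied name matched exactly."""
    matched, _ = resolve_deferred_roles(idp_names, org_roles, org_groups)
    return bool(matched)


if __name__ == "__main__":
    # Constructed organization and token; the mixed-case claim is the usual mistake.
    org_roles = {"Organization Administrator", "Catalog Author", "vApp Author",
                 "vApp User", "Console Access Only"}
    token = {"sub": "alice",
             "roles": ["vApp Author", "organization administrator", "System Administrator"]}
    names = idp_role_names(oauth_payload=token)
    print("matched/rejected:", resolve_deferred_roles(names, org_roles))
    print("case-only mismatches:", case_only_mismatches(names, org_roles))
    print("has rights:", login_has_rights(names, org_roles))
```

Running the script shows that only "vApp Author" is honoured, "organization administrator" is rejected because the case differs, and "System Administrator" is rejected because it is a system-level role; a token carrying only the latter two would log the user in with no rights, which is the situation the text says must be fixed by assigning a role manually.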

With the exception of the Defer to Identity Provider role, each predefined role includes a set of default rights. Only a system administrator can modify the rights in a predefined role. If a system administrator modifies a predefined role, the modifications propagate to all instances of the role in the system.

Predefined roles and new roles created by the organization administrator are listed in the RoleReferences element of the AdminOrg response. To view the list of rights included in a role, make a request like this one, where org-id is the UUID of the organization and role-id is the UUID of the role.

GET https://vcloud.example.com/api/admin/org/org-id/role/role-id

You can also use the adminRole query and filter on the organization UUID.

GET https://vcloud.example.com/api/query?type=adminRole&format=records&filter=org==https://vcloud.example.com/api/org/org-id
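An administrator reviewing roles will usually want to do more with the Role response than read it: compare a tenant-created role against the rights it is expected to carry, and surface rights that change trust or access boundaries. The following is an added example, not vCloud Director code or part of the vCloud API SDK. The XML is a constructed sample shaped like the Role document returned by the GET request above (a Role element in the http://www.vmware.com/vcloud/v1.5 namespace whose rights are RightReference children of RightReferences); it was not captured from a real system, and org-id, role-id and right-id-N are placeholders. The set of rights treated as sensitive is this example's selection from the organization-administrator table on this page, not a classification the page itself makes.

```python
"""Parse a vCloud API Role response and audit the rights it carries.

Added example, not vCloud Director code. SAMPLE_ROLE_XML is a constructed
document shaped like the Role response; identifiers in it are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"vc": "http://www.vmware.com/vcloud/v1.5"}

# Rights this page lists as organization-administrator-only. A tenant-created
# role carrying one of these can alter identity trust, role definitions or
# network boundaries, so an auditor wants them surfaced. This selection is
# the example's own, not the page's.
SENSITIVE_RIGHTS = frozenset({
    "Organization: Edit Federation Settings",
    "Organization: Edit OAuth Settings",
    "Organization: Edit Password Policy",
    "Role: Create, Edit, Delete, or Copy",
    "Organization vDC: Edit ACL",
    "Organization vDC Distributed Firewall: Configure Rules",
    "Organization vDC Gateway: Configure Firewall",
    "Organization vDC Gateway: Configure NAT",
    "Organization vDC Gateway: Configure IPsec VPN",
})

# Constructed sample response; org-id, role-id and right-id-N are placeholders.
SAMPLE_ROLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Role xmlns="http://www.vmware.com/vcloud/v1.5"
      name="Helpdesk"
      href="https://vcloud.example.com/api/admin/org/org-id/role/role-id"
      type="application/vnd.vmware.admin.role+xml">
  <Description>Tenant-created helpdesk role (constructed sample)</Description>
  <RightReferences>
    <RightReference name="vApp: Power Operations"
        href="https://vcloud.example.com/api/admin/right/right-id-1"
        type="application/vnd.vmware.admin.right+xml"/>
    <RightReference name="vApp: Use Console"
        href="https://vcloud.example.com/api/admin/right/right-id-2"
        type="application/vnd.vmware.admin.right+xml"/>
    <RightReference name="Organization: Edit Federation Settings"
        href="https://vcloud.example.com/api/admin/right/right-id-3"
        type="application/vnd.vmware.admin.right+xml"/>
    <RightReference name="Role: Create, Edit, Delete, or Copy"
        href="https://vcloud.example.com/api/admin/right/right-id-4"
        type="application/vnd.vmware.admin.right+xml"/>
  </RightReferences>
</Role>
"""


def parse_role(role_xml):
    """Return (role name, list of right names) from a Role document."""
    root = ET.fromstring(role_xml)
    if root.tag != "{%s}Role" % NS["vc"]:
        raise ValueError("not a vCloud Role document: %s" % root.tag)
    refs = root.findall("vc:RightReferences/vc:RightReference", NS)
    return root.get("name"), [ref.get("name") for ref in refs]


def sensitive_rights(role_xml, sensitive=SENSITIVE_RIGHTS):
    """Rights in the role that fall in the sensitive set, sorted by name."""
    _, rights = parse_role(role_xml)
    return sorted(set(rights) & set(sensitive))


def rights_beyond(role_xml, expected):
    """Rights the role carries beyond an expected baseline, such as the
    rights of the template it was cloned from, sorted by name."""
    _, rights = parse_role(role_xml)
    return sorted(set(rights) - set(expected))


if __name__ == "__main__":
    name, rights = parse_role(SAMPLE_ROLE_XML)
    print(name, rights)
    print("sensitive:", sensitive_rights(SAMPLE_ROLE_XML))
    # Constructed baseline: what a helpdesk role was meant to have.
    baseline = {"vApp: Power Operations", "vApp: Use Console"}
    print("beyond baseline:", rights_beyond(SAMPLE_ROLE_XML, baseline))
```

The same functions apply unchanged to each Role document fetched for the references in the adminRole query results; fetching is left out so the example runs offline. The two sensitive rights the sample surfaces are exactly the ones that would let a helpdesk user change which Identity Provider the organization trusts or redefine roles, which is why an audit of tenant-created roles should look for them first.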

A number of rights are common to many predefined roles. These rights are granted by default to all new organizations, and are available for use in other roles created by the organization administrator.

Rights Included in Multiple Predefined Roles

The columns of the original table are Organization Administrator, Catalog Author, vApp Author, vApp User, and Console Access Only. The extracted page preserves only how many of those five columns were marked for each right, not which ones; that count appears in the last column below.

| Right Name | Description | Predefined roles that include it (of 5) |
| --- | --- | --- |
| Catalog: Add vApp from My Cloud | Permission to add a vApp from My Cloud to a catalog in my organization. | 3 |
| Catalog: CLSP Publish Subscribe | Permission to publish catalogs for external consumption and to subscribe to external catalog feeds. Organization must be configured to allow publishing externally, subscribing to external catalogs, or both. | 2 |
| Catalog: Create / Delete a Catalog | Permission to create and delete catalogs. | 2 |
| Catalog: Edit Properties | Permission to edit catalog properties. | 2 |
| Catalog: Publish | Permission to share catalogs with users and groups in other organizations. Organization must be configured to allow sharing catalogs with other organizations. | 2 |
| Catalog: Sharing | Permission to share catalogs to users and groups in the same organization. | 2 |
| Catalog: View ACL | Permission to view the access control list of any catalog in the organization. | 2 |
| Catalog: View Private and Shared Catalogs | Permission to view both private and shared catalogs in the organization. | 3 |
| Disk: Create | Permission to create independent disks. | 3 |
| Disk: Delete | Permission to delete independent disks. | 3 |
| Disk: Edit Properties | Permission to edit the properties of an independent disk. | 3 |
| Disk: View Properties | Permission to view the properties of an independent disk. | 4 |
| Organization vDC: View | Permission to view all VDCs in the organization. | 2 |
| Organization vDC: VM-VM Affinity Edit | Permission to edit VM-VM affinity for VMs in all VDCs in the organization. | 2 |
| Organization: View | Permission to view organization contents. | 3 |
| vApp Template / Media: Copy | Permission to copy or move catalog items (vApp templates or media). | 3 |
| vApp Template / Media: Create / Upload | Permission to create or upload catalog items (vApp templates or media). | 2 |
| vApp Template / Media: Edit | Permission to modify catalog items (vApp templates or media). | 2 |
| vApp Template / Media: View | Permission to view catalog items (vApp templates or media). | 4 |
| vApp Template: Checkout | Permission to use a vApp template to create a vApp in My Cloud. | 4 |
| vApp Template: Download | Permission to download a vApp template as an OVF package. | 2 |
| vApp: Change Owner | Permission to change the owner of a vApp. | 2 |
| vApp: Copy | Permission to make a copy of a vApp. | 4 |
| vApp: Create / Reconfigure | Permission to create and reconfigure vApps. | 3 |
| vApp: Delete | Permission to delete a vApp. | 4 |
| vApp: Download | Permission to download a vApp as an OVF package. | 3 |
| vApp: Edit Properties | Permission to edit vApp general properties. | 4 |
| vApp: Edit VM CPU | Permission to edit vApp CPU properties. | 3 |
| vApp: Edit VM Hard Disk | Permission to edit vApp hard disk properties. | 3 |
| vApp: Edit VM Memory | Permission to edit vApp memory properties. | 4 |
| vApp: Edit VM Network | Permission to edit vApp network properties. | 4 |
| vApp: Edit VM Properties | Permission to edit VM general properties. | 4 |
| vApp: Manage VM Password Settings | Permission to modify VM passwords. | 5 |
| vApp: Power Operations | Permission to change VM power state. | 4 |
| vApp: Sharing | Permission to share a vApp with other members of the organization. | 4 |
| vApp: Snapshot Operations | Permission to create, delete, and revert to a vApp snapshot. | 4 |
| vApp: Upload | Permission to upload an OVF package as a vApp. | 3 |
| vApp: Use Console | Permission to open a console connection to a VM in a vApp. | 5 |
| vApp: View ACL | Permission to view the access control list of a vApp. | 2 |
| vApp: View VM metrics | Permission to view current metrics of VMs in a vApp. | 3 |
| vApp: VM Boot Options | Permission to edit vApp boot options such as boot delay and recustomization. | 3 |
| vApp: Allow metadata mapping domain to vCenter | Permission to create or update vApp object metadata in the VCENTER domain. | 3 |
| VCD Extension: View Tenant Portal Plugin Information | Permission to view plug-ins available for the vCloud Director Tenant Portal. | 4 |

The following additional rights are included in the predefined organization administrator role. They are not included in any other predefined role except system administrator. These rights are granted by default to all new organizations, and are available for use in other roles created by the organization administrator.

Additional Rights Included in the Predefined Organization Administrator Role

| Right Name | Description |
| --- | --- |
| Access All Organization VDCs | Permission to view and modify all VDCs in the organization. |
| Catalog: Change Owner | Permission to change the owner of any catalog in the organization. |
| Catalog: View Published Catalogs | Permission to view catalogs shared from other organizations. |
| Disk: Change Owner | Permission to change the owner of an independent disk. |
| General: Administrator Control | Permission to modify objects in the organization. |
| General: Administrator View | Permission to view objects in the organization. |
| General: Send Notification | Permission to configure notifications sent to members of the organization. |
| Group / User: View | Permission to view local users and groups. |
| Hybrid Cloud Operations: Acquire control ticket | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Acquire from-the-cloud tunnel ticket | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Acquire to-the-cloud tunnel ticket | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Create from-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Create to-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Delete from-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Delete to-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Update from-the-cloud tunnel endpoint tag | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: View from-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: View to-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Organization Network: Edit Properties | Permission to modify properties of an organization VDC network. |
| Organization Network: View | Permission to view properties of an organization VDC network. |
| Organization vDC Distributed Firewall: Configure Rules | Advanced networking right. See "NSX Distributed Firewall Service" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Distributed Firewall: View Rules | Advanced networking right. See "NSX Distributed Firewall Service" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Gateway: Configure DHCP | Advanced networking right. See "Edge DHCP Services" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Gateway: Configure Firewall | Advanced networking right. See "NSX Distributed Firewall Service" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Gateway: Configure Load Balancer | Advanced networking right. See "Edge Load Balancer Services" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Gateway: Configure NAT | Advanced networking right. See "Edge NAT Services" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Gateway: Configure IPsec VPN | Advanced networking right. See "Edge IPSec VPN Services" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Gateway: Configure Static Routing | Advanced networking right. See "Edge Routing Services" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Gateway: Configure Syslog | Advanced networking right. See "Edge Interfaces, Logging, Statistics, and Remote Access Properties" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Gateway: Convert to Advanced Networking | Permission to convert an Edge Gateway to Advanced Networking. |
| Organization vDC Gateway: View | Advanced networking right. See "NSX Edge Gateway Management" in the vCloud Director API for NSX Programming Guide. |
| Organization vDC Network: Edit Properties | Permission to modify the properties of an organization VDC network. See Configure Edge Gateway Services. |
| Organization vDC Network: View Properties | Permission to view the properties of an organization VDC network. See Configure Edge Gateway Services. |
| Organization vDC Storage Profile: Set Default | Permission to change the default storage profile for an organization VDC. See Update Organization VDC Storage Profiles. |
| Organization vDC: Edit | Permission to change the configuration of an organization VDC. |
| Organization vDC: Edit ACL | Permission to create or update VDC access controls. See Apply Access Controls to a VDC. |
| Organization vDC: Manage Firewall | Permission to manage firewall rules on an Edge Gateway that is not an advanced gateway. |
| Organization vDC: View ACL | Permission to view VDC access controls. See Apply Access Controls to a VDC. |
| Organization: Edit Association Settings | Permission to create or modify an association with another organization. See Configuring and Managing Multisite Deployments. |
| Organization: Edit Federation Settings | Permission to modify organization federation (IDP) settings. See Retrieve or Update Organization Settings. |
| Organization: Edit Leases Policy | Permission to modify default storage and runtime leases for vApps. See Retrieve or Update Organization Settings. |
| Organization: Edit OAuth Settings | Permission to create or modify organization OAUTH IDP settings. See Configuring and Managing Federation with OAuth. |
| Organization: Edit Password Policy | Permission to create or modify organization password policies. See Retrieve or Update Organization Settings. |
| Organization: Edit Properties | Permission to modify organization properties. |
| Organization: Edit Quotas Policy | Permission to modify organization quotas for VMs. See Retrieve or Update Organization Settings. |
| Organization: Edit SMTP Settings | Permission to modify organization SMTP (e-mail) policies. See Retrieve or Update Organization Settings. |
| Organization: Import User/Group from IdP while Editing VDC ACL | Unused by vCloud Director. |
| Role: Create, Edit, Delete, or Copy | Permission to create or modify roles in your organization. See Create a Role in Your Organization. |
| VDC Template: Instantiate | Permission to create an organization VDC from a template. See Create a VDC from a Template. |
| VDC Template: View | Permission to view an organization VDC template. See Create a VDC from a Template. |