Predefined Roles and Their Rights
Each vCloud Director predefined role contains a default set of rights required to perform operations included in common workflows. By default, all predefined global tenant roles are published to every organization in the system.
Predefined Provider Roles
By default, the provider roles that are local only to the provider organization are the System Administrator and Multisite System roles. System administrators can create additional custom provider roles.
- System Administrator
- The System Administrator role exists only in the provider organization. The System Administrator role includes all rights in the system. The System administrator credentials are established during installation and configuration. A System Administrator can create additional system administrator and user accounts in the provider organization.
- Multisite System
- Used for running the heartbeat process for multisite deployments. This role has only a single right, Multisite: System Operations, which gives a permission to make a vCloud API request that retrieves the status of the remote member of a site association.
Predefined Global Tenant Roles
By default, the predefined global tenant roles and the rights they contain are published to all organizations. System Administrators can unpublish rights and global tenant roles from individual organizations. System Administrators can edit or delete predefined global tenant roles. System administrators can create and publish additional global tenant roles.
- Organization Administrator
- After creating an organization, a System Administrator can assign the role of Organization Administrator to any user in the organization. A user with the predefined Organization Administrator role can use the vCloud Director Web Console, tenant portal, or vCloud OpenAPI to manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. Roles created or modified by an Organization Administrator are not visible to other organizations.
- Catalog Author
- The rights associated with the predefined Catalog Author role allow a user to create and publish catalogs.
- vApp Author
- The rights associated with the predefined vApp Author role allow a user to use catalogs and create vApps.
- vApp User
- The rights associated with the predefined vApp User role allow a user to use existing vApps.
- Console Access Only
- The rights associated with the predefined Console Access Only role allow a user to view virtual machine state and properties and to use the guest OS.
- Defer to Identity Provider
- Rights associated with
the predefined Defer
to Identity Provider role are determined based on information
received from the user's OAuth or SAML Identity Provider. To qualify for
inclusion when a user or group is assigned the
Defer to Identity
Provider role, a role or group name supplied by the Identity
Provider must be an exact, case-sensitive match for a role or group name
defined in your organization.
- If the user is defined by an OAuth Identity Provider, the user is assigned the roles named in the roles array of the user's OAuth token.
- If the user is defined by a SAML Identity Provider, the user is assigned the roles named in the SAML attribute whose name appears in the RoleAttributeName element, which is in the SamlAttributeMapping element in the organization's OrgFederationSettings.
Except the Defer to Identity Provider role, each predefined role includes a set of default rights. Only a System Аdministrator can modify the rights in a predefined role. If a System administrator modifies a predefined role, the modifications propagate to all instances of the role in the system.
Rights in Predefined Global Tenant Roles
Predefined roles and new
roles created by the Organization
Administrator are listed in the
RoleReferences element
of
AdminOrg response. To
view the list of rights included in a role, make a request like this one, where
org-id
is the UUID of the organization and
role-id is the UUID of
the role.
GET https://vcloud.example.com/api/admin/org/org-id/role/role-idYou can also use the adminRole query and filter on the organization UUID.
GET https://vcloud.example.com/api/query?type=adminRole&format=records&filter=org==https://vcloud.example.com/api/org/org-id
Various rights are common to multiple predefined global roles. These rights are granted by default to all new organizations, and are available for use in other roles created by the Оrganization Аdministrator.
| Right Name | Organization Administrator | Catalog Author | vApp Author | vApp User | Console Access Only |
|---|---|---|---|---|---|
| Catalog: Add a vApp from My Cloud | X | X | X | ||
| Catalog: Allow External Publishing / Subscriptions for the Catalogs | X | X | |||
| Catalog: Change Owner | X | ||||
| Catalog: Create / Delete a Catalog | X | X | |||
| Catalog: Edit Catalog Properties | X | X | |||
| Catalog: Share a Catalog to Other Organizations | X | X | |||
| Catalog: Share a Catalog to Users / Groups within Current Organization | X | X | |||
| Catalog: View Private and Shared Catalogs within Current Organization | X | X | X | ||
| Catalog: View Shared Catalogs from Other Organizations | X | ||||
| Catalog Item: Add to My Cloud | X | X | X | X | |
| Catalog Item: Copy / Move a vApp Template / Media | X | X | X | ||
| Catalog Item: Create / Upload a vApp Template / Media | X | X | |||
| Catalog Item: Edit vApp Template / Media | X | X | |||
| Catalog Item: Enable vApp Template / Media Download | X | X | |||
| Catalog Item: View vApp Templates / Media | X | X | X | X | |
| Custom Entity: View All Custom Entity Instances in Organization | X | ||||
| Custom Entity: View Custom Entity Instance | X | ||||
| Disk: Change Owner | X | X | |||
| Disk: Create a Disk | X | X | X | ||
| Disk: Delete a Disk | X | X | X | ||
| Disk: Edit Disk Properties | X | X | X | ||
| Disk: View Disk Properties | X | X | X | X | |
| Distributed Firewall: Configure Distributed Firewall Rules | X | ||||
| Distributed Firewall: Enable / Disable Distributed Firewall | X | ||||
| Distributed Firewall: View Distributed Firewall Rules | X | ||||
| Edge Cluster: View Edge Cluster | X | ||||
| Edge Cluster: Manage Edge Cluster | X | ||||
| Gateway: Configure Syslog Server | X | ||||
| Gateway: Configure System Logging | X | ||||
| Gateway: Convert to Advanced Gateway | X | ||||
| Gateway: View Gateway | X | ||||
| Gateway: Enale Distributed Routing | X | ||||
| Gateway: Import Edge Gateway | X | ||||
| Gateway Services: BGP Routing Configure | |||||
| Gateway Services: DHCP Configure | X | ||||
| Gateway Services: Firewall Configure | X | ||||
| Gateway Services: IPSEC VPN Configure | X | ||||
| Gateway Services: L2 VPN Configure | |||||
| Gateway Services: Load Balancer Configure | X | ||||
| Gateway Services: NAT Configure | X | ||||
| Gateway Services: OSPF Routing Configure | X | ||||
| Gateway Services: Remote Access Configure | X | ||||
| Gateway Services: SSL VPN Configure | X | ||||
| Gateway Services: Static Routing Configure | X | ||||
| Gateway Services: BGP Routing View Only | X | ||||
| Gateway Services: DHCP View Only | X | ||||
| Gateway Services: Firewall View Only | X | ||||
| Gateway Services: IPSEC VPN View Only | X | ||||
| Gateway Services: L2 VPN View Only | X | ||||
| Gateway Services: Load Balancer View Only | X | ||||
| Gateway Services: NAT View Only | X | ||||
| Gateway Services: OSPF Rouing View Only | X | ||||
| Gateway Services: Remote Access View Only | X | ||||
| Gateway Services: SSL VPN View Only | X | ||||
| Gateway Services: Static Routing View Only | X | ||||
| General: Administrator Control | X | ||||
| General: Administrator View | X | ||||
| General: Send Notification | X | ||||
| Hybrid Tunnel: Acquire Control Ticket | X | ||||
| Hybrid Tunnel: Acquire From-the-Cloud Tunnel Ticket | X | ||||
| Hybrid Tunnel: Acquire To-the-Cloud Tunnel Ticket | X | ||||
| Hybrid Tunnel: Create From-the-Cloud Tunnel | X | ||||
| Hybrid Tunnel: Create To-the-Cloud Tunnel | X | ||||
| Hybrid Tunnel: Delete From-the-Cloud Tunnel | X | ||||
| Hybrid Tunnel: Delete To-the-Cloud Tunnel | X | ||||
| Hybrid Tunnel: Update From-the-Cloud Tunnel Endpoint Tag | X | ||||
| Hybrid Tunnel: View the Cloud Tunnel Server Settings | X | ||||
| Hybrid Tunnel: View From-the-Cloud Tunnel | X | ||||
| Hybrid Tunnel: View To-the-Cloud Tunnel | X | ||||
| Organization: Allow Access to All Organization VDCs | X | ||||
| Organization: Edit Access Control List of Organization VDCs | X | ||||
| Organization: Edit Federation Settings | X | ||||
| Organization: Edit Leases Policy | X | ||||
| Organization: Edit Organization Associations | X | ||||
| Organization: Edit Organization Network Properties | X | ||||
| Organization: Edit Organization OAuth Settings | X | ||||
| Organization: Edit Organization Properties | X | ||||
| Organization: Edit Password Policy | X | ||||
| Organization: Edit Quotas Policy | X | ||||
| Organization: Edit SMTP Settings | X | ||||
| Organization: Implicitly Import User/Group from IdP while Editing VDC ACL | X | ||||
| Organization: View Access Control List of Organization VDCs | X | ||||
| Organization: View Catalog ACL | X | X | |||
| Organization: View Organization Networks | X | ||||
| Organization: View Organizations | X | X | X | ||
| Organization: View vApp ACL | X | X | X | X | |
| Organization VDC: Edit Organization VDC Name and Description | X | ||||
| Organization VDC: Edit VM-VM Affinity Rule | X | X | X | ||
| Organization VDC: Edit Organization VDC Extended Properties | X | ||||
| Organization VDC: Manage Firewall | X | ||||
| Organization VDC: Set Default Storage Policy | X | ||||
| Organization VDC: View Compute Policies for an Organization VDC | X | X | X | X | |
| Organization VDC: View Organization VDC Extended Properties | X | ||||
| Organization VDC Network: View Properties | X | ||||
| Organization VDC Network: Edit Properties | X | ||||
| Organization VDC Network: Import Network | X | ||||
| Organization VDC: View Organization VDCs | X | ||||
| Organization VDC Template: Instantiate Organization VDC templates | X | ||||
| Organization VDC Template: View VDC templates | X | ||||
| Provider Network: View Provider Network | X | ||||
| Provider Network: Create / Delete Provider Network | X | ||||
| Role: Create / Update / Delete a Role | X | ||||
| Service Library: View Services Making Up the Service Library | X | ||||
| User: View Group / User | X | ||||
| VCD Extension: View Tenant Portal Plugin Information | X | X | X | X | |
| VDC Group: View VDC Group | X | ||||
| VDC Group: Configure VDC Group | X | ||||
| VM Monitoring: View historic metrics for the Organization | X | ||||
| VM Monitoring: View historic metrics for the Organization VDC | X | ||||
| vApp: Access to VM Console | X | X | X | X | X |
| vApp: Allow Metadata Mapping Domain to vCenter Server | X | X | X | ||
| vApp: Change Owner | X | ||||
| vApp: Change vApp Template Owner | X | X | |||
| vApp: Copy a vApp | X | X | X | X | |
| vApp: Create / Reconfigure vApp | X | X | X | ||
| vApp: Create / Revert / Remove / a Snapshot | X | X | X | X | |
| vApp: Delete a vApp | X | X | X | X | |
| vApp: Download a vApp | X | X | X | ||
| vApp: Edit / View VM Boot Options | X | X | X | ||
| vApp: Edit VM CPU | X | X | X | ||
| vApp: Edit VM Hard Disk | X | X | X | ||
| vApp: Edit VM Memory | X | X | X | ||
| vApp: Edit VM Network | X | X | X | X | |
| vApp: Edit VM Properties | X | X | X | X | |
| vApp: Edit vApp Properties | X | X | X | X | |
| vApp: Edit VM Compute Policy | X | X | X | ||
| vApp: Manage VM Password Settings | X | X | X | X | X |
| vApp: Share a vApp | X | X | X | X | |
| vApp: Start / Stop / Suspend / Reset a vApp | X | X | X | X | |
| vApp: Upload a vApp | X | X | X | ||
| vApp: View VM metrics | X | X | X |
For information about the new rights that vCloud Director 9.7 introduces, see New Rights in This Release.