A right is the fundamental unit of access control in vCloud Director. A role associates a role name with a set of rights. Each organization can have different rights and roles.

vCloud Director uses roles and their associated rights to determine whether a user or group is authorized to perform an operation. Many of the procedures documented in the vCloud Director guides include a prerequisite role. These prerequisites assume that the named role is the unmodified predefined role or a role that includes an equivalent set of rights.

vCloud Director 9.5 introduces rights bundles and global tenant roles, which system administrators can use to manage the rights and roles that are available to each organization.

After you install vCloud Director, the system contains only the System Rights Bundle, which includes all rights that are available in the system. The System Rights Bundle is not published to any organization. The system also contains built-in global tenant roles that are published to all organizations. For information about the predefined roles, see Predefined Roles and Their Rights.

After you upgrade vCloud Director from version 9.1 or earlier, in addition to the System Rights Bundle, the system contains a Legacy Rights Bundle for each existing organization. Each Legacy Rights Bundle includes the rights that were available in the associated organization at the time of the upgrade and is published only to that organization.

Note

To begin using the rights bundles model for an existing organization, you must delete the corresponding Legacy Rights Bundle.

If you upgraded vCloud Director from version 9.1 or earlier, the existing role templates are published to all organizations as global tenant roles, and existing roles that are not linked to a role template are available to their organizations as tenant-specific roles.

Important

Some vCloud APIs for managing rights and roles are under accelerated deprecation. See vCloud API Programming Guide for Service Providers.

vCloud Director 9.5 introduces OpenAPIs for managing rights and roles. For information about the vCloud OpenAPI, see Getting Started with vCloud OpenAPI at https://code.vmware.com.

Right

Each right provides view or manage access to a particular object type in vCloud Director. Rights belong to different categories depending on the objects to which they relate, for example, vApp, Catalog, Organization, and so on. The Provider organization contains all rights available in the system. The system administrator defines the rights that are available to each organization. You cannot create or modify the rights included in vCloud Director.

Note

You can create and modify rights associated with extension services, but not those associated with vCloud Director. See Create a Service-Specific Right.

Rights Bundle

System administrators can use rights bundles to manage the rights that are available to each organization. A rights bundle is a set of rights that the system administrator can publish to one or more organizations. The system administrator can create and publish rights bundles that correspond to tiers of service, separately monetizable functionality, or any other arbitrary rights grouping. Only system administrators can view and manage the rights bundles. You can publish multiple bundles to the same organization.

Organization Rights

Organization rights are the full set of rights that are available to an organization. Organization rights can comprise multiple rights bundles, but the organization administrators and users see a flat set of rights that they can use to create and modify tenant-specific roles.

Role

A role is a set of rights that is assignable to one or more users and groups. When you create or import a user or group, you must assign it a role.

Provider Roles

Provider roles are the set of roles that are available only to the Provider organization. Provider roles can be assigned only to Provider users. System administrators can create custom provider roles.

Tenant Roles

Tenant roles are the set of roles available to an organization.

System administrators can create and edit global tenant roles and publish them to one or more organizations. Global tenant roles can be assigned to tenant users in the organizations to which they are published. Organization administrators cannot edit global tenant roles.

Note

Tenant users can use only those rights from their roles that are published to their organizations.

Tenant-Specific Roles

Organization administrators can create and edit tenant-specific roles, which are local to their organizations. Tenant-specific roles can be assigned only to tenant users in the organization to which they belong. Tenant-specific roles can contain only rights that are included in the organization rights.
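The three rules above (organization rights are the flat union of the published bundles, a tenant user can use only the rights of a role that are also published to the organization, and a tenant-specific role cannot reach outside the organization rights) are easy to get wrong when several bundles and a global tenant role overlap. The following Python model is an added illustration written for this page, not vCloud Director code and not a call to the vCloud OpenAPI. The bundle, role, organization and right names are constructed sample data, and rights are modelled as plain strings. The last function assumes, following the union definition, that deleting or unpublishing a bundle removes from the organization exactly those of its rights that no other published bundle supplies; that is the check to run before deleting a Legacy Rights Bundle.

```python
"""Rights resolution in the vCloud Director rights-bundle model.

Added illustration written for this page, not vCloud Director's own code.
Bundle, role, right and organization names are constructed sample data;
rights are modelled as plain strings in a "<Category>: <Action>" style.
"""
from typing import Dict, Iterable, Set

# Constructed sample data: one base bundle published to every tenant and one
# add-on bundle published to a single organization.
RIGHTS_BUNDLES: Dict[str, Dict[str, Set[str]]] = {
    "Base Tier": {
        "rights": {
            "vApp: View",
            "vApp: Edit Properties",
            "Catalog: View Private and Shared Catalogs",
        },
        "published_to": {"org-a", "org-b"},
    },
    "Networking Add-on": {
        "rights": {
            "Organization vDC Network: View",
            "Organization vDC Network: Edit Properties",
        },
        "published_to": {"org-a"},
    },
}

# Constructed sample global tenant role, published to both organizations even
# though only org-a has the networking rights it grants.
GLOBAL_TENANT_ROLES: Dict[str, Dict[str, Set[str]]] = {
    "Network Operator": {
        "rights": {
            "vApp: View",
            "Organization vDC Network: View",
            "Organization vDC Network: Edit Properties",
        },
        "published_to": {"org-a", "org-b"},
    },
}


def organization_rights(org: str, bundles=RIGHTS_BUNDLES) -> Set[str]:
    """Organization rights: the flat union of every bundle published to org."""
    rights: Set[str] = set()
    for bundle in bundles.values():
        if org in bundle["published_to"]:
            rights |= bundle["rights"]
    return rights


def effective_rights(org: str, role_rights: Iterable[str],
                     bundles=RIGHTS_BUNDLES) -> Set[str]:
    """Rights a tenant user in org can actually exercise from a role: only
    those that the organization rights also contain."""
    return set(role_rights) & organization_rights(org, bundles)


def dormant_global_role_rights(org: str, role_name: str,
                               roles=GLOBAL_TENANT_ROLES,
                               bundles=RIGHTS_BUNDLES) -> Set[str]:
    """Rights a global tenant role grants that are not published to org and
    therefore cannot be used there; worth auditing after every bundle change."""
    role = roles[role_name]
    if org not in role["published_to"]:
        raise ValueError(f"global role {role_name!r} is not published to {org!r}")
    return role["rights"] - organization_rights(org, bundles)


def rejected_tenant_role_rights(org: str, proposed: Iterable[str],
                                bundles=RIGHTS_BUNDLES) -> Set[str]:
    """Rights an organization administrator cannot place in a tenant-specific
    role because they lie outside the organization rights."""
    return set(proposed) - organization_rights(org, bundles)


def rights_lost_on_unpublish(org: str, bundle_name: str,
                             bundles=RIGHTS_BUNDLES) -> Set[str]:
    """Rights org would lose if bundle_name were unpublished or deleted and no
    other published bundle supplies them (assumes the union model above)."""
    remaining = {name: b for name, b in bundles.items() if name != bundle_name}
    return organization_rights(org, bundles) - organization_rights(org, remaining)


if __name__ == "__main__":
    for org in ("org-a", "org-b"):
        print(org, "rights:", sorted(organization_rights(org)))
        print(org, "dormant in Network Operator:",
              sorted(dormant_global_role_rights(org, "Network Operator")))
    print("org-a loses if Networking Add-on is removed:",
          sorted(rights_lost_on_unpublish("org-a", "Networking Add-on")))
```

In the sample data the Network Operator role is published to org-b, but both of its networking rights are dormant there because no bundle publishes them to that organization; a user holding the role in org-b can use only vApp: View. The same functions applied to real bundle and role data pulled from an installation give the review a system administrator should do before deleting a Legacy Rights Bundle or narrowing a bundle's publication.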

For information about managing tenant-specific roles, see vCloud Director Tenant Portal Guide.