Predefined Roles and Their Rights

Each vCloud Director predefined role contains a default set of rights required to perform operations included in common workflows. By default, all predefined global tenant roles are published to every organization in the system.

Predefined Provider Roles

By default, the provider roles that are local only to the provider organization are the System Administrator and Multisite System roles. System administrators can create additional custom provider roles.

System Administrator	The System Administrator role exists only in the provider organization. The System Administrator role includes all rights in the system. The System administrator credentials are established during installation and configuration. A System Administrator can create additional system administrator and user accounts in the provider organization.
Multisite System	Used for running the heartbeat process for multisite deployments. This role has only a single right, Multisite: System Operations, which gives a permission to make a vCloud API request that retrieves the status of the remote member of a site association.

Predefined Global Tenant Roles

By default, the predefined global tenant roles and the rights they contain are published to all organizations. System Administrators can unpublish rights and global tenant roles from individual organizations. System Administrators can edit or delete predefined global tenant roles. System administrators can create and publish additional global tenant roles.

Each predefined role is initially linked to a role template that specifies the set of rights in the role. You cannot create role templates or new predefined roles, but you can unlink a role in your organization from the template on which it was based. Unlinking a predefined role in your organization from its template prevents the role from being affected if a system administrator edits the set of rights in the template by modifying the predefined role. You can also relink an unlinked role in your organization to its template. See View or Modify Role Template Linkage.

Organization Administrator

After creating an organization, a System Administrator can assign the role of Organization Administrator to any user in the organization. A user with the predefined Organization Administrator role can use the vCloud Director Web Console, tenant portal, or vCloud OpenAPI to manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. Roles created or modified by an Organization Administrator are not visible to other organizations.

Catalog Author

The rights associated with the predefined Catalog Author role allow a user to create and publish catalogs.

vApp Author

The rights associated with the predefined vApp Author role allow a user to use catalogs and create vApps.

vApp User

The rights associated with the predefined vApp User role allow a user to use existing vApps.

Console Access Only

The rights associated with the predefined Console Access Only role allow a user to view virtual machine state and properties and to use the guest OS.

Defer to Identity Provider

Rights associated with the predefined Defer to Identity Provider role are determined based on information received from the user's OAuth or SAML Identity Provider. To qualify for inclusion when a user or group is assigned the Defer to Identity Provider role, a role or group name supplied by the Identity Provider must be an exact, case-sensitive match for a role or group name defined in your organization.

■	If the user is defined by an OAuth Identity Provider, the user is assigned the roles named in the roles array of the user's OAuth token.
■	If the user is defined by a SAML Identity Provider, the user is assigned the roles named in the SAML attribute whose name appears in the RoleAttributeName element, which is in the SamlAttributeMapping element in the organization's OrgFederationSettings.

If a user is assigned the Defer to Identity Provider role but no matching role or group name is available in your organization, the user can log in to the organization but has no rights. If an Identity Provider associates a user with a system-level role such as System Administrator, the user can log in to the organization but has no rights. You must manually assign a role to such users.

Except the Defer to Identity Provider role, each predefined role includes a set of default rights. Only a System Аdministrator can modify the rights in a predefined role. If a System administrator modifies a predefined role, the modifications propagate to all instances of the role in the system.

Rights in Predefined Global Tenant Roles

Predefined roles and new roles created by the Organization Administrator are listed in the RoleReferences element of AdminOrg response. To view the list of rights included in a role, make a request like this one, where org-id is the UUID of the organization and role-id is the UUID of the role.

GET https://vcloud.example.com/api/admin/org/org-id/role/role-id

You can also use the adminRole query and filter on the organization UUID.

GET https://vcloud.example.com/api/query?type=adminRole&format=records&filter=org==https://vcloud.example.com/api/org/org-id

Various rights are common to multiple predefined global roles. These rights are granted by default to all new organizations, and are available for use in other roles created by the Оrganization Аdministrator.

Rights Included in the Global Tenant Roles in vCloud Director
Right Name	Organization Administrator	Catalog Author	vApp Author	vApp User	Console Access Only
Catalog: Add a vApp from My Cloud	X	X	X
Catalog: Allow External Publishing / Subscriptions for the Catalogs	X	X
Catalog: Change Owner	X
Catalog: Create / Delete a Catalog	X	X
Catalog: Edit Catalog Properties	X	X
Catalog: Share a Catalog to Other Organizations	X	X
Catalog: Share a Catalog to Users / Groups within Current Organization	X	X
Catalog: View Private and Shared Catalogs within Current Organization	X	X	X
Catalog: View Shared Catalogs from Other Organizations	X		Х
Catalog Item: Add to My Cloud	X	X	X	X
Catalog Item: Copy / Move a vApp Template / Media	X	X	X
Catalog Item: Create / Upload a vApp Template / Media	X	X	X
Catalog Item: Edit vApp Template / Media	X	X
Catalog Item: Enable vApp Template / Media Download	X	X	X
Catalog Item: View vApp Templates / Media	X	X	X	X
Custom Entity: View All Custom Entity Instances in Organization	X
Custom Entity: View Custom Entity Instance	X
Disk: Change Owner	X	X
Disk: Create a Disk	X	X	X
Disk: Delete a Disk	X	X	X
Disk: Edit Disk Properties	X	X	X
Disk: View Disk Properties	X	X	X	X
Distributed Firewall: Configure Distributed Firewall Rules	X
Distributed Firewall: View Distributed Firewall Rules	X
Gateway: Configure Syslog Server	X
Gateway: Convert to Advanced Gateway	X
Gateway: View Gateway	X
Gateway Services: DHCP Configure	X
Gateway Services: Firewall Configure	X
Gateway Services: IPSEC VPN Configure	X
Gateway Services: Load Balancer Configure	X
Gateway Services: NAT Configure	X
Gateway Services: Static Routing Configure	X
General: Administrator Control	X
General: Administrator View	X
General: Send Notification	X
Hybrid Tunnel: Acquire Control Ticket	X
Hybrid Tunnel: Acquire From-the-Cloud Tunnel Ticket	X
Hybrid Tunnel: Acquire To-the-Cloud Tunnel Ticket	X
Hybrid Tunnel: Create From-the-Cloud Tunnel	X
Hybrid Tunnel: Create To-the-Cloud Tunnel	X
Hybrid Tunnel: Delete From-the-Cloud Tunnel	X
Hybrid Tunnel: Delete To-the-Cloud Tunnel	X
Hybrid Tunnel: Update From-the-Cloud Tunnel Endpoint Tag	X
Hybrid Tunnel: View From-the-Cloud Tunnel	X
Hybrid Tunnel: View To-the-Cloud Tunnel	X
Network: Edit Properties
Network: View Properties
Organization: Allow Access to All Organization VDCs	X
Organization: Edit Access Control List of Organization VDCs	X
Organization: Edit Federation Settings	X
Organization: Edit Leases Policy	X
Organization: Edit Organization Associations	X
Organization: Edit Organization Network Properties	X
Organization: Edit Organization OAuth Settings	X
Organization: Edit Organization Properties	X
Organization: Edit Password Policy	X
Organization: Edit Quotas Policy	X
Organization: Edit SMTP Settings	X
Organization: Implicitly Import User/Group from IdP while Editing VDC ACL	X
Organization: View Access Control List of Organization VDCs	X
Organization: View Catalog ACL	X	X
Organization: View Organization Networks	X
Organization: View Organizations	X	X	X
Organization: View vApp ACL	X		X
Organization vDC: Edit Organization VDC Name and Description	X
Organization vDC: Edit VM-VM Affinity Rule	X	X	X
Organization vDC: Manage Firewall	X
Organization vDC: Set Default Storage Policy	X
Organization vDC: View Compute Policies for an Organization VDC	X		X	X
Organization vDC: View Organization VDCs	X
Role: Create / Update / Delete a Role	X
Service Library: View Services Making Up the Service Library	X
User: View Group / User	X
VCD Extension: View Tenant Portal Plugin Information	X	X	X	X
VDC Template: Instantiate Organization VDC Templates	X
VDC Template: View Organization VDC Templates	X
VM Monitoring: View historic metrics for the Organization	X
VM Monitoring: View historic metrics for the Organization VDC	X
vApp: Access to VM Console	X	X	X	X	X
vApp: Allow Metadata Mapping Domain to vCenter Server	X	X	X
vApp: Change Owner	X
vApp: Change vApp Template Owner	X	X
vApp: Copy a vApp	X	X	X	X
vApp: Create / Reconfigure vApp	X	X	X
vApp: Create / Revert / Remove / a Snapshot	X	X	X	X
vApp: Delete a vApp	X	X	X	X
vApp: Download a vApp	X	X	X
vApp: Edit / View VM Boot Options	X	X	X
vApp: Edit VM CPU	X	X	X
vApp: Edit VM Hard Disk	X	X	X
vApp: Edit VM Memory	X	X	X
vApp: Edit VM Network	X	X	X	X
vApp: Edit VM Properties	X	X	X	X
vApp: Edit vApp Properties	X	X	X	X
vApp: Manage VM Password Settings	X	X	X	X	X
vApp: Share a vApp	X	X	X	X
vApp: Start / Stop / Suspend / Reset a vApp	X	X	X	X
vApp: Upload a vApp	X	X	X
vApp: View VM metrics	X		X	X