A newly created organization has no users or groups in it. An administrator must create or import them.

An organization can contain an arbitrary number of users and groups. Users can be created locally or managed by an external identity provider. Groups must be managed by an external identity provider. Permissions within an organization are controlled through the assignment of rights and roles to users and groups.

Local user accounts are stored in the vCloud Director database and managed by the organization administrator. Local users cannot be made members of groups.

Imported users and groups must be managed at the source identity provider. If an imported user changes their password, contact information, or other account properties, those changes are not effective in vCloud Director until the user is imported again. The semantics of an import operation depend on the type of the identity provider in use. See About Federation and Single Sign-On.

An organization administrator can modify metadata such as name and description for a user or group object. To do so, create a modified version of the User or Group element that represents the object, then update the object by making a PUT request to the object's rel="edit" link, supplying the modified element in the request body.
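The update flow above as an added example (not code from the product documentation): it locates the rel="edit" link in a retrieved User element, changes the description, and builds the PUT request without sending it, refusing an edit link that is not https on the same host as the object. Assumptions: the namespace URI, the media type, the host, the `USER-ID` placeholder, and the position of `Description` after the `Link` elements; authentication headers are left out.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "http://www.vmware.com/vcloud/v1.5"  # assumed vCloud API namespace
ET.register_namespace("", NS)

# Constructed sample of a retrieved User element (host and id are placeholders).
SAMPLE_USER = """<User xmlns="http://www.vmware.com/vcloud/v1.5" name="jdoe"
    type="application/vnd.vmware.admin.user+xml"
    href="https://vcloud.example.com/api/admin/user/USER-ID">
  <Link rel="edit" type="application/vnd.vmware.admin.user+xml"
      href="https://vcloud.example.com/api/admin/user/USER-ID"/>
  <Description>Old description</Description>
  <FullName>John Doe</FullName>
</User>"""


def build_update_request(element_xml, new_description):
    """Return an unsent PUT request that updates the object's Description."""
    root = ET.fromstring(element_xml)
    edit = next((link for link in root.findall(f"{{{NS}}}Link")
                 if link.get("rel") == "edit"), None)
    if edit is None:
        raise LookupError('representation carries no rel="edit" link')

    # Send the session only to the server that issued the object: the edit
    # link must use https and the same host as the object's own href.
    own, target = urlsplit(root.get("href")), urlsplit(edit.get("href"))
    if target.scheme != "https" or target.netloc != own.netloc:
        raise ValueError(f"edit link points elsewhere: {edit.get('href')}")

    desc = root.find(f"{{{NS}}}Description")
    if desc is None:
        # Assumption: Description belongs directly after the Link elements.
        links = [i for i, c in enumerate(root) if c.tag == f"{{{NS}}}Link"]
        desc = ET.Element(f"{{{NS}}}Description")
        root.insert(links[-1] + 1, desc)
    desc.text = new_description

    # The Content-Type is taken from the edit link's own type attribute.
    return urllib.request.Request(
        edit.get("href"), data=ET.tostring(root, encoding="utf-8"),
        method="PUT", headers={"Content-Type": edit.get("type")})
```

Pass the returned request to `urllib.request.urlopen` only after adding the session's authentication header.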