A role associates a role name with a set of rights. A newly created organization includes a set of predefined roles and rights inherited from the system. A system administrator can use the vCloud Director Web Console or the vCloud API to create or update role objects in any organization in the system. Organization administrators can use the vCloud API to create or update role objects in organizations they administer.

vCloud Director uses roles and their associated rights to determine whether a user or group is authorized to perform an operation. Many of the procedures documented in the vCloud Director Administrator's Guide, vCloud Director User's Guide, and vCloud API Programming Guide for Service Providers include a prerequisite role. These prerequisites assume that the named role is the unmodified predefined role or a role that includes an equivalent set of rights.

When you create or import a user or import a group, you must assign it a role.

Note

You can create and modify rights associated with extension services, but not those associated with vCloud Director. See Create a Service-Specific Right.

In previous releases of vCloud Director, roles were global objects created by system administrators and available to all organizations. Beginning with vCloud Director 8.20, role objects are created and managed at the organization level. Each organization is created with a set of predefined roles and the rights contained by those roles. A system administrator can use the vCloud API to grant additional rights to an organization during creation or afterward. A system administrator can also remove rights from an organization. A system administrator can edit a predefined role to add or remove rights.

Note

When you upgrade vCloud Director from a release earlier than 8.20, all roles that exist in the system, including roles created by system administrators, are treated as predefined roles. Copies of these roles, along with the rights they contain, are propagated to all organizations in the system. Only a system administrator can delete or modify a predefined role.
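Because roles are organization-level objects and documented prerequisites assume a role that is unmodified or has an equivalent set of rights, it is useful to compare each organization's copy of a role with the predefined baseline. The following is an added example, not code from the vCloud Director documentation; the Role/RightReferences/RightReference layout is assumed from the vCloud API's XML role representation, and all role, right and organization names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"vc": "http://www.vmware.com/vcloud/v1.5"}

def rights_of(role_xml):
    """Return (role name, set of right names) from one Role document."""
    root = ET.fromstring(role_xml)
    refs = root.findall("vc:RightReferences/vc:RightReference", NS)
    return root.get("name"), {r.get("name") for r in refs}

def audit(baseline_xml, org_roles):
    """Compare each organization's copy of a role with the predefined baseline.

    org_roles maps organization name -> Role XML. Returns a dict mapping
    organization name -> (meets_prerequisite, missing rights, added rights).
    """
    base_name, base = rights_of(baseline_xml)
    report = {}
    for org, xml_doc in org_roles.items():
        name, rights = rights_of(xml_doc)
        if name != base_name:
            raise ValueError(f"{org}: expected role {base_name!r}, got {name!r}")
        # Missing rights break documented prerequisites; added rights are
        # privileges beyond what the predefined role grants.
        missing, added = base - rights, rights - base
        report[org] = (not missing, sorted(missing), sorted(added))
    return report

def role_doc(name, rights):
    """Build a constructed Role document for the sample data below."""
    refs = "".join(f'<RightReference name="{r}"/>' for r in rights)
    return (f'<Role xmlns="{NS["vc"]}" name="{name}">'
            f"<RightReferences>{refs}</RightReferences></Role>")

# Constructed sample data: role and right names are placeholders.
BASELINE = role_doc("Example Role", ["Right A", "Right B", "Right C"])
ORG_ROLES = {
    "org-unmodified": role_doc("Example Role", ["Right A", "Right B", "Right C"]),
    "org-reduced": role_doc("Example Role", ["Right A", "Right C"]),
    "org-extended": role_doc("Example Role", ["Right A", "Right B", "Right C", "Right D"]),
}

if __name__ == "__main__":
    for org, (ok, missing, added) in audit(BASELINE, ORG_ROLES).items():
        print(f"{org}: prerequisite met={ok} missing={missing} added={added}")
```

A role with missing rights no longer satisfies procedures that name it as a prerequisite, while a role with added rights still does but grants more than the predefined role.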