Each
vCloud Director
predefined role contains a default set of rights required to perform operations
included in common workflows. With the exception of the System Administrator
role, each predefined role exists in every organization in the system.
The System
Administrator Role
The system administrator role
exists only in the System organization. The System organization and system
administrator role include all rights. System administrator credentials are
established during installation and configuration. A system administrator can
create additional system administrator accounts. All system administrators are
members of the System organization.
You cannot modify the rights
associated with the System Administrator role. A system administrator can use
the
vCloud Director
Web Console or the vCloud API to create or update other role objects in any
organization in the system.
Predefined
Roles
Predefined roles and the
rights they contain are available in all organizations.
|
Organization
Administrator
|
After creating an
organization, a system administrator can assign the role of organization
administrator to any user in the organization. A user with the predefined
Organization Administrator role can use the
vCloud Director
Web Console or the vCloud API to manage users and groups in their organization
and assign them roles, including the predefined Organization Administrator
role. An organization administrator can use the vCloud API to create or update
role objects that are local to the organization. Roles created or modified by
an organization administrator are not visible to other organizations.
|
|
Catalog Author
|
The rights associated
with the predefined Catalog Author role allow a user to create and publish
catalogs.
|
|
vApp Author
|
The rights associated
with the predefined vApp Author role allow a user to use catalogs and create
vApps.
|
|
vApp User
|
The rights associated
with the predefined vApp User role allow a user to use existing vApps.
|
|
Console Access Only
|
The rights associated
with the predefined Console Access Only role allow a user to view virtual
machine state and properties and to use the guest OS.
|
|
Defer to Identity
Provider
|
Rights associated with
the predefined Defer to Identity Provider role are determined based on
information received from the user's OAuth or SAML Identity Provider. To
qualify for inclusion when a user or group is assigned the Defer to Identity
Provider role, a role or group name supplied by the Identity Provider must be
an exact, case-sensitive match for a role or group name defined in your
organization.
■
|
If the user is
defined by an OAuth Identity Provider, the user will be assigned the roles
named in the
roles array of the
user's OAuth token.
|
■
|
If the user is
defined by a SAML Identity Provider, the user will be assigned the roles named
in the SAML attribute whose name appears in the
RoleAttributeName
element in the organization's
OrgFederationSettings.
|
If a user is assigned the
Defer to
Identity Provider role but no matching role or group name is
available in your organization, the user can log in to the organization but has
no rights. If an Identity Provider associates a user with a system-level role
such as System Administrator, the user can log in to the organization but has
no rights. You must manually assign a role to such users.
|
With the exception of the
Defer to
Identity Provider role, each predefined role includes a set
of default rights. Only a system administrator can modify the rights in a
predefined role. If a system administrator modifies a predefined role, the
modifications propagate to all instances of the role in the system.
Rights in Predefined
Roles
Predefined roles and new
roles created by the organization administrator are listed in the
RoleReferences element
of
AdminOrg response. To
view the list of rights included in a role, make a request like this one, where
org-id
is the UUID of the organization and
role-id is the UUID of
the role.
GET https://vcloud.example.com/api/admin/org/org-id/role/role-id
You can also use the
adminRole query and
filter on the organization UUID.
GET https://vcloud.example.com/api/query?type=adminRole&format=records&filter=org==https://vcloud.example.com/api/org/org-id
The system classifies rights
according to the object type to which they apply.
Rights Associated With
Catalogs
|
|
|
|
|
|
|
|
Catalog: Add vApp from My Cloud
|
Permission to add a vApp to a catalog from
My Cloud.
|
X
|
X
|
X
|
|
|
|
Catalog: Change Owner
|
Permission to change the owner of a catalog.
|
X
|
|
|
|
|
|
Catalog: Create/Delete a Catalog
|
Permission to create and delete catalogs.
|
X
|
X
|
|
|
|
|
Catalog: Edit Catalog Properties
|
Permission to edit catalog properties.
|
X
|
X
|
|
|
|
|
Catalog: Allow External
Publishing/Subscriptions for the Catalogs
|
Permission to publish catalogs for external
consumption and to subscribe to external catalog feeds.
|
X
|
X
|
|
|
|
|
Catalog: Share a Catalog to Users/Groups
within Current Organization
|
Permission to share catalogs to users and
groups in the same organization.
|
X
|
X
|
|
|
|
|
Catalog: View Private and Shared Catalogs
within Current Organization
|
Permission to view both private and shared
catalogs in the organization.
|
X
|
X
|
X
|
|
|
|
Catalog: View Shared Catalogs from Other
Organizations
|
Permission to view catalogs shared from
other organizations.
|
X
|
|
|
|
|
Rights Associated With
Independent Disks
|
|
|
|
|
|
|
|
Disk: Create
|
Permission to create independent disks.
|
X
|
X
|
X
|
|
|
|
Disk: Delete
|
Permission to delete independent disks.
|
X
|
X
|
X
|
|
|
|
Disk: Edit Properties
|
Permission to edit the properties of an
independent disk.
|
X
|
X
|
X
|
|
|
|
Disk: View Properties
|
Permission to view the properties of an
independent disk.
|
X
|
X
|
X
|
X
|
|
|
Disk: Change Owner
|
Permission to change the owner of an
independent disk.
|
X
|
|
|
|
|
Rights Associated With
vApp Templates and Media
|
|
|
|
|
|
|
|
Catalog Item: Add to My Cloud
|
Permission to add a vApp template or media
file to My Cloud.
|
X
|
X
|
X
|
X
|
|
|
Catalog Item: Copy/Move a vApp Template/Media
|
Permission to copy and move vApp templates
and media files.
|
X
|
X
|
X
|
|
|
|
Catalog Item: Create/Upload a vApp
Template/Media
|
Permission to create and upload vApp
templates and media files.
|
X
|
X
|
|
|
|
|
Catalog Item: Enable vApp Template/Media
Download
|
Permission to enable a vApp template or
media item to be downloaded.
|
X
|
X
|
|
|
|
|
Catalog Item: Edit vApp Template/Media
Properties
|
Permission to edit the properties of a vApp
template or media file.
|
X
|
X
|
|
|
|
|
Catalog Item: View vApp Templates/Media
|
Permission to view vApp templates and media
files.
|
X
|
X
|
X
|
X
|
|
Rights Associated With
vApps
|
|
|
|
|
|
|
|
vApp: Change Owner
|
Permission to change the owner of a vApp.
|
X
|
|
|
|
|
|
vApp: Copy a vApp
|
Permission to copy a vApp.
|
X
|
X
|
X
|
X
|
|
|
vApp: Create/Reconfigure a vApp
|
Permission to create and reconfigure vApps.
|
X
|
X
|
X
|
|
|
|
vApp: Delete a vApp
|
Permission to delete a vApp.
|
X
|
X
|
X
|
X
|
|
|
vApp: Download a vApp
|
Permission to download a vApp.
|
X
|
X
|
X
|
X
|
|
|
vApp: Edit vApp Properties
|
Permission to edit a vApp's properties.
|
X
|
X
|
X
|
X
|
|
|
vApp: Edit VM CPU
|
Permission to edit virtual machine CPUs.
|
X
|
X
|
X
|
|
|
|
vApp: Edit VM Hard Disk
|
Permission to edit virtual machine hard
disks.
|
X
|
X
|
X
|
|
|
|
vApp: Edit VM Memory
|
Permission to edit virtual machine memory.
|
X
|
X
|
X
|
|
|
|
vApp: Edit VM Network
|
Permission to edit virtual machine network
configuration.
|
X
|
X
|
X
|
X
|
|
|
vApp: Edit VM Properties
|
Permission to edit virtual machine
properties.
|
X
|
X
|
X
|
X
|
|
|
vApp: Manage VM Password Settings
|
Permission to edit virtual machine password
settings.
|
X
|
X
|
X
|
X
|
X
|
|
vApp: Start/Stop/Suspend/Reset a vApp
|
Permission to start, stop, suspend, and
reset a vApp
|
X
|
X
|
X
|
X
|
|
|
vApp: Share a vApp
|
Permission to share vApps.
|
X
|
X
|
X
|
X
|
|
|
vApp: Create/Remove/Revert a Snapshot
|
Permission to create, revert, and delete
virtual machine snapshots.
|
X
|
X
|
X
|
X
|
|
|
vApp: Upload a vApp
|
Permission to upload a vApp.
|
X
|
X
|
X
|
X
|
|
|
vApp: Access to a VM Console
|
Permission to use the virtual machine
console.
|
X
|
X
|
X
|
X
|
X
|
|
vApp: View VM Metrics
|
Permission to view virtual machine metrics.
|
X
|
|
X
|
X
|
|
|
vApp: Insert CD
|
Permission to insert a CD into any virtual
machine in the vApp
|
X
|
X
|
X
|
X
|
X
|
|
Allow metadata mapping domain to vCenter
|
Permission to apply metadata in the VCENTER
domain to a virtual machine
|
X
|
X
|
X
|
|
|
Administrative
Rights
These rights are granted to
the system administrator throughout the system, and to an organization
administrator within the organization. These rights are not granted to any
other predefined role. The system administrator is granted additional rights
not granted to organization administrators.
Additional Rights
Granted to Organization Administrators
|
|
|
|
General: Administrator Control
|
Permission to use all administrator
privileges.
|
X
|
|
General: Administrator View
|
Permission to view
vCloud Director
as an administrator.
|
X
|
|
General: Send Notification
|
Permission to send vCloud Director user
notifications.
|
X
|
|
Gateway: Configure Services
|
Permission to configure gateway services.
|
X
|
|
Organization VDC Network: Edit Properties
|
Permission to edit the properties of an
organization virtual data center network.
|
X
|
|
Organization VDC Network: View Properties
|
Permission to view the properties of an
organization virtual data center network.
|
X
|
|
Organization VDC: Set Default Storage Policy
|
Permission to set the default storage policy
for an organization virtual data center.
|
X
|
|
Organization VDC: View Organization VDCs
|
Permission to view organization virtual data
centers.
|
X
|
|
Organization: Allow Access to All
Organization VDCs
|
Permission to access all organization
virtual data centers through vCloud Air
|
X
|
|
Organization: Edit Federation Settings
|
Permission to edit an organization's
federation settings.
|
X
|
|
Organization: Edit Leases Policy
|
Permission to edit an organization's leases
policy.
|
X
|
|
Organization: Edit Organization Network
Properties
|
Permission to edit an organization's network
properties
|
X
|
|
Organization: Edit Organization Properties
|
Permission to edit organization properties.
|
X
|
|
Organization: Edit Password Policy
|
Permission to edit an organization's
password policy.
|
X
|
|
Organization: Edit Quotas Policy
|
Permission to edit an organization's quotas
policy.
|
X
|
|
Organization: Edit SMTP Settings
|
Permission to edit an organization's SMTP
settings.
|
X
|
|
Organization: Edit Organization Associations
|
Permission to edit an organization's
associations.
|
X
|
|
Organization: Implicitly Import User/Group
from IdP While Editing VDC ACL
|
Permission to import vCloud Director users
and groups while editing VDC Access Control Lists in vCloud Air
|
X
|
|
Organization: Edit Access Control List of
Organization VDCs
|
Permission to edit the vCloud Air Access
Control Lists of organization virtual data centers
|
X
|
|
Organization: View Access Control List of
Organization VDCs
|
Permission to view the vCloud Air Access
Control Lists of organization virtual data centers
|
X
|
|
Organization: View Organization Networks
|
Permission to view organization networks.
|
X
|
|
Organization: View Organizations
|
Permission to view organizations.
|
X
|
|
Organization: Edit Operation Limits
|
Permission to edit an organization's
OrgOperationLimitsSettings.
|
X (system administrator only)
|