Automation Orchestrator administrators can set permissions that control access to features and content in the Automation Orchestrator Client. Access rights are separated into user roles and group permissions.

Roles control what Automation Orchestrator Client features users can view and use. Access to the role management functionality depends on the license type of your Automation Orchestrator environment.
Table 1. License-Based Access to Automation Orchestrator Role Management

License: vSphere
  • Role management is not supported. Groups support only Run permissions.

License: VMware Aria Automation
  • Authentication with vSphere: Manage roles in the Automation Orchestrator Client. See Assign Roles in the Automation Orchestrator Client.
  • Authentication with VMware Aria Automation: Manage roles through Identity and Access Management in VMware Aria Automation. See Configure Automation Orchestrator Client Roles in VMware Aria Automation.

Group permissions control what Automation Orchestrator Client content users can view and use, such as workflows, actions, policies, configuration elements, and resource elements. Access to preconfigured system Automation Orchestrator content like standard workflows and actions is shared among all users, unless configured otherwise through group permissions.

Access rights of users with administrator and viewer roles are not restricted by group permissions. Access rights of users without an assigned role and users with a workflow designer role depend on the group assigned to them. You can extend the access rights of these users by modifying their group permissions. In this way, you can organize users into common projects. For example, you can create a group that includes users working on developing a custom Automation Orchestrator plug-in and allow them to modify only content that is specific to their group.

Table 2. Automation Orchestrator User Roles and Groups Permissions

Role: Administrator

Administrators can access all Automation Orchestrator Client features and content, including the content created by specific groups. Administrators are responsible for setting user roles, creating and deleting groups, and adding users to groups. Administrators are not limited by group permissions.

Tenant administrators from VMware Aria Automation environments used to authenticate Automation Orchestrator have Administrator rights by default.

Role: Viewer

Viewers have read-only access to all content in the Automation Orchestrator Client, but cannot create, edit, run, or export content. Viewers can also see all groups and group content. Viewers are not limited by group permissions.

The Viewer role overwrites the Workflow Designer role when set to the same user account.

Role: Workflow Designer

Group Permissions: No assigned group
  • View system content.
  • View and run own runs.
  • Create, run, edit, and delete own content.

Group Permissions: Run
  • View system content.
  • View and run own runs.
  • Create, run, edit, and delete own content.
  • Add own content to the group.
  • Run group content, but cannot edit it.

Group Permissions: Run and edit
  • View system content.
  • View and run own runs.
  • Create, run, edit, and delete own content.
  • Add own content to the group.
  • Run and edit group content.

Not available for Automation Orchestrator instances authenticated with vSphere.

Role: User without an assigned role

Group Permissions: No assigned group
  • View own runs.
  • Respond to user interaction requests.

These access rights are granted by default to users in VMware Aria Automation and vSphere without an assigned Automation Orchestrator role and group.

Group Permissions: Run
  • View and run own runs.
  • View and run group content.

Group Permissions: Run and edit
  • View and run own runs.
  • View and run group content.

To be able to create, edit, and add content, users in this group must be assigned a Workflow Designer role.

Not available for Automation Orchestrator instances authenticated with vSphere.