As an organization owner, you can create custom roles with cross-service access by combining permissions from existing service roles. You can assign custom roles to users and groups in your organization. This gives you greater flexibility and granularity in managing service access in your organization.

Note: Currently, some services support permissions while others do not. You can create custom roles only from service roles that support permissions. Carbon Black Cloud is a service that does support permissions.

Each VMware Cloud service, including Carbon Black Cloud, comes with one or more built-in service roles. Service roles are made up of permission sets. You use the built-in service roles and permissions as building blocks to create custom roles in one of several ways:
  • By selecting individual permissions from predefined built-in service roles.
  • By copying full sets of permissions from predefined built-in service roles.
  • By combining the selection of individual permissions with copying full sets of permissions from built-in or custom roles.

Your starting point for working with custom roles is the Identity & Access Management > Roles page in Cloud Services Console.

The following table describes how to work with custom roles in your organization.

For more details, see:
To... Do the following
Create a custom role
  1. On the Roles page, click Add Role.
  2. On the Add permissions step of the wizard, select the combination of permissions for the new custom role.
    • Clicking a service name in the left pane displays all service role permissions in the right pane. Use the check boxes to select the individual permissions that you want to add to the new custom role.
    • Clicking a service role name under a specific service displays the permissions that go with the role. Click the Copy permissions from this role link.

      This action copies all permissions from the selected role and adds them to the new custom role. You can edit the custom role later to remove the permissions that you don't want to include.

  3. Click Continue.
  4. Type a name and description for the new custom role.
  5. On the last step, review the list of permissions you added to the new custom role, then click Save.
Edit an existing custom role

Editing the permissions of an existing custom role will affect all users and groups that have this role in the organization.

The Created by column of the Roles table indicates if a role is built-in or created by an organization owner. You can modify the permissions of custom roles, but you can't modify the permissions of built-in service roles.
  1. On the Roles page, select the custom role that you want to edit.
  2. Click Edit Roles.
  3. Make your changes and when ready, click Save.
Delete a custom role

Deleting a custom role removes it permanently from the organization. Users and groups who have this role will lose the access permissions granted by the custom role.
  1. On the Roles page, select the custom role that you want to delete.
  2. Click Remove Roles.
Assign a custom role

You assign custom roles in the same way you assign service roles. You can do that either when inviting a user to the organization or by editing a user's roles in the organization.