Access to VMware Cloud Director Extension for VMware Tanzu Mission Control is managed by a rights bundle and two roles in VMware Cloud Director. These roles are referred to as the TMC Administrator and TMC Member roles, but you can configure specific names for them during installation. They are used to configure Access Policies when an organization is initially onboarded to VMware Tanzu Mission Control. After the initial onboarding, the TMC Administrator can modify these policies to grant access to any user or role they choose.

For more information on VMware Tanzu Mission Control roles, see Access Control.
Table 1. Rights Bundle

Rights Bundle: vmware:tmc_tenant
Description: This rights bundle contains the privileges that an organization needs in order to use VMware Cloud Director Extension for VMware Tanzu Mission Control.
Table 2. User Roles

Global Role in VMware Cloud Director: TMC Administrator
Default Value: tmc:admin
Rights:
  • VIEW: VMWARE:TMC
  • Enable OIDC Server
  • Inherited rights from the existing Kubernetes Cluster Author role in VMware Cloud Director.
  • Inherited rights from the existing Organization Administrator role in VMware Cloud Director.
Mapped Role in VMware Tanzu Mission Control: Service Admin

Global Role in VMware Cloud Director: TMC Member
Default Value: tmc:member
Rights:
  • VIEW: VMWARE:TMC
  • Enable OIDC Server
  • Inherited rights from the existing Kubernetes Cluster Author role in VMware Cloud Director.
Mapped Role in VMware Tanzu Mission Control: Service Member

You can set the values for these roles during installation of the solution. The values will apply to all organizations in VMware Cloud Director. The solution will create roles with the rights above if they do not already exist. If the role exists before the installation of VMware Cloud Director Extension for VMware Tanzu Mission Control, the solution will add the following two rights to each role:

  • VIEW: VMWARE:TMC
  • Enable OIDC Server
Note: By default, TMC Administrator users cannot view or manage VMware Tanzu Mission Control attachable clusters from the VMware Cloud Director UI. Additional rights such as Administrator View: VMWARE:CAPVCDCLUSTER and/or Administrator Full Control: VMWARE:CAPVCDCLUSTER are necessary for this user to manage those clusters from that UI. The TMC Administrator user can, however, manage all of these clusters from the VMware Tanzu Mission Control portal.
Note:
  • Service providers cannot attach any clusters from tenant organizations to VMware Tanzu Mission Control from the VMware Tanzu Mission Control UI or the Kubernetes Container Clusters UI, even though they are assigned the TMC Administrator role. This privilege only allows service providers to log in to the VMware Tanzu Mission Control UI.

  • Service providers cannot view tenant clusters in the VMware Tanzu Mission Control UI.

  • Service providers cannot view VMware Tanzu Mission Control attachment status in the Kubernetes Container Clusters UI.

Note: If an external IDP is used for all organizations, tenant administrators may assign multiple roles to their users through the appropriate claims. In this case the TMC Administrator and TMC Member roles may be kept minimally privileged, with only the rights above. This does not work if any organization uses VMware Cloud Director local users, because such users can be assigned only a single role.
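The installation behaviour and the two notes above (a pre-existing role only gains the two TMC rights, a newly created role gets the full default set, the TMC Administrator needs extra CAPVCDCLUSTER rights to manage clusters from the VMware Cloud Director UI, and a local user can hold only one role) can be modelled and audited before and after installation. The following Python is an added example, not code from VMware or the extension; the role and right names come from this page, while the inherited-rights placeholders, the user records and the function names (`reconcile_roles`, `audit_admin_role`, `single_role_violations`) are constructed for the example. It generalizes slightly by accepting the configurable role names chosen at installation.

```python
# Added example (not VMware's code): models how installation leaves the TMC
# roles in VMware Cloud Director and audits the result for least privilege.
from typing import Dict, List, Set

# The two rights the extension adds to each role (names from the page).
TMC_RIGHTS: Set[str] = {"VIEW: VMWARE:TMC", "Enable OIDC Server"}

# Rights the TMC Administrator additionally needs to manage attachable
# clusters from the VMware Cloud Director UI (names from the page's note).
CLUSTER_UI_RIGHTS: Set[str] = {
    "Administrator View: VMWARE:CAPVCDCLUSTER",
    "Administrator Full Control: VMWARE:CAPVCDCLUSTER",
}

# Constructed placeholders for the rights inherited from existing VCD roles;
# a real environment carries the actual right names of those roles.
KUBERNETES_CLUSTER_AUTHOR_RIGHTS: Set[str] = {"<inherited: Kubernetes Cluster Author>"}
ORG_ADMIN_RIGHTS: Set[str] = {"<inherited: Organization Administrator>"}

# Default rights per role as listed in Table 2, keyed by default role value.
DEFAULT_ROLE_RIGHTS: Dict[str, Set[str]] = {
    "tmc:admin": TMC_RIGHTS | KUBERNETES_CLUSTER_AUTHOR_RIGHTS | ORG_ADMIN_RIGHTS,
    "tmc:member": TMC_RIGHTS | KUBERNETES_CLUSTER_AUTHOR_RIGHTS,
}


def reconcile_roles(
    existing: Dict[str, Set[str]],
    admin_role: str = "tmc:admin",
    member_role: str = "tmc:member",
) -> Dict[str, Set[str]]:
    """Return the role table as the page says installation leaves it.

    A role that does not exist is created with the full default rights; a role
    that already exists only gains the two TMC rights, keeping its other rights.
    `admin_role` / `member_role` are the names configured during installation.
    """
    result = {name: set(rights) for name, rights in existing.items()}
    for configured_name, default_key in ((admin_role, "tmc:admin"), (member_role, "tmc:member")):
        if configured_name in result:
            result[configured_name] |= TMC_RIGHTS
        else:
            result[configured_name] = set(DEFAULT_ROLE_RIGHTS[default_key])
    return result


def audit_admin_role(rights: Set[str]) -> Dict[str, object]:
    """Report whether a TMC Administrator role has the required TMC rights and
    whether it can also manage attachable clusters from the VCD UI."""
    return {
        "missing_tmc_rights": sorted(TMC_RIGHTS - rights),
        "can_manage_clusters_in_vcd_ui": bool(rights & CLUSTER_UI_RIGHTS),
        "extra_cluster_ui_rights": sorted(rights & CLUSTER_UI_RIGHTS),
    }


def single_role_violations(users: List[Dict[str, object]]) -> List[str]:
    """Names of VCD local users planned to hold more than one role.

    Per the page, only external-IDP users can carry multiple roles via claims;
    a local user can be assigned a single role, so such a plan cannot be applied.
    """
    return [str(u["name"]) for u in users if u["local"] and len(u["roles"]) > 1]


if __name__ == "__main__":
    # Constructed sample: the admin role already exists under a custom name.
    before = {"Tenant TMC Admin": {"Some pre-existing right"}}
    after = reconcile_roles(before, admin_role="Tenant TMC Admin")
    print(audit_admin_role(after["Tenant TMC Admin"]))
    # Constructed sample users: one local user planned for two roles.
    planned = [
        {"name": "alice", "local": True, "roles": ["Tenant TMC Admin", "Organization Administrator"]},
        {"name": "bob", "local": False, "roles": ["tmc:member", "vApp Author"]},
    ]
    print(single_role_violations(planned))
```

Run against a dump of the organization's global roles, the audit shows at a glance which TMC Administrator roles are limited to the VMware Tanzu Mission Control portal and which ones also carry the CAPVCDCLUSTER rights that widen their reach into the VMware Cloud Director UI.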

Information for Tenant Administrators

Once VMware Cloud Director Extension for VMware Tanzu Mission Control is installed in the organization's VMware Cloud Director environment, service providers must advise organization tenant administrators to assign the tenant users in their organization to either the TMC Administrator or the TMC Member role.
Note: Ensure that VMware Cloud Director tenant users have the fullname field populated in the user object so that VMware Tanzu Mission Control Self-Managed login works correctly. The email may be used to create per-user access policies but is not required.

Note: A user with the TMC Administrator role must log in to VMware Tanzu Mission Control to initialize the organization's default settings before any user with the TMC Member role can use the service through the Kubernetes Container Clusters UI.