Starting with VMware Cloud Director 10.2, service providers can use the VMware Cloud Director API to create extensions that provide additional VMware Cloud Director capabilities to the tenants.

Service providers can create Runtime Defined Entities (RDEs) enabling extensions to store and manipulate the extension-specific information in VMware Cloud Director. For example, a Kubernetes extension can store information about the Kubernetes clusters it manages in RDEs. The extension can then provide extension APIs for managing those clusters using the information from the RDEs.

Access to Defined Entities

Two complementary mechanisms control the access to RDEs.

  • Rights - When you create an RDE type, you create a rights bundle for the type. To provide access to specific operations, you must assign rights from this bundle to other roles. Each bundle has five type-specific rights: View: TYPE, Edit: TYPE, Full Control: TYPE, Administrator View: TYPE, and Administrator Full Control: TYPE.

    The View: TYPE, Edit: TYPE, and Full Control: TYPE rights work only in combination with an ACL entry.

  • Access Control List (ACL) - The ACL table contains entries defining the access users have to specific entities in the system. It provides an extra level of control over the entities. For example, while an Edit: TYPE right specifies that a user can modify entities to which they have access, the ACL table defines which entities the user has access to.

    System administrators with the View General ACL right can view the ACLs assigned to a specific defined entity by using the accessControls API. For the VMware Cloud Director API reference, see code.vmware.com.

    System administrators with the Manage General ACL right can create, modify, and remove specific ACLs by using the accessControls API.

Table 1. Rights and ACL Entries for RDE Operations

| Entity Operation | Option | Description |
|---|---|---|
| Read | Administrator View: TYPE right | Users with this right can see all RDEs of this type within an organization. |
| Read | View: TYPE right and ACL entry >= View | Users with this right and a read-level ACL can view RDEs of this type. |
| Modify | Administrator Full Control: TYPE right | Users with this right can create, view, modify, and delete RDEs of this type in all organizations. |
| Modify | Edit: TYPE right and ACL entry >= Change | Users with this right and modify-level ACL can create, view, and modify RDEs of this type. |
| Delete | Administrator Full Control: TYPE right | Users with this right can create, view, modify, and delete RDEs of this type in all organizations. |
| Delete | Full Control: TYPE right and ACL entry = Full Control | Users with this right and full control-level ACL can create, view, modify, and delete RDEs of this type. |

You can use the VMware Cloud Director API or UI to publish the rights bundle to any organizations that you want to manage entities of this type. After publishing the rights bundle, you can assign rights from the bundle to roles within the organization.

You can use the VMware Cloud Director API to edit the ACL table.
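
The following Python sketch is an added example, not VMware Cloud Director code: it models the decision logic of Table 1 so that an access review can see which rights take effect for a given ACL entry. The function names and the operation labels `read`, `modify`, and `delete` are assumptions taken from the table's rows; entity creation and the organization scope of the administrator rights are not modelled.

```python
# Added example: a model of Table 1, not VMware Cloud Director code.
# ACL levels ordered from weakest to strongest, as named in the table.
ACL_ORDER = {"View": 1, "Change": 2, "Full Control": 3}
ALL_OPS = {"read", "modify", "delete"}

# (right, minimum ACL level or None if no ACL entry is needed, operations granted)
RULES = [
    ("Administrator View: TYPE", None, {"read"}),
    ("Administrator Full Control: TYPE", None, ALL_OPS),
    ("View: TYPE", "View", {"read"}),
    ("Edit: TYPE", "Change", {"read", "modify"}),
    ("Full Control: TYPE", "Full Control", ALL_OPS),
]


def allowed_operations(rights, acl_level=None):
    """Operations a user may perform on one RDE.

    rights: type-specific rights the user holds through a role.
    acl_level: the user's ACL entry on this entity, or None if there is none.
    """
    if acl_level is not None and acl_level not in ACL_ORDER:
        raise ValueError(f"unknown ACL level: {acl_level!r}")
    have = ACL_ORDER.get(acl_level, 0)
    ops = set()
    for right, min_acl, granted in RULES:
        if right in rights and (min_acl is None or have >= ACL_ORDER[min_acl]):
            ops |= granted
    return ops


def review(rights, acl_level=None):
    """Findings for an access review of one user/entity pair."""
    have = ACL_ORDER.get(acl_level, 0)
    findings = []
    for right, min_acl, _ in RULES:
        if right not in rights:
            continue
        if min_acl is None:
            findings.append(f"{right}: applies without any ACL entry")
        elif have < ACL_ORDER[min_acl]:
            findings.append(f"{right}: no effect, needs ACL >= {min_acl}")
    return findings


if __name__ == "__main__":
    # Constructed sample: Edit right held, but the entity is shared at View only.
    print(allowed_operations({"View: TYPE", "Edit: TYPE"}, "View"))
    print(review({"View: TYPE", "Edit: TYPE"}, "View"))
```

The review output makes two cases visible: rights that are assigned but inert because the ACL entry is missing or too low, and administrator rights that apply regardless of the ACL table.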