Starting with VMware Cloud Director 10.2, service providers can use the VMware Cloud Director API to create extensions that provide additional VMware Cloud Director capabilities to the tenants. If a service provider granted you access, you can manage defined entities and share them with other tenants.

Service providers can create Runtime Defined Entities (RDEs) enabling extensions to store and manipulate the extension-specific information in VMware Cloud Director. For example, a Kubernetes extension can store information about the Kubernetes clusters it manages in RDEs. The extension can then provide extension APIs for managing those clusters using the information from the RDEs.

Access to Defined Entities

Two complementary mechanisms control the access to RDEs.

  • Rights - When a service provider creates an RDE type, they create a rights bundle for the type. A service provider must assign you one or more of the five type-specific rights: View: TYPE, Edit: TYPE, Full Control: TYPE, Administrator View: TYPE, and Administrator Full Control: TYPE.

    The View: TYPE, Edit: TYPE, and Full Control: TYPE rights work only in combination with an ACL entry.

  • Access Control List (ACL) - The ACL table contains entries defining the access users have to specific entities in the system. It provides an extra level of control over the entities. For example, while an Edit: TYPE right specifies that a user can modify entities to which they have access, the ACL table defines which entities the user has access to.

Table 1. Rights and ACL Entries for RDE Operations

  Entity Operation | Option                                                | Description
  -----------------+-------------------------------------------------------+----------------------------------------------------------------------------------------------
  Read             | Administrator View: TYPE right                        | Users with this right can see all RDEs of this type within an organization.
                   | View: TYPE right and ACL entry >= View                | Users with this right and a read-level ACL can view RDEs of this type.
  Modify           | Administrator Full Control: TYPE right                | Users with this right can create, view, modify, and delete RDEs of this type in all organizations.
                   | Edit: TYPE right and ACL entry >= Change              | Users with this right and a modify-level ACL can create, view, and modify RDEs of this type.
  Delete           | Administrator Full Control: TYPE right                | Users with this right can create, view, modify, and delete RDEs of this type in all organizations.
                   | Full Control: TYPE right and ACL entry = Full Control | Users with this right and a full control-level ACL can create, view, modify, and delete RDEs of this type.

Sharing Defined Entities with Another User

If a system administrator published the rights bundle for a defined entity type and granted you ReadWrite or FullControl access, or if you are the owner of the defined entity, you can share access to those entities with other users.

  1. Assign the View: TYPE, Edit: TYPE, or Full Control: TYPE right from the bundle to the user roles you want to have the specific level of access to the defined entity.

    Note: You must be logged in as a system administrator or organization administrator to assign rights.

    For example, if you want the users with the tkg_viewer role to view Tanzu Kubernetes clusters within the organization, you must add the View: Tanzu Kubernetes Guest Cluster right to the role. If you want the users with the tkg_author role to create, view, and modify Tanzu Kubernetes clusters within this organization, add the Edit: Tanzu Kubernetes Guest Cluster to that role. If you want the users with the tkg_admin role to create, view, modify, and delete Tanzu Kubernetes clusters within this organization, add the Full Control: Tanzu Kubernetes Guest Cluster right to the role.

  2. Grant the specific user an Access Control List (ACL) by making the following REST API call.

    POST https://[address]/cloudapi/1.0.0/entities/urn:vcloud:entity:[vendor]:[type name]:[version]:[UUID]/accessControls
    {
      "grantType" : "MembershipAccessControlGrant",
      "accessLevelId" : "urn:vcloud:accessLevel:[Access_level]",
      "memberId" : "urn:vcloud:user:[User_ID]"
    }

    Access_level must be ReadOnly, ReadWrite, or FullControl. User_ID must be the ID of the user to whom you want to grant access to the defined entity.

    You must have ReadWrite or FullControl access to an entity to grant ACL access to that entity.

    Users with the tkg_viewer role, described in the example, cannot grant ACL access. Users with the tkg_author or tkg_admin role can share access to a VMWARE:TKGCLUSTER entity with users who have the tkg_viewer, tkg_author, or tkg_admin role by granting them ACL access using the API request.

    Users with the Administrator Full Control: Tanzu Kubernetes Guest Cluster right can grant ACL access to any VMWARE:TKGCLUSTER entity.

    You can also use REST API calls to revoke the access or to view who has access to the entity. See the VMware Cloud Director REST API documentation on code.vmware.com.
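The following Python is an added example, not part of this documentation or of VMware's own tooling. It models the two-mechanism check from Table 1 (a type-specific right AND an ACL entry, with administrator rights needing no ACL entry) and builds the accessControls POST from step 2 above with the standard library. Assumptions: rights are named as on this page ("Edit: Tanzu Kubernetes Guest Cluster"), the table's ACL wording "View" and "Change" correspond to the API's ReadOnly and ReadWrite levels, a bearer token from a prior login is used, and the Accept header version 35.0 is the one for Cloud Director 10.2.

```python
import json
import urllib.request

# ACL levels accepted by the accessControls endpoint, ranked so that the
# "ACL entry >= View/Change" conditions in Table 1 become a comparison.
ACL_RANK = {"ReadOnly": 1, "ReadWrite": 2, "FullControl": 3}

# Table 1 as (right prefix, minimum ACL level or None for administrator rights).
# Assumption: "View" and "Change" in the table mean the ReadOnly and ReadWrite levels.
RULES = {
    "read": [("Administrator View", None), ("Administrator Full Control", None),
             ("View", "ReadOnly"), ("Edit", "ReadWrite"), ("Full Control", "FullControl")],
    "modify": [("Administrator Full Control", None),
               ("Edit", "ReadWrite"), ("Full Control", "FullControl")],
    "delete": [("Administrator Full Control", None), ("Full Control", "FullControl")],
}

def can_perform(operation, type_name, rights, acl_level):
    """True if a role's rights plus the user's ACL entry allow the operation.

    rights is a set like {"Edit: Tanzu Kubernetes Guest Cluster"}; acl_level is
    the user's ACL entry on the specific entity, or None when there is none.
    """
    for right, min_acl in RULES[operation]:
        if f"{right}: {type_name}" not in rights:
            continue
        if min_acl is None:  # administrator rights do not need an ACL entry
            return True
        if acl_level is not None and ACL_RANK[acl_level] >= ACL_RANK[min_acl]:
            return True
    return False

def entity_urn(vendor, type_name, version, uuid):
    return f"urn:vcloud:entity:{vendor}:{type_name}:{version}:{uuid}"

def build_acl_grant_request(address, token, urn, access_level, user_id):
    """Build the POST from step 2; rejects access levels the API does not define."""
    if access_level not in ACL_RANK:
        raise ValueError(f"access level must be one of {sorted(ACL_RANK)}")
    body = {"grantType": "MembershipAccessControlGrant",
            "accessLevelId": f"urn:vcloud:accessLevel:{access_level}",
            "memberId": f"urn:vcloud:user:{user_id}"}
    # Assumption: bearer token from a prior login; Accept version 35.0 for 10.2.
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json",
               "Accept": "application/json;version=35.0"}
    return urllib.request.Request(
        f"https://{address}/cloudapi/1.0.0/entities/{urn}/accessControls",
        data=json.dumps(body).encode(), headers=headers, method="POST")
```

Send the built request with urllib.request.urlopen(req); a caller whose own ACL entry is below ReadWrite is rejected by Cloud Director, so check can_perform("modify", ...) for the caller before issuing the grant.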

Changing the Owner of a Defined Entity

The owner of a defined entity or a user with the Administrator Full Control: TYPE right can transfer the ownership to another user by updating the defined entity model and changing the owner field with the ID of the new owner.