A right is the fundamental unit of access control in VMware Cloud Director. A role associates a role name with a set of rights. Each organization can have different rights and roles.
VMware Cloud Director uses roles and their associated rights to determine whether a user or group is authorized to perform an operation. Many of the procedures documented in the VMware Cloud Director guides include a prerequisite role. These prerequisites assume that the named role is the unmodified predefined role or a role that includes an equivalent set of rights.
System administrators can use rights bundles and global tenant roles to manage the rights and roles that are available to each organization.
After you install VMware Cloud Director, the system contains only the System Rights Bundle, which includes all rights that are available in the system. The System Rights Bundle is not published to any organization. The system also contains built-in global tenant roles that are published to all organizations. For information about the predefined roles, see Predefined VMware Cloud Director Roles and Their Rights.
After you upgrade VMware Cloud Director from version 9.1 or earlier, in addition to the System Rights Bundle, the system contains a Legacy Rights Bundle for each existing organization. Each Legacy Rights Bundle includes the rights that are available in the associated organization at the time of the upgrade and is published only to this organization.
If you upgraded VMware Cloud Director from version 9.1 or earlier, the existing role templates are published to all organizations as global tenant roles, and the existing roles that are unlinked from role templates are available as tenant-specific roles to their organizations.
VMware Cloud Director introduces OpenAPIs for managing rights and roles. For information about the VMware Cloud Director OpenAPI, see Getting Started with VMware Cloud Director OpenAPI at https://code.vmware.com.
Rights Terminology
- Right
-
Each right provides view or manage access to a particular object type in
VMware Cloud Director. Rights belong to different categories depending on the objects to which they relate, for example, vApp, Catalog, Organization, and so on. The Provider organization contains all rights available in the system. The system administrator defines the rights that are available to each organization. You cannot create or modify the rights included in
VMware Cloud Director.
Note: You can create and modify rights associated with extension services, but not those associated with VMware Cloud Director. See Create a Service-Specific Right
- Rights Bundle
- System administrators can use rights bundles to manage the rights that are available to each organization. A rights bundle is a set of rights that the system administrator can publish to one or more organizations. The system administrator can create and publish rights bundles that correspond to tiers of service, separately monetizable functionality, or any other arbitrary rights grouping. Only system administrators can view and manage the rights bundles. You can publish multiple bundles to the same organization.
- Organization Rights
- Organization rights are the full set of rights that are available to an organization. Organization rights can comprise multiple rights bundles, but the organization administrators and users see a flat set of rights that they can use to create and modify tenant-specific roles.
Roles Terminology
- Role
- A role is a set of rights that is assignable to one or more users and groups. When you create or import a user or group, you must assign it a role.
- Provider Roles
- Provider roles are the set of roles that are available only to the Provider organization. Provider roles can be assigned only to Provider users. System administrators can create custom provider roles.
- Tenant Roles
-
Tenant roles are the set of roles available to an organization.
System administrators can create and edit global tenant roles and publish them to one or more organizations. Global tenant roles can be assigned to tenant users in the organizations to which they are published. Organization administrators cannot edit global tenant roles.
Note: Tenant users can use only those rights from their roles that are published to their organizations. - Tenant-Specific Roles
-
Organization administrators can create and edit tenant-specific roles, which are local to their organizations. Tenant-specific roles can be assigned only to tenant users in the organization to which they belong. Tenant-specific roles can contain a subset of the organization rights only.
For information about managing tenant-specific roles, see VMware Cloud Director Tenant Guide.