Upon creation, catalogs and vApps grant full access to their owners and no access to other users. TheVMware Cloud Director API access control mechanism enables object owners to retrieve or update these access controls as needed.
To retrieve or update the access controls on a vApp or catalog, use controlAccess links. The controlAccess links for catalogs are included when you retrieve the containing AdminOrg. The controlAccess links for a vApp are included in the VApp element itself.
- ReadOnly
- The ReadOnly access level grants rights to read or use the object.
- Change
- The Change access level includes all rights granted by ReadOnly access and grants additional rights to modify the object and its properties.
- FullControl
- The FullControl access level includes all rights granted by Change access and grants additional rights to change the owner of the object, share it, or delete it.
See Access Rights to VMware Cloud Director Objects for detailed information about the rights granted by each access level.
Access Control for vApps
An administrator or vApp owner can control access to a vApp.
Each VApp element includes two types of access control links:
- Links where rel="down".
<Link rel="down" type="application/vnd.vmware.vcloud.controlAccess+xml" href="https://vcloud.example.com/api/vApp/vapp-id/controlAccess/"/>
Use this kind of link to retrieve the access control settings for the vApp identified in the href value. - Links where rel="controlAccess".
<Link rel="controlAccess" type="application/vnd.vmware.vcloud.controlAccess+xml" href="https://vcloud.example.com/api/vApp/vapp-id/action/controlAccess/"/>
Use this kind of link to specify new access control settings for the vApp identified in the href value. You specify the new access control settings in a ControlAccessParams element that you post to the URL that the href value of this link specifies. See Update vApp Access Controls for an example.
Access Control for Catalogs
An administrator can control access to a catalog. Each Catalog element includes two types of access control links:
- Links where rel="down".
<Link rel="down" type="application/vnd.vmware.vcloud.controlAccess+xml" href="https://vcloud.example.com/api/org/id/catalog/id/controlAccess/"/>
Use this kind of link to retrieve the access control settings for the catalog identified in the href value. - Links where rel="controlAccess".
<Link rel="controlAccess" type="application/vnd.vmware.vcloud.controlAccess+xml" href="https://vcloud.example.com/api/org/id/catalog/id/action/controlAccess/"/>
Use this kind of link to specify new access control settings for the catalog identified in the href value. You specify the new access control settings in a ControlAccessParams element that you post to the URL that the href value of this link specifies.
Granting Access to All Members of an Organization
To specify access controls that apply to all members of an organization, an administrator can set IsSharedToEveryone to true
and specify an access level in the EveryoneAccessLevel element.
<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5"> <IsSharedToEveryone>true</IsSharedToEveryone> <EveryoneAccessLevel>ReadOnly</EveryoneAccessLevel> </ControlAccessParams>
Granting Access to Individual Members of an Organization
To specify access controls that apply to specific users, an organization administrator can set IsSharedToEveryone to false
and specify an access level in an AccessSettings element that the ControlAccessParams request contains.
<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5"> <IsSharedToEveryone>false</IsSharedToEveryone> <AccessSettings> <AccessSetting> <Subject type="application/vnd.vmware.admin.user+xml" href="https://vcloud.example.com/api/admin/user/40"/> <AccessLevel>FullControl</AccessLevel> </AccessSetting> <AccessSetting> <Subject type="application/vnd.vmware.admin.user+xml" href="https://vcloud.example.com/api/admin/user/45"/> <AccessLevel>ReadOnly</AccessLevel> </AccessSetting> </AccessSettings> </ControlAccessParams>
Viewing or Changing the Owner of a vApp or Catalog
Ownership of a VApp or Catalog object is expressed in an Owner element that you can retrieve from the object. This element contains a User element that identifies the owner with a reference to a specific user. The initial owner of an object is the user who created it.
A system administrator can view or change the owner of a VApp or Catalog object using the procedure documented in View or Change the Owner of an Object.