An organization is initially granted all rights contained in the predefined roles. A system administrator can grant additional rights to an organization or remove rights previously granted.

Many newer VMware Cloud Director features require roles that use them to have special rights. These rights are not granted to an organization when you create it, or when you upgrade to a new VMware Cloud Director release. A system administrator must grant these rights to organizations that are entitled to use the features, and an organization administrator must add the rights to existing roles or create new roles that include them.

There are several ways to edit the rights in an organization:
  • You can add rights to the organization. This operation updates the set of rights already in the organization by adding new ones. No rights are removed.
  • You can replace the existing set of rights with a new set of rights. The replacement set of rights typically combines the rights that currently exist in the organization with additional rights available from the system.
  • You can remove individual rights or groups of rights from the organization.

Prerequisites

This operation is restricted to system administrators.

Procedure

  1. Retrieve the set of rights available in the system.
    Use a request like this one:
    GET https://vcloud.example.com/api/admin
    The RightReferences element returned by this request includes a RightReference for each right that you can grant to an organization.
  2. Retrieve the set of rights that exist in the organization.
    Use a request like this one:
    GET https://vcloud.example.com/api/admin/org/id/rights
    The OrgRights element returned by this request includes a RightReference for each right that exists in the organization.
  3. Update the organization's rights.
    Choose one of the following options:
    • Add new rights. Create an OrgRights request body that contains the new rights (a subset of the rights returned by the request you made in Step 1) that you want to grant to the organization. POST the modified OrgRights request body to the organization's edit link for rights.
    • Replace all rights. Create an OrgRights request body that includes the rights returned by the request you made in Step 2 and the additional rights (a subset of the rights returned by the request you made in Step 1) that you want to grant to the organization. PUT the modified OrgRights request body to the organization's edit link for rights.
    • Remove a right with identifier id. Make a request like this one: DELETE https://vcloud.example.com/api/admin/org/26/right/id

Example: Grant Additional Rights to an Organization

This request adds several unassigned rights (rights that are not part of any predefined role) to an organization.

Request:

POST https://vcloud.example.com/api/admin/org/26/rights
Content-type: application/vnd.vmware.admin.org.rights+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<OrgRights xmlns="http://www.vmware.com/vcloud/v1.5"> 
   <RightReference
      href="https://vcloud.example.com/api/admin/right/79f48ce4-975d-3b88-ad19-a25ce58b9e91"
      name="vApp: Allow All Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/896288a1-6dc9-39d1-b2e8-89332a93f97d"
      name="vApp: Allow Ethernet Coalescing Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/a98dd24b-8fd0-3fac-b548-611a467a53df"
      name="vApp: Allow Latency Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/a96bebdd-ee34-3d62-9014-5283a88bad34"
      name="vApp: Allow Matching Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
</OrgRights>

This variant of the request adds the same set of rights to the organization, but replaces the rights in the organization with the set of rights in the request body. Any rights not present in the request body are removed from the organization, and from all organization roles that include them.

Request:

PUT https://vcloud.example.com/api/admin/org/26/rights
Content-type: application/vnd.vmware.admin.org.rights+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<OrgRights xmlns="http://www.vmware.com/vcloud/v1.5"> 
   <!-- include the existing rights -->
   <RightReference
      href="https://vcloud.example.com/api/admin/right/5ddb661d-caf0-3680-9a74-59d4b06137f3"
      name="Disk: Change Owner"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/b755b050-772e-3c9c-9197-111c286f563d"
      name="Organization vDC Gateway: Configure Firewall"
      type="application/vnd.vmware.admin.right+xml" />
   ...

   <!-- then add the new rights -->
   <RightReference
      href="https://vcloud.example.com/api/admin/right/79f48ce4-975d-3b88-ad19-a25ce58b9e91"
      name="vApp: Allow All Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/896288a1-6dc9-39d1-b2e8-89332a93f97d"
      name="vApp: Allow Ethernet Coalescing Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/a98dd24b-8fd0-3fac-b548-611a467a53df"
      name="vApp: Allow Latency Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/a96bebdd-ee34-3d62-9014-5283a88bad34"
      name="vApp: Allow Matching Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
</OrgRights>

The response (only a portion of which is shown here) includes the new set of OrgRights. It also includes a link you can use to edit this list of rights.

Response:
<?xml version="1.0" encoding="UTF-8"?>
<OrgRights
   xmlns="http://www.vmware.com/vcloud/v1.5"
   href="https://vcloud.example.com/api/admin/org/798e24f6-b0bd-4b93-8e2e-c3c65c907f43/rights">
   <Link
      rel="edit"
      href="https://vcloud.example.com/api/admin/org/798e24f6-b0bd-4b93-8e2e-c3c65c907f43/rights"
      type="application/vnd.vmware.admin.org.rights+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/5ddb661d-caf0-3680-9a74-59d4b06137f3"
      name="Disk: Change Owner"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/b755b050-772e-3c9c-9197-111c286f563d"
      name="Organization vDC Gateway: Configure Firewall"
      type="application/vnd.vmware.admin.right+xml" />
   ...
   <RightReference
      href="https://vcloud.example.com/api/admin/right/79f48ce4-975d-3b88-ad19-a25ce58b9e91"
      name="vApp: Allow All Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/896288a1-6dc9-39d1-b2e8-89332a93f97d"
      name="vApp: Allow Ethernet Coalescing Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/a98dd24b-8fd0-3fac-b548-611a467a53df"
      name="vApp: Allow Latency Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
   <RightReference
      href="https://vcloud.example.com/api/admin/right/a96bebdd-ee34-3d62-9014-5283a88bad34"
      name="vApp: Allow Matching Extra Config"
      type="application/vnd.vmware.admin.right+xml" />
</OrgRights>
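
Because the PUT variant removes every right that is missing from the request body, it is worth diffing the proposed body against the Step 2 response before sending it. The following is an added example, not part of the original VMware documentation; the function names are hypothetical, and the sample XML is constructed from the rights shown in this page's examples.

```python
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
RIGHT_TYPE = "application/vnd.vmware.admin.right+xml"
ET.register_namespace("", NS)  # serialize OrgRights with a default xmlns

# Constructed sample of a Step 2 response (rights currently in the organization).
EXISTING_ORG_RIGHTS = """<?xml version="1.0" encoding="UTF-8"?>
<OrgRights xmlns="http://www.vmware.com/vcloud/v1.5">
   <Link rel="edit" href="https://vcloud.example.com/api/admin/org/26/rights"
      type="application/vnd.vmware.admin.org.rights+xml" />
   <RightReference href="https://vcloud.example.com/api/admin/right/5ddb661d-caf0-3680-9a74-59d4b06137f3"
      name="Disk: Change Owner" type="application/vnd.vmware.admin.right+xml" />
   <RightReference href="https://vcloud.example.com/api/admin/right/b755b050-772e-3c9c-9197-111c286f563d"
      name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml" />
</OrgRights>"""

# Constructed: one right chosen from the Step 1 response, as {href: name}.
NEW_RIGHTS = {
    "https://vcloud.example.com/api/admin/right/79f48ce4-975d-3b88-ad19-a25ce58b9e91":
        "vApp: Allow All Extra Config",
}

def right_refs(org_rights_xml):
    """Map href -> name for every RightReference in an OrgRights document."""
    root = ET.fromstring(org_rights_xml.encode("utf-8"))
    return {r.get("href"): r.get("name") for r in root.iter(f"{{{NS}}}RightReference")}

def build_put_body(existing_xml, new_rights):
    """Merge the existing rights with new_rights into one OrgRights PUT body."""
    merged = right_refs(existing_xml)
    merged.update(new_rights)
    root = ET.Element(f"{{{NS}}}OrgRights")
    for href, name in merged.items():
        ET.SubElement(root, f"{{{NS}}}RightReference",
                      {"href": href, "name": name, "type": RIGHT_TYPE})
    return ET.tostring(root, encoding="unicode")

def rights_removed_by_put(existing_xml, proposed_xml):
    """Names of rights the PUT would remove from the organization and its roles."""
    before, after = right_refs(existing_xml), right_refs(proposed_xml)
    return sorted(before[h] for h in before.keys() - after.keys())

if __name__ == "__main__":
    new_only = build_put_body(f'<OrgRights xmlns="{NS}"/>', NEW_RIGHTS)  # forgot Step 2
    merged = build_put_body(EXISTING_ORG_RIGHTS, NEW_RIGHTS)
    print("new-only body would remove:", rights_removed_by_put(EXISTING_ORG_RIGHTS, new_only))
    print("merged body would remove:", rights_removed_by_put(EXISTING_ORG_RIGHTS, merged))
```

A non-empty result from `rights_removed_by_put` means the PUT would revoke rights; use POST instead if the intent is only to add.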