A right is the fundamental unit of access control in VMware Cloud Director. A role associates a role name with a set of rights. Each organization can have different rights and roles.
VMware Cloud Director uses roles and their associated rights to determine whether a user or group is authorized to perform an operation. Many of the procedures documented in the VMware Cloud Director guides include a prerequisite role. These prerequisites assume that the named role is the unmodified predefined role or a role that includes an equivalent set of rights.
System administrators and sub-provider administrators can use rights bundles and global tenant roles to manage the rights and roles that are available to each organization.
After you install VMware Cloud Director, the system contains only the System Rights Bundle, which includes all rights that are available in the system. The System Rights Bundle is not published to any organization. The system also contains built-in global tenant roles that are published to all organizations managed by the system organization, except for the sub-provider administrator role, which is not published by default. For information about the predefined roles, see Predefined VMware Cloud Director Roles and Their Rights.
In addition to the System Rights Bundle, the system might contain a Legacy Rights Bundle for each existing organization. Each Legacy Rights Bundle includes the rights that are available in the associated organization at the time of the upgrade and is published only to this organization.
Legacy Rights Bundle.
VMware Cloud Director provides OpenAPIs for managing rights and roles. For information about the VMware Cloud Director OpenAPI, see Getting Started with VMware Cloud Director OpenAPI at https://developer.broadcom.com/.
Rights Terminology
- Right
- Each right provides view or manage access to a particular object type in VMware Cloud Director. Rights belong to different categories depending on the objects to which they relate, for example, vApp, Catalog, Organization, and so on. The provider organization contains all rights available in the system. The system administrator defines the rights that are available to each organization. Sub-providers can define the rights available to the organizations they manage. You cannot create or modify the rights included in VMware Cloud Director.
Note: You can create and modify rights associated with extension services, but not those associated with VMware Cloud Director. See Create a Service-Specific Right.
- Rights Bundle
- System administrators can use rights bundles to manage the rights that are available to each organization. A rights bundle is a set of rights that the system administrator can publish to one or more organizations. The system administrator or sub-provider administrator can create and publish rights bundles that correspond to tiers of service, separately monetizable functionality, or any other arbitrary rights grouping.
System administrators and sub-provider administrators can publish rights bundles only to organizations that they manage directly; for example, a provider cannot publish a rights bundle to a tenant organization that a sub-provider manages. Only system administrators and sub-provider administrators can view and manage the rights bundles. Administrators can publish multiple bundles to the same organization.
For information about managing right bundles, see VMware Cloud Director Service Provider Admin Guide.
- Classification of Rights
- Starting with version 10.6, VMware Cloud Director classifies rights into three groups: Provider, Sub-provider, and Tenant rights. The provider rights are applicable only to providers and cannot be assigned to or viewed by anyone else. Providers can publish the sub-provider rights to their direct tenants, giving them sub-provider capabilities, but sub-provider administrators cannot publish the sub-provider rights to the tenant organizations they manage. The tenant rights are regular rights that can be assigned to anyone.
If you want to see a list of all VMware Cloud Director rights with API rights' names, UI rights' names, rights classifications, UI right categories, and so on, see the VMware Cloud Director 10.5.x Rights file in CSV format.
Alternatively, you can find out the rights classification when using the VMware Cloud Director API: VMware Cloud Director returns the isPublishable field with each right. The field is true or false depending on the classification and the context from which you make the call. For example, a sub-provider classified right is true in the provider context, but false in the sub-provider context.
Roles Terminology
- Role
- A role is a set of rights that is assignable to one or more users and groups. When you create or import a user or group, you must assign it a role.
- Provider Roles
- Provider roles are the set of roles that are available only to the provider organization. System administrators can assign provider roles only to provider users. System administrators can create custom provider roles.
- Sub-Provider Role
- Starting with VMware Cloud Director 10.6, system administrators can publish the necessary rights to an organization so that it becomes a sub-provider organization. A user with the predefined sub-provider administrator role can create and manage organizations and organization VDCs, manage users and groups in the sub-provider's organizations and assign them roles, including the predefined sub-provider administrator role. The sub-provider administrator operates within the sub-provider organization. The sub-provider administrator role can create and publish both global roles and rights bundles.
For more information about the sub-provider role, see . For the full list of sub-provider rights, see .
- Tenant Roles
- Tenant roles are the set of roles available to an organization. System administrators and sub-provider administrators can create and edit global tenant roles and publish them to one or more organizations. System administrators and sub-provider administrators can publish global tenant roles only to organizations that they manage directly; for example, a provider cannot publish a global tenant role to a tenant organization that a sub-provider manages. Administrators can assign global tenant roles to tenant users in the organizations to which they are published. Organization administrators cannot edit global tenant roles.
Note: Tenant users can use only those rights from their roles that are published to their organizations.
- Tenant-Specific Roles
- Organization administrators can create and edit tenant-specific roles, which are local to their organizations. Tenant-specific roles can be assigned only to tenant users in the organization to which they belong. Tenant-specific roles can contain a subset of the organization rights only.
For information about managing tenant-specific roles, see VMware Cloud Director Sub-Provider and Tenant Guide.
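The publication rules above (the isPublishable behaviour of provider, sub-provider and tenant rights, the note that tenant users can use only the role rights published to their organization, and the subset constraint on tenant-specific roles) can be checked with a small model. This is an added illustration, not VMware code or the VMware Cloud Director API; the right and organization names are constructed, and the "provider"/"sub-provider" context strings are an assumption of the model.

```python
from enum import Enum


class Classification(Enum):
    PROVIDER = "provider"
    SUB_PROVIDER = "sub-provider"
    TENANT = "tenant"


def is_publishable(classification: Classification, context: str) -> bool:
    """Documented isPublishable rule: provider rights never, sub-provider
    rights only from the provider context, tenant rights from either."""
    if classification is Classification.PROVIDER:
        return False
    if classification is Classification.SUB_PROVIDER:
        return context == "provider"
    return True


class RightsModel:
    def __init__(self, catalog: dict[str, Classification]):
        self.catalog = catalog  # right name -> classification (constructed)
        self.bundles: dict[str, set[str]] = {}  # bundle name -> rights
        self.published: dict[str, set[str]] = {}  # org -> bundle names

    def create_bundle(self, name: str, rights: set[str]) -> None:
        unknown = set(rights) - set(self.catalog)
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self.bundles[name] = set(rights)

    def publish_bundle(self, name: str, org: str, context: str) -> None:
        # Refuse the whole bundle if any right is not publishable from here.
        blocked = {r for r in self.bundles[name]
                   if not is_publishable(self.catalog[r], context)}
        if blocked:
            raise PermissionError(f"{context} cannot publish {sorted(blocked)}")
        self.published.setdefault(org, set()).add(name)

    def org_rights(self, org: str) -> set[str]:
        """Rights available in an org: the union of its published bundles."""
        return set().union(*(self.bundles[b] for b in self.published.get(org, ())))

    def effective_rights(self, org: str, role_rights: set[str]) -> set[str]:
        """A tenant user can use only the role rights published to the org."""
        return set(role_rights) & self.org_rights(org)

    def create_tenant_specific_role(self, org: str, rights: set[str]) -> set[str]:
        """Tenant-specific roles may contain only a subset of the org's rights."""
        extra = set(rights) - self.org_rights(org)
        if extra:
            raise ValueError(f"not available in {org}: {sorted(extra)}")
        return set(rights)
```

Publishing a bundle that holds a sub-provider right succeeds from the provider context and raises PermissionError from the sub-provider context, while effective_rights drops any role right that no bundle has delivered to the organization.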