Upon creation, catalogs and vApps grant full access to their owners and no access to other users. The VMware Cloud Director API access control mechanism enables object owners to retrieve or update these access controls as needed.

To retrieve or update the access controls on a vApp or catalog, use controlAccess links. The controlAccess links for catalogs are included when you retrieve the containing AdminOrg. The controlAccess links for a vApp are included in the VApp element itself.

VMware Cloud Director defines three levels of access:
ReadOnly
The ReadOnly access level grants rights to read or use the object.
Change
The Change access level includes all rights granted by ReadOnly access and grants additional rights to modify the object and its properties.
FullControl
The FullControl access level includes all rights granted by Change access and grants additional rights to change the owner of the object, share it, or delete it.

See Access Rights to VMware Cloud Director Objects for detailed information about the rights granted by each access level.

Access Control for vApps

An administrator, a Virtual Infrastructure Administrator, or the vApp owner can control access to a vApp.

Each VApp element includes two types of access control links:

  • Links where rel="down".
    <Link
       rel="down"
       type="application/vnd.vmware.vcloud.controlAccess+xml"
       href="https://vcloud.example.com/api/vApp/vapp-id/controlAccess/"/>
    Use this kind of link to retrieve the access control settings for the vApp identified in the href value.
  • Links where rel="controlAccess".
    <Link
       rel="controlAccess"
       type="application/vnd.vmware.vcloud.controlAccess+xml"
       href="https://vcloud.example.com/api/vApp/vapp-id/action/controlAccess/"/>
    Use this kind of link to specify new access control settings for the vApp identified in the href value. You specify the new access control settings in a ControlAccessParams element that you post to the URL that the href value of this link specifies. See Update vApp Access Controls for an example.

Access Control for Catalogs

An administrator or a Virtual Infrastructure Administrator can control access to a catalog. Each Catalog element includes two types of access control links:

  • Links where rel="down".
    <Link
       rel="down"
       type="application/vnd.vmware.vcloud.controlAccess+xml"
       href="https://vcloud.example.com/api/org/id/catalog/id/controlAccess/"/>
    Use this kind of link to retrieve the access control settings for the catalog identified in the href value.
  • Links where rel="controlAccess".
    <Link
       rel="controlAccess"
       type="application/vnd.vmware.vcloud.controlAccess+xml"
       href="https://vcloud.example.com/api/org/id/catalog/id/action/controlAccess/"/>
    Use this kind of link to specify new access control settings for the catalog identified in the href value. You specify the new access control settings in a ControlAccessParams element that you post to the URL that the href value of this link specifies.
Important: These controlAccess links for catalogs are also returned in an Org element, but their appearance in that context has been deprecated. They might be removed from Org elements in a future version of the VMware Cloud Director API.
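Locating the two links programmatically. The following Python is an added example, not code from VMware or from the VMware Cloud Director API documentation. It parses an entity representation with the standard library's ElementTree, picks out the two controlAccess links by their media type, and returns the retrieve (rel="down") and update (rel="controlAccess") URLs. The sample VApp element is constructed for the example and trimmed to the links shown above plus one unrelated link; the function names are this example's own. The same code works for a Catalog element, since it carries the same two links.

```python
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
CONTROL_ACCESS_TYPE = "application/vnd.vmware.vcloud.controlAccess+xml"

# Constructed sample (not a real API response): a VApp element trimmed to the
# two controlAccess links shown above, plus one other rel="down" link so the
# example has something to reject. A Catalog element carries the same two
# links with /api/org/id/catalog/id/... hrefs.
SAMPLE_VAPP_XML = f"""<VApp xmlns="{VCLOUD_NS}" name="demo-vapp"
      href="https://vcloud.example.com/api/vApp/vapp-id">
  <Link rel="down" type="application/vnd.vmware.vcloud.owner+xml"
        href="https://vcloud.example.com/api/vApp/vapp-id/owner"/>
  <Link rel="down" type="{CONTROL_ACCESS_TYPE}"
        href="https://vcloud.example.com/api/vApp/vapp-id/controlAccess/"/>
  <Link rel="controlAccess" type="{CONTROL_ACCESS_TYPE}"
        href="https://vcloud.example.com/api/vApp/vapp-id/action/controlAccess/"/>
</VApp>
"""


def find_control_access_links(xml_text):
    """Map rel -> href for every Link whose media type is controlAccess.

    Filtering on the type attribute matters: rel="down" is used for many other
    child resources of a vApp or catalog, so rel alone does not identify the
    access control link.
    """
    root = ET.fromstring(xml_text)
    links = {}
    for link in root.iter(f"{{{VCLOUD_NS}}}Link"):
        if link.get("type") != CONTROL_ACCESS_TYPE:
            continue
        rel = link.get("rel")
        if rel in ("down", "controlAccess"):
            links[rel] = link.get("href")
    return links


def control_access_urls(xml_text):
    """Return (retrieve_url, update_url) for the entity, or raise if either is absent.

    The retrieve URL (rel="down") is read with a GET; the update URL
    (rel="controlAccess") receives a POSTed ControlAccessParams document.
    Use the hrefs exactly as the server returned them rather than building
    them from the entity id.
    """
    links = find_control_access_links(xml_text)
    missing = [rel for rel in ("down", "controlAccess") if rel not in links]
    if missing:
        raise ValueError(f"entity has no controlAccess link(s) with rel={missing}")
    return links["down"], links["controlAccess"]


if __name__ == "__main__":
    retrieve_url, update_url = control_access_urls(SAMPLE_VAPP_XML)
    print("GET ", retrieve_url)
    print("POST", update_url)
```

A client that receives an entity without the rel="controlAccess" link gets a ValueError here instead of a silently missing key, which is the behaviour you want before attempting to change sharing on an object.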

Granting Access to All Members of an Organization

To specify access controls that apply to all members of an organization, an administrator or a Virtual Infrastructure Administrator can set IsSharedToEveryone to true and specify an access level in the EveryoneAccessLevel element.

The following ControlAccessParams element grants read access to all members of the organization.
<ControlAccessParams
   xmlns="http://www.vmware.com/vcloud/v1.5">
   <IsSharedToEveryone>true</IsSharedToEveryone>
   <EveryoneAccessLevel>ReadOnly</EveryoneAccessLevel>
</ControlAccessParams>

Granting Access to Individual Members of an Organization

To specify access controls that apply to specific users, an organization administrator or a Virtual Infrastructure Administrator can set IsSharedToEveryone to false and specify an access level in an AccessSettings element that the ControlAccessParams request contains.

An AccessSettings element is populated with one or more AccessSetting elements, each of which assigns an access level to the user identified in the Subject element. The following ControlAccessParams element grants full control to one user and read-only access to another user.
<ControlAccessParams
   xmlns="http://www.vmware.com/vcloud/v1.5">
   <IsSharedToEveryone>false</IsSharedToEveryone>
   <AccessSettings>
      <AccessSetting>
         <Subject
            type="application/vnd.vmware.admin.user+xml"
            href="https://vcloud.example.com/api/admin/user/40"/>
         <AccessLevel>FullControl</AccessLevel>
      </AccessSetting>
      <AccessSetting>
         <Subject
            type="application/vnd.vmware.admin.user+xml"
            href="https://vcloud.example.com/api/admin/user/45"/>
         <AccessLevel>ReadOnly</AccessLevel>
      </AccessSetting>
   </AccessSettings>
</ControlAccessParams>
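Building and reviewing ControlAccessParams documents. The following Python is an added example, not VMware's code or part of any VMware SDK. One function produces the two documents shown above (sharing to everyone, and per-user AccessSettings) with ElementTree, rejecting any access level other than the three the page defines. A second function reviews a ControlAccessParams document, assuming the settings retrieved through the rel="down" link come back in the same shape shown above, against a least-privilege expectation that is this example's own policy, not the page's: nothing shared to everyone above ReadOnly, and FullControl (which includes re-sharing, changing the owner and deleting) held only by the owner, whose href you would take from the Owner element's User reference. The function names and sample user hrefs are this example's assumptions.

```python
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
USER_TYPE = "application/vnd.vmware.admin.user+xml"
ACCESS_LEVELS = ("ReadOnly", "Change", "FullControl")  # the three levels defined above
NS = {"v": VCLOUD_NS}


def _tag(name):
    return f"{{{VCLOUD_NS}}}{name}"


def build_control_access_params(shared_to_everyone=False, everyone_level=None, grants=()):
    """Serialize a ControlAccessParams document.

    grants is an iterable of (user_href, access_level) pairs, one per
    AccessSetting. Child order follows the documents shown above:
    IsSharedToEveryone, EveryoneAccessLevel, AccessSettings.
    """
    ET.register_namespace("", VCLOUD_NS)  # emit the default xmlns as in the examples
    root = ET.Element(_tag("ControlAccessParams"))
    ET.SubElement(root, _tag("IsSharedToEveryone")).text = "true" if shared_to_everyone else "false"
    if shared_to_everyone:
        if everyone_level not in ACCESS_LEVELS:
            raise ValueError(f"EveryoneAccessLevel must be one of {ACCESS_LEVELS}, got {everyone_level!r}")
        ET.SubElement(root, _tag("EveryoneAccessLevel")).text = everyone_level
    grants = list(grants)
    if grants:
        settings = ET.SubElement(root, _tag("AccessSettings"))
        for user_href, level in grants:
            if level not in ACCESS_LEVELS:
                raise ValueError(f"AccessLevel must be one of {ACCESS_LEVELS}, got {level!r}")
            setting = ET.SubElement(settings, _tag("AccessSetting"))
            ET.SubElement(setting, _tag("Subject"), {"type": USER_TYPE, "href": user_href})
            ET.SubElement(setting, _tag("AccessLevel")).text = level
    return ET.tostring(root, encoding="unicode")


def audit_control_access(xml_text, owner_href):
    """Return findings where sharing is broader than the owner-only default.

    Policy assumed by this example (not taken from the page): organization-wide
    sharing is acceptable only at ReadOnly, and FullControl stays with the owner.
    """
    root = ET.fromstring(xml_text)
    findings = []
    shared = root.findtext("v:IsSharedToEveryone", default="false", namespaces=NS)
    if shared.strip().lower() == "true":
        level = root.findtext("v:EveryoneAccessLevel", namespaces=NS)
        if level != "ReadOnly":
            findings.append(f"shared to everyone at {level}")
    for setting in root.findall("v:AccessSettings/v:AccessSetting", NS):
        subject = setting.find("v:Subject", NS)
        href = subject.get("href") if subject is not None else None
        level = setting.findtext("v:AccessLevel", namespaces=NS)
        if level == "FullControl" and href != owner_href:
            findings.append(f"FullControl granted to non-owner {href}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the user hrefs match the example document above.
    owner = "https://vcloud.example.com/api/admin/user/40"
    doc = build_control_access_params(grants=[
        (owner, "FullControl"),
        ("https://vcloud.example.com/api/admin/user/45", "ReadOnly"),
    ])
    print(doc)
    print("findings:", audit_control_access(doc, owner))
```

Run the audit over the document retrieved from each vApp's and catalog's rel="down" link to find objects whose sharing has drifted from the owner-only default; a FullControl grant to a second user means that user can re-share, delete, or change the owner of the object.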

Viewing or Changing the Owner of a vApp or Catalog

Ownership of a VApp or Catalog object is expressed in an Owner element that you can retrieve from the object. This element contains a User element that identifies the owner with a reference to a specific user. The initial owner of an object is the user who created it.

A system administrator or a Virtual Infrastructure Administrator can view or change the owner of a VApp or Catalog object using the procedure documented in View or Change the Owner of an Object.