As a system administrator, you can create global tenant roles and publish them to one or more VMware Cloud Director organizations that you manage. You can edit and delete existing global tenant roles. You can unpublish global tenant roles from individual organizations that you manage.

After the initial VMware Cloud Director installation and setup, the system contains a set of predefined global tenant roles that are published to all organizations. See Predefined VMware Cloud Director Roles and Their Rights.

Create a Global Tenant Role in Your VMware Cloud Director

You can create a global tenant role that you can publish to one or more VMware Cloud Director organizations in your system.

After the initial VMware Cloud Director installation and setup, the system contains predefined global tenant roles that are published to all organizations. For information about the predefined roles, see Predefined VMware Cloud Director Roles and Their Rights.

You can add custom global roles to your system.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Tenant Access Control, select Global Roles.
  3. Click New.
  4. Enter a name and, optionally, a description for the new role.
  5. Select the rights that you want to associate with the role.
    The rights are grouped in categories and subcategories that provide view or manage access to the objects to which they relate.

    You can select rights individually, select all view or all manage rights in a subcategory, or select all view or all manage rights globally.

    | Category | Description |
    | --- | --- |
    | Access Control | Contains rights for viewing and managing organizations, rights, roles, and users. |
    | Administration | Contains rights for viewing and managing general and multisite settings. |
    | Compute | Contains rights for viewing and managing organization and provider VDCs, vApps, organization VDC templates, and VM monitoring. |
    | Extensions | Contains rights for viewing and managing VMware Cloud Director plug-ins and extensions. |
    | Infrastructure | Contains rights for viewing and managing vSphere resources. |
    | Libraries | Contains rights for viewing and managing catalogs and catalog items. |
    | Networking | Contains rights for viewing and managing network resources. |
  6. Click Save.

Results

Upon its creation, the new global tenant role is available only to the VMware Cloud Director Provider organization.

What to do next

You can publish the newly created role to one or more organizations in your system. See Publish or Unpublish a Global Tenant Role to Your VMware Cloud Director.

Clone a Global Tenant Role to Your VMware Cloud Director

You can use an existing global tenant role as a template for the creation of a new role.

Prerequisites

Verify that you have the rights to add new roles to VMware Cloud Director.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Tenant Access Control, select Global Roles.
  3. Select the role that you want to clone and click Clone.
  4. In the Clone Global Role window, enter a name and description for the cloned role.
  5. (Optional) To edit the cloned rights, turn on the Modify Selected Rights toggle, and select or deselect the rights you want to change for the cloned role.
  6. Click Save.

Publish or Unpublish a Global Tenant Role to Your VMware Cloud Director

You can publish a global tenant role to one or more VMware Cloud Director organizations in your system. After you publish a role to an organization, the role becomes part of the organization's set of tenant roles.

Prerequisites

To unpublish a global tenant role from an organization, verify that no user in the organization is assigned this role.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Tenant Access Control, select Global Roles.
  3. If you want to publish a role, select the radio button next to the target role, and click Publish.
    1. Turn on the Publish to Tenants toggle.
    2. Select the organizations to which you want to publish the role.
      • If you want to publish the role to all existing and newly created organizations in your system, select Publish to All Tenants.
      • If you want to publish the role to one or more organizations in your system, select the organizations individually.
  4. If you want to unpublish a role, select the radio button next to the target role, and click Publish.
    • To unpublish the role from all organizations in your system, turn off the Publish to Tenants toggle.
    • To unpublish the role from specific organizations in your system, turn off the Publish to All Tenants toggle, and deselect the organizations individually.
  5. Click Save.

Results

The published role is available in the selected organizations and can be assigned to users in these organizations. Organization administrators cannot edit global tenant roles that are published to their organizations.

The unpublished role is removed from the selected organizations and cannot be assigned to users in these organizations.

View and Edit a Global Tenant Role Using Your VMware Cloud Director

You can view the rights that are included in a global tenant role. You can modify the name, the description, and the rights of a global tenant role.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Tenant Access Control, select Global Roles.
  3. Click the name of the target role.
    You can view the rights that are associated with the role by expanding the right categories.
  4. To modify the name, the description, or the rights of the role, click Edit.
  5. Edit the role and click Save.

Results

If you modified the rights of the role, VMware Cloud Director applies the new set of rights to all users who are assigned this role, across all organizations that you manage.

Delete a Global Tenant Role From Your VMware Cloud Director

You can remove a global tenant role that you no longer use in your VMware Cloud Director organizations.

Prerequisites

The global tenant role that you want to delete must not be assigned to any user across all organizations.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Tenant Access Control, select Global Roles.
  3. Select the radio button next to the target role and click Delete.
  4. To confirm the deletion, click Delete.
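
The unpublish and delete prerequisites and the edit result described above can be checked before a change is made. The following is an added example, not VMware code and not part of the original documentation; it works on a constructed inventory, and the role names, organization names, and the `change_impact` helper are all hypothetical.

```python
from collections import defaultdict

# Constructed sample inventory (not real data): one row per user,
# as (organization, user name, assigned role name).
ASSIGNMENTS = [
    ("org-finance", "alice", "Catalog Auditor"),
    ("org-finance", "bob", "Network Viewer"),
    ("org-research", "carol", "Catalog Auditor"),
    ("org-sales", "dave", "Network Viewer"),
]

# Constructed publish state: role name -> organizations it is published to.
PUBLISHED = {
    "Catalog Auditor": {"org-finance", "org-research", "org-sales"},
    "Legacy Operator": {"org-sales"},
}


def holders_by_org(role, assignments):
    """Map each organization to the sorted users assigned `role` there."""
    found = defaultdict(list)
    for org, user, assigned in assignments:
        if assigned == role:
            found[org].append(user)
    return {org: sorted(users) for org, users in found.items()}


def change_impact(role, assignments, published):
    """Evaluate the documented prerequisites for one global tenant role."""
    holders = holders_by_org(role, assignments)
    orgs = published.get(role, set())
    return {
        # Unpublish prerequisite: no user in that organization has the role.
        "unpublish_blocked_in": sorted(o for o in orgs if o in holders),
        "unpublish_allowed_in": sorted(o for o in orgs if o not in holders),
        # Delete prerequisite: no user in any organization has the role.
        "delete_allowed": not holders,
        # Editing rights changes them for every holder in every organization.
        "edit_affects": holders,
    }


if __name__ == "__main__":
    for name in sorted(PUBLISHED):
        print(name, change_impact(name, ASSIGNMENTS, PUBLISHED))
```

The `edit_affects` entry lists every user whose rights change when the role is edited, which is the set to review before adding rights to a published role.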