A right is the fundamental unit of access control in VMware Cloud Director. A role associates a role name with a set of rights. Each organization can have different rights and roles.

VMware Cloud Director uses roles and their associated rights to determine whether a user or group is authorized to perform an operation. Many of the procedures documented in the VMware Cloud Director guides include a prerequisite role. These prerequisites assume that the named role is the unmodified predefined role or a role that includes an equivalent set of rights.

System administrators and sub-provider administrators can use rights bundles and global tenant roles to manage the rights and roles that are available to each organization.

After you install VMware Cloud Director, the system contains only the System Rights Bundle, which includes all rights that are available in the system. The System Rights Bundle is not published to any organization. The system also contains built-in global tenant roles that are published to all organizations managed by the system organization, except for the sub-provider administrator role which is not published by default. For information about the predefined roles, see Predefined VMware Cloud Director Roles and Their Rights.

In addition to the System Rights Bundle, the system might contain a Legacy Rights Bundle for each existing organization. Each Legacy Rights Bundle includes the rights that are available in the associated organization at the time of the upgrade and is published only to this organization.

Note: To begin using the rights bundles model for an existing organization, you must delete the corresponding Legacy Rights Bundle.

Note: VMware Cloud Director provides OpenAPIs for managing rights and roles. For information about the VMware Cloud Director OpenAPI, see Getting Started with VMware Cloud Director OpenAPI at https://developer.broadcom.com/.

Rights Terminology

Right
Each right provides view or manage access to a particular object type in VMware Cloud Director. Rights belong to different categories depending on the objects to which they relate, for example, vApp, Catalog, Organization, and so on. The provider organization contains all rights available in the system. The system administrator defines the rights that are available to each organization. Sub-providers can define the rights available to the organizations they manage. You cannot create or modify the rights included in VMware Cloud Director.
Rights Bundle
System administrators can use rights bundles to manage the rights that are available to each organization. A rights bundle is a set of rights that the system administrator can publish to one or more organizations. The system administrator or sub-provider administrator can create and publish rights bundles that correspond to tiers of service, separately monetizable functionality, or any other arbitrary rights grouping. System administrators and sub-provider administrators can publish rights bundles only to organizations that they manage directly, for example, a provider cannot publish a rights bundle to a tenant organization that a sub-provider manages. Only system administrators and sub-provider administrators can view and manage the rights bundles. Administrators can publish multiple bundles to the same organization.
Classification of Rights
Starting with version 10.6, VMware Cloud Director classifies rights into three groups: Provider, Sub-provider, and Tenant rights. Provider rights apply only to providers; they are not visible to, and cannot be assigned to, anyone else. Providers can publish sub-provider rights to their direct tenants, giving those tenants sub-provider capabilities, but sub-provider administrators cannot publish sub-provider rights to the tenant organizations they manage. Tenant rights are regular rights that can be assigned to anyone.

If you want to see a list of all VMware Cloud Director rights with API rights' names, UI rights' names, rights classifications, UI right categories, and so on, see the VMware Cloud Director 10.6 Rights file in CSV format.

Alternatively, you can determine the classification of a right from the VMware Cloud Director API: with each right, VMware Cloud Director returns an isPublishable field. Its value is true or false depending on the right's classification and the context from which you make the call. For example, a right classified as a sub-provider right has isPublishable set to true in the provider context but false in the sub-provider context, because a sub-provider administrator cannot publish sub-provider rights to the organizations they manage.

Organization Rights
Organization rights are the full set of rights that are available to an organization. Organization rights can comprise multiple rights bundles, but the organization administrators and users see a flat set of rights that they can use to create and modify tenant-specific roles.

Roles Terminology

Role
A role is a set of rights that is assignable to one or more users and groups. When you create or import a user or group, you must assign it a role.
Provider Roles
Provider roles are the set of roles that are available only to the provider organization. System administrators can assign provider roles only to provider users. System administrators can create custom provider roles.
Sub-Provider Role
Starting with VMware Cloud Director 10.6, system administrators can publish the necessary rights to an organization so that it becomes a sub-provider organization. A user with the predefined sub-provider administrator role can create and manage organizations and organization VDCs, manage users and groups in the sub-provider's organizations, and assign them roles, including the predefined sub-provider administrator role. The sub-provider administrator operates within the sub-provider organization and can also create and publish both global tenant roles and rights bundles to the organizations that the sub-provider manages directly.

For more information about the sub-provider role, see Overview of VMware Cloud Director Administration. For the full list of sub-provider rights, see VMware Cloud Director Rights in Predefined Global Tenant Roles.

Tenant Roles

Tenant roles are the set of roles available to an organization.

System administrators and sub-provider administrators can create and edit global tenant roles and publish them to one or more organizations. System administrators and sub-provider administrators can publish global tenant roles only to organizations that they manage directly, for example, a provider cannot publish a global tenant role to a tenant organization that a sub-provider manages. Administrators can assign global tenant roles to tenant users in the organizations to which they are published. Organization administrators cannot edit global tenant roles.

Note: Tenant users can use only those rights from their roles that are published to their organizations.
Tenant-Specific Roles
Organization administrators can create and edit tenant-specific roles, which are local to their organizations. Tenant-specific roles can be assigned only to tenant users in the organization to which they belong. Tenant-specific roles can contain a subset of the organization rights only.
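The rules spread across the Rights Bundle, Classification of Rights, Organization Rights, Tenant Roles and Tenant-Specific Roles entries above combine into a small access-control model. The following Python is an added illustration of that model and is not VMware code or the Cloud Director API: the right names, organization names and bundle contents are constructed sample data (real right names are listed in the rights CSV), and the Directory class, its methods and the demo function are hypothetical names chosen for the example. It enforces that a bundle is published only from a context whose isPublishable view of every right is true and only to a directly managed organization, that organization rights are the flat union of published bundles, that a tenant-specific role may hold only organization rights, and that a tenant user's usable rights are the role's rights intersected with the organization rights.

```python
"""Toy model of VMware Cloud Director rights-bundle publishing and effective
rights. Added illustration, not VMware code; all names are constructed."""
from dataclasses import dataclass, field

PROVIDER, SUB_PROVIDER, TENANT = "provider", "sub-provider", "tenant"
SYSTEM_ORG = "System"  # the provider organization

# Constructed sample directory: right name -> classification.
RIGHTS = {
    "vApp: View": TENANT,
    "vApp: Edit Properties": TENANT,
    "Organization: Create": SUB_PROVIDER,
    "Rights Bundle: Publish": SUB_PROVIDER,
    "System: Manage Cells": PROVIDER,
}


def is_publishable(classification: str, context: str) -> bool:
    """Value of the isPublishable field for a right, seen from a context."""
    if classification == TENANT:
        return context in (PROVIDER, SUB_PROVIDER)
    if classification == SUB_PROVIDER:
        return context == PROVIDER   # sub-providers cannot pass these on
    return False                     # provider rights are never published


@dataclass
class Directory:
    rights: dict            # right name -> classification
    managed_by: dict        # organization -> organization managing it directly
    published: dict = field(default_factory=dict)  # org -> [frozenset, ...]

    def context_of(self, admin_org: str) -> str:
        return PROVIDER if admin_org == SYSTEM_ORG else SUB_PROVIDER

    def publish_bundle(self, admin_org: str, org: str, bundle) -> frozenset:
        """Publish a rights bundle from admin_org to org, enforcing both checks."""
        if self.managed_by.get(org) != admin_org:
            raise PermissionError(f"{admin_org} does not directly manage {org}")
        ctx = self.context_of(admin_org)
        blocked = sorted(r for r in bundle if not is_publishable(self.rights[r], ctx))
        if blocked:
            raise PermissionError(f"not publishable from {ctx} context: {blocked}")
        bundle = frozenset(bundle)
        self.published.setdefault(org, []).append(bundle)
        return bundle

    def organization_rights(self, org: str) -> frozenset:
        """Flat union of every bundle published to org (what org admins see)."""
        return frozenset().union(*self.published.get(org, []))

    def create_tenant_role(self, org: str, role_rights) -> frozenset:
        """Tenant-specific roles may contain only organization rights."""
        extra = sorted(set(role_rights) - self.organization_rights(org))
        if extra:
            raise ValueError(f"rights not available in {org}: {extra}")
        return frozenset(role_rights)

    def effective_rights(self, org: str, role_rights) -> frozenset:
        """A global tenant role may name rights the organization lacks;
        a tenant user can use only the published ones."""
        return frozenset(role_rights) & self.organization_rights(org)


def demo() -> dict:
    d = Directory(RIGHTS, {"acme": SYSTEM_ORG, "subco": SYSTEM_ORG,
                           "subco-tenant": "subco"})
    # The provider makes subco a sub-provider by publishing sub-provider rights.
    d.publish_bundle(SYSTEM_ORG, "subco", {"Organization: Create", "Rights Bundle: Publish"})
    # Two bundles to acme; its organization rights are the flat union.
    d.publish_bundle(SYSTEM_ORG, "acme", {"vApp: View"})
    d.publish_bundle(SYSTEM_ORG, "acme", {"vApp: Edit Properties"})
    outcomes = []
    for who, org, bundle in [
        (SYSTEM_ORG, "subco-tenant", {"vApp: View"}),          # not directly managed
        ("subco", "subco-tenant", {"Organization: Create"}),   # sub-provider right
        (SYSTEM_ORG, "acme", {"System: Manage Cells"}),        # provider right
        ("subco", "subco-tenant", {"vApp: View"}),             # allowed
    ]:
        try:
            d.publish_bundle(who, org, bundle)
            outcomes.append("ok")
        except PermissionError as e:
            outcomes.append(f"denied: {e}")
    try:
        d.create_tenant_role("acme", {"vApp: View", "Organization: Create"})
        tenant_role = "created"
    except ValueError as e:
        tenant_role = f"rejected: {e}"
    global_role = {"vApp: View", "vApp: Edit Properties", "Organization: Create"}
    return {
        "acme_rights": d.organization_rights("acme"),
        "outcomes": outcomes,
        "tenant_role": tenant_role,
        "effective_in_acme": d.effective_rights("acme", global_role),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The effective_rights check is the one worth keeping in mind when auditing a deployment: a global tenant role can be published with rights that a given organization was never granted, and the model's intersection mirrors the note above that tenant users can use only the rights from their roles that are published to their organization.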

For information about managing tenant-specific roles, see VMware Cloud Director Sub-Provider and Tenant Guide.