Each VMware Cloud Director predefined role contains a default set of rights required to perform operations included in common workflows. By default, all predefined global tenant roles are published to every organization in the system.
Predefined Provider Roles
By default, the provider roles that are local only to the provider organization are the System Administrator and Multisite System roles. System administrators can create additional custom provider roles.
- System Administrator
-
The System Administrator role exists only in the provider organization. The System Administrator role includes all rights in the system. For a list of rights available only to the System administrator role, see the VMware Cloud Director Service Provider Admin Guide. The System administrator credentials are established during installation and configuration. A System Administrator can create additional system administrator and user accounts in the provider organization.
- Multisite System
- Used for running the heartbeat process for multisite deployments. This role has only a single right, Multisite: System Operations, which gives a permission to make a Cloud Director OpenAPI request that retrieves the status of the remote member of a site association.
Predefined Global Tenant Roles
By default, the predefined global tenant roles and the rights they contain, except for the Sub-Provider Administrator, are published to all organizations. System Administrators can unpublish rights and global tenant roles from individual organizations. System Administrators can edit or delete predefined global tenant roles. System administrators can create and publish additional global tenant roles. You can publish global tenant roles only to your direct tenants, in other words, you can publish global tenant roles only to the organizations you manage directly.
All of the default global roles that the service provider publishes to your organization
- Sub-Provider Administrator
-
After creating an organization, a
System Administrator can assign the role of
Sub-Provider Administrator to any user in the organization. A user with the predefined
Sub-Provider Administrator role can create and manage organizations and organization VDCs, manage users and groups in the sub-provider's organizations and assign them roles, including the predefined
Sub-Provider Administrator role. Roles created in the sub-provider organization are not visible to the tenants that the sub-provider manages. Global roles created in the sub-provider organization and then published are visible to the managed organizations that the global role is published to.
For more information about the sub-provider role, see . For the full list of sub-provider rights, see VMware Cloud Director Rights in Predefined Global Tenant Roles.
- Organization Administrator
- After creating an organization, a System Administrator or a Sub-Provider Administrator can assign the role of Organization Administrator to any user in the organization. A user with the predefined Organization Administrator role can manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. Roles created or modified by an Organization Administrator are not visible to other organizations.
- Catalog Author
- The rights associated with the predefined Catalog Author role allow a user to create and publish catalogs.
- vApp Author
- The rights associated with the predefined vApp Author role allow a user to use catalogs and create vApps.
- vApp User
- The rights associated with the predefined vApp User role allow a user to use existing vApps.
- Console Access Only
- The rights associated with the predefined Console Access Only role allow a user to view virtual machine state and properties and to use the guest OS.
- Defer to Identity Provider
-
Rights associated with the predefined
Defer to Identity Provider role are determined based on information received from the user's OAuth or SAML Identity Provider. To qualify for inclusion when a user or group is assigned the
Defer to Identity Provider role, a role or group name supplied by the Identity Provider must be an exact, case-sensitive match for a role or group name defined in your organization.
- If an OAuth Identity Provider defines the user, the user is assigned the roles named in the roles array of the user's OAuth token.
- If a SAML Identity Provider defines the user, the user is assigned the roles named in the SAML attribute whose name appears in the RoleAttributeName element, which is in the SamlAttributeMapping element in the organization's OrgFederationSettings.
Except the Defer to Identity Provider role, each predefined role includes a set of default rights. Only a System Аdministrator can modify the rights in a predefined role. If a System administrator modifies a predefined role, the modifications propagate to all instances of the role in the system.
Rights in Predefined Global Tenant Roles
Various rights are common to multiple predefined global roles. These rights are granted by default to all new organizations, and are available for use in other roles created by the Sub-Provider Administrator or the Оrganization Аdministrator. For a list of the rights in predefined tenant roles, see VMware Cloud Director Rights in Predefined Global Tenant Roles.