vCloud Director includes predefined roles. Each of these roles includes a set of default rights.

System Administrator

The system administrator has super-user rights to all objects in the system. System administrator credentials are established during installation and configuration. A system administrator can create additional system administrator accounts. All system administrators are members of the system organization. You cannot modify the rights associated with this role.

Organization Roles

After creating an organization, a system administrator can assign the role of organization administrator to any user in the organization. An organization administrator has super-user rights within that organization, and can assign any of the predefined roles to the organization's users and groups.
Organization Administrator
An organization administrator can assign the role of organization administrator to any member of an organization.
Catalog Author
The rights associated with the catalog author role allow a user to create and publish catalogs.
vApp Author
The rights associated with the vApp Author role allow a user to use catalogs and create vApps.
vApp User
The rights associated with the vApp User role allow a user to use existing vApps.
Console Access Only
The rights associated with the Console Access Only role allow a user to view virtual machine state and properties and to use the guest OS.
Defer to Identity Provider
Rights will be determined based on information received from the user's OAuth or SAML Identity Provider. To qualify for inclusion when a user or group is assigned the Defer to Identity Provider role, a role or group name supplied by the Identity Provider must be an exact, case-sensitive match for a role or group name defined in your organization.
  • If the user is defined by an OAuth Identity Provider, the user will be assigned the roles named in the roles array of the user's OAuth token.
  • If the user is defined by a SAML Identity Provider, the user will be assigned the roles named in the SAML attribute whose name appears in the RoleAttributeName element in the organization's OrgFederationSettings.
If a user is assigned the Defer to Identity Provider role but no matching role or group name is available in your organization, the user can log in to the organization but has no rights. If an Identity Provider associates a user with a system-level role such as System Administrator, the user can log in to the organization but has no rights. You must manually assign a role to such users.
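The matching rules above, as an added example that is not VMware code: it resolves role names from constructed OAuth claims and a constructed SAML fragment, and flags names that differ from an organization role only by case, a mismatch that leaves the user able to log in but with no rights. The attribute name "Roles" (standing in for the RoleAttributeName value), the claim layout and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SYSTEM_ROLES = {"System Administrator"}  # system-level roles grant nothing in an org
ORG_ROLES = {"Organization Administrator", "Catalog Author", "vApp Author",
             "vApp User", "Console Access Only"}

# Constructed samples: decoded OAuth claims and an already-verified SAML fragment.
OAUTH_CLAIMS = {"sub": "alice", "roles": ["vApp Author", "catalog author",
                                          "System Administrator"]}
SAML_SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{ASSERTION_NS}">
  <saml:Attribute Name="Roles">
    <saml:AttributeValue>vApp user</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def roles_from_oauth(claims):
    """Role names from the roles array of the token claims."""
    return list(claims.get("roles", []))

def roles_from_saml(xml_text, role_attribute_name):
    """Values of the SAML attribute named by RoleAttributeName."""
    names = []
    for attr in ET.fromstring(xml_text).iter(f"{{{ASSERTION_NS}}}Attribute"):
        if attr.get("Name") == role_attribute_name:
            names += [(v.text or "").strip()
                      for v in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue")]
    return names

def resolve(idp_roles, org_roles=ORG_ROLES):
    """Split IdP role names into (granted, near_misses, system_level)."""
    folded = {r.casefold(): r for r in org_roles}
    granted, near_misses, system_level = [], [], []
    for name in idp_roles:
        if name in SYSTEM_ROLES:
            system_level.append(name)           # login works, no rights
        elif name in org_roles:
            granted.append(name)                # exact, case-sensitive match
        elif name.casefold() in folded:
            near_misses.append((name, folded[name.casefold()]))  # case differs only
    return granted, near_misses, system_level

if __name__ == "__main__":
    print(resolve(roles_from_oauth(OAUTH_CLAIMS)))
    print(resolve(roles_from_saml(SAML_SAMPLE, "Roles")))
```

A user whose granted list is empty falls into the "can log in but has no rights" case and needs a role assigned manually or the Identity Provider mapping corrected.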

With the exception of the Defer to Identity Provider role, each predefined role includes a set of default rights. If an organization administrator modifies the set of rights associated with a predefined role, those modifications apply only in the context of that organization. If a system administrator modifies the set of rights associated with a predefined role, those modifications apply to all organizations in the system.

Rights are classified according to the objects to which they apply.

Rights Associated with Catalogs

Table 1. Rights Associated With Catalogs
Description Admin Catalog Author vApp Author vApp User Console Access Only
Catalog: Add vApp from My Cloud Permission to add a vApp to a catalog from My Cloud. X X X
Catalog: Change Owner Permission to change the owner of a catalog. X
Catalog: Create/Delete a Catalog Permission to create and delete catalogs. X X
Catalog: Edit Catalog Properties Permission to edit catalog properties. X X
Catalog: Allow External Publishing/Subscriptions for the Catalogs Permission to publish catalogs for external consumption and to subscribe to external catalog feeds. X X
Catalog: Share a Catalog to Users/Groups within Current Organization Permission to share catalogs to users and groups in the same organization. X X
Catalog: View Private and Shared Catalogs within Current Organization Permission to view both private and shared catalogs in the organization. X X X
Catalog: View Shared Catalogs from Other Organizations Permission to view catalogs shared from other organizations. X

Rights Associated with Independent Disks

Table 2. Rights Associated With Independent Disks
Description Admin Catalog Author vApp Author vApp User Console Access Only
Disk: Create Permission to create independent disks. X X X
Disk: Delete Permission to delete independent disks. X X X
Disk: Edit Properties Permission to edit the properties of an independent disk. X X X
Disk: View Properties Permission to view the properties of an independent disk. X X X X

Rights Associated with vApp Templates and Media

Table 3. Rights Associated With vApp Templates and Media
Description Admin Catalog Author vApp Author vApp User Console Access Only
Catalog Item: Add to My Cloud Permission to add a vApp template or media file to My Cloud. X X X X
Catalog Item: Copy/Move a vApp Template/Media Permission to copy and move vApp templates and media files. X X X
Catalog Item: Create/Upload a vApp Template/Media Permission to create and upload vApp templates and media files. X X
Catalog Item: Enable vApp Template/Media Download Permission to enable a vApp template or media item to be downloaded. X X
Catalog Item: Edit vApp Template/Media Properties Permission to edit the properties of a vApp template or media file. X X
Catalog Item: View vApp Templates/Media Permission to view vApp templates and media files. X X X X

Rights Associated with vApps and Virtual Machines

Table 4. Rights Associated With vApps
Description Admin Catalog Author vApp Author vApp User Console Access Only
vApp: Change Owner Permission to change the owner of a vApp. X
vApp: Copy a vApp Permission to copy a vApp. X X X X
vApp: Create/Reconfigure a vApp Permission to create and reconfigure vApps. X X X
vApp: Delete a vApp Permission to delete a vApp. X X X X
vApp: Download a vApp Permission to download a vApp. X X X X
vApp: Edit vApp Properties Permission to edit a vApp's properties. X X X X
vApp: Edit VM CPU Permission to edit virtual machine CPUs. X X X
vApp: Edit VM Hard Disk Permission to edit virtual machine hard disks. X X X
vApp: Edit VM Memory Permission to edit virtual machine memory. X X X
vApp: Edit VM Network Permission to edit virtual machine network configuration. X X X X
vApp: Edit VM Properties Permission to edit virtual machine properties. X X X X
vApp: Manage VM Password Settings Permission to edit virtual machine password settings. X X X X X
vApp: Start/Stop/Suspend/Reset a vApp Permission to start, stop, suspend, and reset a vApp. X X X X
vApp: Share a vApp Permission to share vApps. X X X X
vApp: Create/Remove/Revert a Snapshot Permission to create, revert, and delete virtual machine snapshots. X X X X
vApp: Upload a vApp Permission to upload a vApp. X X X X
vApp: Access to a VM Console Permission to use the virtual machine console. X X X X X
vApp: View VM Metrics Permission to view virtual machine metrics. X X X
vApp: Insert CD Permission to insert a CD into any virtual machine in the vApp. X X X X X
Allow metadata mapping domain to vCenter Permission to apply metadata in the VCENTER domain to a virtual machine. X X X

Administrative Rights

All of these rights are granted to the system administrator throughout the system, and to an organization administrator within the organization. These rights are not granted to any other predefined role.

Table 5. Other Administrative Rights
Description Admin Catalog Author vApp Author vApp User Console Access Only
General: Administrator Control Permission to use all administrator privileges. X
General: Administrator View Permission to view vCloud Director as an administrator. X
General: Send Notification Permission to send vCloud Director user notifications. X
Gateway: Configure Services Permission to configure gateway services. X
Organization VDC Network: Edit Properties Permission to edit the properties of an organization virtual data center network. X
Organization VDC Network: View Properties Permission to view the properties of an organization virtual data center network. X
Organization VDC: Set Default Storage Policy Permission to set the default storage policy for an organization virtual data center. X
Organization VDC: View Organization VDCs Permission to view organization virtual data centers. X
Organization: Allow Access to All Organization VDCs Permission to access all organization virtual data centers through vCloud Air. X
Organization: Edit Federation Settings Permission to edit an organization's federation settings. X
Organization: Edit Leases Policy Permission to edit an organization's leases policy. X
Organization: Edit Organization Network Properties Permission to edit an organization's network properties. X
Organization: Edit Organization Properties Permission to edit organization properties. X
Organization: Edit Password Policy Permission to edit an organization's password policy. X
Organization: Edit Quotas Policy Permission to edit an organization's quotas policy. X
Organization: Edit SMTP Settings Permission to edit an organization's SMTP settings. X
Organization: Edit Organization Associations Permission to edit an organization's associations. X
Organization: Implicitly Import User/Group from IdP While Editing VDC ACL Permission to import vCloud Director users and groups while editing VDC Access Control Lists in vCloud Air. X
Organization: Edit Access Control List of Organization VDCs Permission to edit the vCloud Air Access Control Lists of organization virtual data centers. X
Organization: View Access Control List of Organization VDCs Permission to view the vCloud Air Access Control Lists of organization virtual data centers. X
Organization: View Organization Networks Permission to view organization networks. X
Organization: View Organizations Permission to view organizations. X
Organization: Edit Operation Limits Permission to edit an organization's OrgOperationLimitsSettings. X (system administrator only)

Rights Not Associated With Any Predefined Role

The following rights are not associated with any predefined role:
  • vApp: Preserve All ExtraConfig Elements During OVF Import and Export
  • vApp: Preserve Latency ExtraConfig Elements During OVF Import and Export
  • vApp: Preserve Ethernet-Coalescing ExtraConfig Elements During OVF Import and Export
  • vApp: Preserve NUMA Node Affinity ExtraConfig Elements During OVF Import and Export