vCloud Director implements a role-based authorization model. This section discusses the different identity sources, user types, authentication controls, roles, and rights present in vCloud Director. An understanding of this information is required to properly secure the system and provide the correct access to the right people.

A vCloud Director tenant organization can contain an arbitrary number of users and groups. Users can be created locally by the organization administrator or imported from an external directory service (LDAP) or identity provider (OAuth, SAML). Imported users can be members of one or more groups. A user who is a member of multiple groups is assigned all the roles assigned to those groups. Each organization is created with a default set of rights and a set of predefined roles that include combinations of those rights. A system administrator can grant additional rights to an organization, and organization administrators can use those rights to create custom roles that are local to the organization. Permissions within an organization are controlled through the assignment of rights and roles to users and groups.

No unauthenticated user is allowed to access any vCloud Director functionality through the Web console, Tenant Portal, or vCloud API. Each user authenticates using a username and password. Password retry and account lockout policies can be configured globally and per organization.

Roles are groupings of rights that provide capabilities for the user assigned that role. Predefined roles include:
  • System Administrator
  • Organization Administrator
  • Catalog Author
  • vApp Author
  • vApp User
  • Console Access Only

The vCloud Director Administrator's Guide also identifies which rights are assigned to each of these roles. The purpose of that section is to help you choose the appropriate role for each type of user. For example, the vApp User role may be appropriate for an administrator who needs to power virtual machines on and off, but if they also need to edit the amount of memory assigned to a virtual machine, then vApp Author would be a more appropriate role. These roles may not have the exact sets of rights relevant to your tenants' organizations, so organization administrators can create custom roles. A description of what specific rights can be combined to create a useful custom role is outside the scope of this document.
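
An added example, not part of the vCloud Director documentation: because a user who belongs to several groups receives every role assigned to those groups, this Python audit computes each user's effective rights and reports any that go beyond the role the user was approved for. The right names, group names, users, and approved-role records are constructed placeholders, not vCloud Director's actual right identifiers or API output.

```python
"""Audit role accumulation through group membership (constructed sample data)."""

# Placeholder right names, NOT vCloud Director's real right identifiers.
ROLE_RIGHTS = {
    "vApp User": {"vapp.view", "vapp.power"},
    "vApp Author": {"vapp.view", "vapp.power", "vm.edit_memory"},
    "Catalog Author": {"vapp.view", "catalog.edit"},
    "Organization Administrator": {"vapp.view", "vapp.power", "vm.edit_memory",
                                   "catalog.edit", "org.manage_users"},
}
# Constructed directory export: role assigned to each imported group.
GROUP_ROLE = {"ops": "vApp User", "builders": "vApp Author",
              "catalog-team": "Catalog Author",
              "cloud-admins": "Organization Administrator"}
# Constructed group memberships of imported users.
USER_GROUPS = {"alice": ["ops"], "bob": ["ops", "builders"],
               "carol": ["ops", "catalog-team"],
               "dave": ["builders", "cloud-admins"]}
# Role each user was approved for (hypothetical access-request record).
APPROVED_ROLE = {"alice": "vApp User", "bob": "vApp Author",
                 "carol": "vApp User", "dave": "vApp Author"}


def effective_roles(user):
    """A user in several groups gets every role assigned to those groups."""
    return {GROUP_ROLE[g] for g in USER_GROUPS.get(user, [])}


def effective_rights(user):
    """Union of the rights carried by all of the user's effective roles."""
    return set().union(*(ROLE_RIGHTS[r] for r in effective_roles(user)))


def audit():
    """Map each over-privileged user to the rights beyond the approved role."""
    findings = {}
    for user, approved in APPROVED_ROLE.items():
        excess = effective_rights(user) - ROLE_RIGHTS[approved]
        if excess:
            findings[user] = sorted(excess)
    return findings


if __name__ == "__main__":
    for user, excess in audit().items():
        print(f"{user}: roles={sorted(effective_roles(user))} excess={excess}")
```

In the sample, `bob` holds two roles without exceeding his approval because vApp Author already covers vApp User, while `carol` and `dave` pick up extra rights purely through a second group membership.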