A right is the fundamental unit of access control in vCloud Director. A role associates a role name with a set of rights. Each organization can have different rights and roles.
vCloud Director uses roles and their associated rights to determine whether a user or group is authorized to perform an operation. Many of the procedures documented in the vCloud Director guides include a prerequisite role. These prerequisites assume that the named role is the unmodified predefined role or a role that includes an equivalent set of rights.
vCloud Director 9.5 introduces rights bundles and global tenant roles which system administrators can use to manage the rights and roles that are available to each organization.
After you install vCloud Director, the system contains only the System Rights Bundle, which includes all rights that are available in the system. The System Rights Bundle is not published to any organization. The system also contains built-in global tenant roles that are published to all organizations. For information about the predefined roles, see Predefined Roles and Their Rights.
After you upgrade vCloud Director from version 9.1 or earlier, in addition to the System Rights Bundle, the system contains a Legacy Rights Bundle for each existing organization. Each Legacy Rights Bundle includes the rights that are available in the associated organization at the time of the upgrade and is published only to this organization.
If you upgraded vCloud Director from version 9.1 or earlier, the existing role templates are published to all organizations as global tenant roles, and the existing roles that are unlinked from role templates are available as tenant-specific roles to their organizations.
- Each right provides view or manage access to a particular object type in vCloud Director. Rights belong to different categories depending on the objects to which they relate, for example, vApp, Catalog, Organization, and so on. The Provider organization contains all rights available in the system. The system administrator defines the rights that are available to each organization. You cannot create or modify the rights included in vCloud Director.
- Rights Bundle
System administrators can use rights bundles to manage the rights that are available to each organization. A rights bundle is a set of rights that the system administrator can publish to one or more organizations. The system administrator can create and publish rights bundles that correspond to tiers of service, separately monetizable functionality, or any other arbitrary rights grouping. Only system administrators can view and manage the rights bundles. You can publish multiple bundles to the same organization.
For information about managing right bundles, see vCloud Director Service Provider Admin Portal Guide.
- Organization Rights
- Organization rights are the full set of rights that are available to an organization. Organization rights can comprise multiple rights bundles, but the organization administrators and users see a flat set of rights that they can use to create and modify tenant-specific roles.
- A role is a set of rights that is assignable to one or more users and groups. When you create or import a user or group, you must assign it a role.
- Provider Roles
Provider roles are the set of roles that are available only to the Provider organization. Provider roles can be assigned only to Provider users. System administrators can create custom provider roles.
For information about managing provider roles, see vCloud Director Service Provider Admin Portal Guide.
- Tenant Roles
Tenant roles are the set of roles available to an organization.
System administrators can create and edit global tenant roles and publish them to one or more organizations. Global tenant roles can be assigned to tenant users in the organizations to which they are published. Organization administrators cannot edit global tenant roles.
For information about managing global tenant roles, see vCloud Director Service Provider Admin Portal Guide.Note: Tenant users can use only those rights from their roles that are published to their organizations.
- Tenant-Specific Roles
Organization administrators can create and edit tenant-specific roles, which are local to their organizations. Tenant-specific roles can be assigned only to tenant users in the organization to which they belong. Tenant-specific roles can contain a subset of the organization rights only.
For information about managing tenant-specific roles, see vCloud Director Tenant Portal Guide.