VMware Cloud on AWS limits your access to vSphere resources that must remain under the control of the service provider. It also prevents you from modifying default roles created in a new SDDC.
The service provider (VMware) is granted super-user rights over all users, groups, rights, roles, and inventory objects in your organization. See Understanding Authorization in vSphere in the VMware vSphere Documentation for more information about roles and rights in the system.
SDDC vCenter Roles
- CloudAdmin: The CloudAdmin role has the privileges necessary to create and manage SDDC workloads and related objects such as storage policies, content libraries, vSphere tags, and resource pools. This role cannot access or configure objects that are supported and managed by VMware, such as hosts, clusters, and management virtual machines. The CloudAdmin role can create, clone, or modify non-default roles. For detailed information about the privileges assigned to this role, see CloudAdmin Privileges.
- CloudGlobalAdmin: The CloudGlobalAdmin role is an internal role that must exist during SDDC deployment but can be removed by a CloudAdmin after deployment is complete.
SDDC vCenter Users and Groups
A new SDDC is populated with a single organization user account, cloudadmin@vmc.local. This user is a member of the vCenter CloudAdminGroup and has the vCenter role of CloudAdmin. Although this role does not have rights to create local vCenter users or groups in the SDDC, it has rights to configure vCenter Single Sign-On and Hybrid Linked Mode, which allow access to the SDDC vCenter by single sign-on users. See Configuring Hybrid Linked Mode in Managing the VMware Cloud on AWS Data Center.
AWS Roles
To create an SDDC, VMware must add several required AWS roles and permissions to your AWS account. Most permissions are removed from these roles after the SDDC has been created. The others remain with the roles in your AWS account.
You must not change any of the remaining AWS roles and permissions. Doing so will render your SDDC inoperable.
For more information, see Account Linking and the VMware Cloud on AWS CloudFormation Template.