VMware Cloud on AWS limits your access to vSphere resources that VMware manages. It also prevents you from modifying default roles created in a new SDDC.

The service provider (VMware) is granted super-user privileges over all users, groups, rights, roles, and inventory objects in your organization. See Understanding Authorization in vSphere in the VMware vSphere Documentation for more information about roles and privileges in the system.

SDDC vCenter Roles

This role has the privileges necessary to create and manage SDDC workloads and related objects such as storage policies, content libraries, vSphere tags, and resource pools. This role cannot access or configure objects that are supported and managed by VMware, such as hosts, clusters, and management virtual machines. The CloudAdmin role can create, clone, or modify non-default roles. For detailed information about the privileges assigned to this role, see CloudAdmin Privileges.
This role has privileges to perform global level operations, ones that aren't specific to an object scope such as Certificate Management, ComputePolicy, Content Library, Cryptographic, HLM, Service Tagging, VM deploy template, customization specs, storage policies, sessions and vSAN Rekey. This role is a subset of the CloudAdmin role and is not assigned by default to any users or groups.
This role has the Modify Permission privilege and can grant read-only access to the management objects such as the Mgmt-ResourcePool, Management VMs folder, vmc-hostswitch, vsanDatastore, and Discovered Virtual machine folder.

All standard vCenter roles are also available, and any role with permissions that are less than or equivalent to those of the CloudAdmin user can be used in a custom role and granted to LDAP or SSO users.

SDDC vCenter Users and Groups

A new SDDC is populated with a single organization user account, cloudadmin@vmc.local. This user is a member of the vCenter CloudAdminGroup which has the CloudAdmin role as a Global permission as well as the CloudAdminRestrictedAccess role on management objects. Although this role does not have permission to create local vCenter users or groups, it has permission to configure vCenter Single Sign-On and Hybrid Linked Mode, which allow access to the SDDC vCenter by single sign-on users. See Configuring Hybrid Linked Mode. The CloudAdminGroup has the CloudAdmin role as a Global permission, as well as the CloudAdminRestrictedAccess role on management objects. See VMware Knowledge Base article 56489 for information about adding LDAP groups to the CloudAdminGroup. It is not supported to create local or SSO users or groups in the SDDC vCenter.

AWS Roles

To create an SDDC, VMware must add several required AWS roles and permissions to your AWS account. For more information, see Account Linking and the VMware Cloud on AWS CloudFormation Template

You must not change any of the remaining AWS roles and permissions. Doing so will render your SDDC inoperable.