Every SDDC defines a role named CloudAdmin. An organization member in this role has administrative rights over all objects owned by the organization.

SDDC Roles

The CloudAdmin role has the necessary privileges for you to create and manage workloads on your SDDC. However, you cannot access or configure objects that are supported and managed by VMware, such as hosts, clusters, and management virtual machines. For detailed information about the privileges assigned to this role, see CloudAdmin Privileges.
The CloudGlobalAdmin role is associated with global privileges and allows you to create and manage content library objects and perform some other global tasks.

The CoudGlobalAdmin role, which has a subset of the privileges granted to the CloudAdmin role, is deprecated as of SDDC version 1.7.

Understanding Authorization in vSphere in the vSphere Documentation has more information about roles and rights in the system.

The CloudAdmin is responsible for creating users, groups, and roles in the SDDC, typically by using vCenter Single Sign-On and Hybrid Linked Mode. For the majority of use cases, rights and roles in the SDDC vCenter can be configured the same way that they are in an on-premises vCenter linked to the SDDC with Hybrid Linked Mode, so that your organization's workflows can benefit from having the same access controls in both environments.

Because it is a service, VMware Cloud on AWS limits access by all tenants (organization members) to vSphere resources that must remain under the control of the service provider (VMware). It also places limitations on the rights you can associate with roles you create, and prevents you from modifying the CloudAdmin role or any roles that have more rights than the CloudAdmin role. The service provider is granted super-user rights over all users, groups, rights, roles, and inventory objects in your organization.

See Understanding Authorization in vSphere in the VMware vSphere Documentation for more information about roles and rights in the system.

AWS Roles

To create an SDDC, VMware must add several required AWS roles and permissions to your AWS account. Most permissions are removed from these roles after the SDDC has been created. The others remain with the roles in your AWS account.


You must not change any of the remaining AWS roles and permissions. Doing so will render your SDDC inoperable.

For more information, see AWS Roles and Permissions