Organization members are assigned organization roles and service roles. As an organization owner, you can change both kinds of role assignments for members of your organization.

Organization roles specify the privileges that an organization member has over organization assets. Service roles specify the privileges that an organization member has when accessing VMware Cloud Services that the organization uses. All service roles can be assigned and changed by a user with organization owner privileges, so restrictive roles such as Administrator (Delete Restricted) or NSX Cloud Auditor should be assigned along with the role of organization member to prevent modification.

When multiple service roles are assigned to an organization member, permissions are granted for the most permissive role. For example, when an organization member who has both the Administrator role and the Auditor role, the more permissive Administrator permissions apply.


  1. On the VMware Cloud Services toolbar, click Identity & Access Management.
  2. Select a user and click Edit Roles to open the Edit Roles page.
  3. To assign an organization role, select a role name.
    Every organization member must have at least one the Mandatory Roles and can have zero or more of these Additional Roles.
    Table 1. Organization Roles
    Role Name Rights in this Role
    Access Log Auditor Access log auditors have read-only access to VMware Cloud Services audit records for this SDDC.
    Billing Read-only Billing Read-only users can view but not modify billing information such as invoices and subscriptions,for one Organization.
    Developer Developers can create and manage OAuth apps to authorize the third-party apps they build to access protected resources.
    Project Administrator Project administrators have full administrative access to projects to which they have been assigned. They can edit and manage access to the project and its resources.
    For more information about organization roles, see Managing Users and Permissions in the VMware Cloud Services documentation.
  4. Assign a VMware Cloud on AWS service role.
    Select the VMware Cloud on AWS service name under Assign Service Roles and select one or more VMware Cloud on AWS service roles from the drop-down control. The following VMware Cloud on AWS service roles are available:
    Table 2. VMware Cloud on AWS Service Roles
    Role Name Rights in this Role
    Administrator Full cloud administrator rights to all VMware Cloud on AWS service features.
    NSX Cloud Admin Perform all tasks related to deployment and administration of the NSX service.
    Administrator (Delete Restricted) Full cloud administrator rights to all VMware Cloud on AWS service features but cannot delete SDDCs or clusters.
    NSX Cloud Auditor View NSX service settings and events but cannot make any changes to the service.
  5. (Optional) Assign an NSX service role.

    Administrative access to the VMware Cloud Console legacy Networking & Security tab requires both a VMware Cloud on AWS service role and an NSX service role.

    See Assign NSX Service Roles to Organization Members for more information about NSX service roles.

  6. Click SAVE to save your changes.

What to do next

Ensure that any users whose roles were changed log out and log back in so that the changes take effect.