Organization members are assigned organization roles and service roles. As an organization owner, you can change both kinds of role assignments for members of your organization.
Organization roles specify the privileges that an organization member has over organization assets. Service roles specify the privileges that an organization member has when accessing VMware Cloud Services that the organization uses. All service roles can be assigned and changed by a user with organization owner privileges, so restrictive roles such as Administrator (Delete Restricted) or NSX Cloud Auditor should be assigned along with the role of organization member to prevent modification.
When multiple service roles are assigned to an organization member, permissions are granted for the most permissive role. For example, when an organization member who has both the Administrator role and the Auditor role, the more permissive Administrator permissions apply.
Procedure
What to do next
Ensure that any users whose roles were changed log out and log back in so that the changes take effect.