Users of VMware Cloud™ on AWS have different permissions on different objects in the object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for that object.

Figure 1. Permissions
Several privileges are combined in a role. The role is assigned to users or groups.

Permissions in VMware Cloud™ on AWS

Permissions are initially set by VMware. For example, when you log in as cloudadministrator, you might have the CloudAdmin role on a ComputeResourcePool object and the CloudGlobalAdmin role on a ManagementResourcePool object. If have the privileges associated with CloudAdmin on ComputeResourcePool, then you can create and manage virtual machines there. If you have the privileges associated with CloudGlobalAdmin on ManagementResourcePool, then you cannot create and manage virtual machines, but you can perform some other global tasks, for example content library management.

Permissions Background Information

The permission model of VMware Cloud™ on AWS is simpler than the model for an on-premises vSphere environment. If you're interested in some background information, here are the basic concepts.


Privileges are fine-grained access controls.


Roles are sets of privileges. Roles allow you to assign permissions on an object based on a typical set of tasks that users perform. Default roles are predefined and cannot be changed. VMware Cloud™ on AWS does not support custom roles.


Each object in the object hierarchy has associated permissions. Each permission specifies for one group or user which privileges that group or user has on the object.

Users and Groups

The Hybrid Linked Mode feature allows a CloudAdmin to limit permissions for some users or groups on parts of the object hierarchy.