Organization members are assigned organization roles and service roles. As an organization owner, you can change both kinds of role assignments for members of your organization.

Organization roles specify the privileges that an organization member has over organization assets. Service roles specify the privileges that an organization member has when accessing VMware Cloud Services that the organization uses. Because any user with organization owner privileges can assign and change all service roles, assign restrictive roles such as Administrator (Delete Restricted) or NSX Cloud Auditor together with the organization member role, so that the user cannot modify the assignment.

When multiple service roles are assigned to an organization member, permissions are granted for the most permissive role. For example, if you assign an organization member both the Administrator role and the Administrator (Delete Restricted) role, the less restrictive Administrator permissions apply, allowing deletion of SDDCs and clusters.

Procedure

  1. On the VMware Cloud Services toolbar, click Identity & Access Management.
  2. Select a user and click Edit Roles to open the Edit Roles page.
  3. To assign an organization role, select a role name from the Assign Organization Roles drop-down control.
    For information about Organization Roles, see Managing Users and Permissions in the VMware Cloud Services documentation.
  4. To assign a VMC service role, select the VMware Cloud on AWS service name under Assign Service Roles and select a VMware Cloud on AWS service role to assign.
    The following roles are available:
    Administrator
    This role has full cloud administrator rights to all service features in the VMware Cloud on AWS console.
    Administrator (Delete Restricted)
    This role has full cloud administrator rights to all service features in the VMware Cloud on AWS console but cannot delete SDDCs or clusters.
    NSX Cloud Auditor
    When combined with an Administrator or Administrator (Delete Restricted) role, this role can view NSX service settings and events but cannot make any changes to the service.
    NSX Cloud Admin
    When combined with an Administrator or Administrator (Delete Restricted) role, this role can perform all tasks related to deployment and administration of the NSX service.
    Important: Administrative access to the VMC Console and its Networking & Security tab requires both an Administrator or Administrator (Delete Restricted) role and an NSX role.

  5. Click SAVE to save your changes.

What to do next

Ensure that any users whose roles were changed log out and log back in for the changes to take effect.
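
The role rules above (the most permissive service role applies, restrictive roles belong with the organization member role, and console access needs both a VMC administrator role and an NSX role) can be checked against a list of member assignments. The following Python is an added example, not VMware code; the record shape, sample users, and function names are assumptions made for illustration.

```python
# Added example. Role names are the display names used on this page; the
# record shape below is a constructed export, not a VMware API format.
ADMIN = "Administrator"
ADMIN_NO_DELETE = "Administrator (Delete Restricted)"
NSX_ADMIN = "NSX Cloud Admin"
NSX_AUDITOR = "NSX Cloud Auditor"

def can_delete_sddc(service_roles):
    """The most permissive role applies: any Administrator grant allows deletion."""
    return ADMIN in service_roles

def audit_member(member):
    """Return findings for one member record, per the rules stated above."""
    svc = set(member["service_roles"])
    findings = []
    if {ADMIN, ADMIN_NO_DELETE} <= svc:
        findings.append("delete restriction overridden by Administrator")
    if {NSX_ADMIN, NSX_AUDITOR} <= svc:
        findings.append("read-only NSX role overridden by NSX Cloud Admin")
    if member["org_role"] == "Organization Owner" and svc & {ADMIN_NO_DELETE, NSX_AUDITOR}:
        findings.append("organization owner can change own restrictive role")
    has_vmc = bool(svc & {ADMIN, ADMIN_NO_DELETE})
    has_nsx = bool(svc & {NSX_ADMIN, NSX_AUDITOR})
    if has_vmc != has_nsx:
        findings.append("needs both a VMC administrator role and an NSX role")
    return findings

def audit(members):
    """Map each user to the list of findings for their role assignments."""
    return {m["user"]: audit_member(m) for m in members}

# Constructed sample data (hypothetical users).
MEMBERS = [
    {"user": "alice@example.com", "org_role": "Organization Member",
     "service_roles": [ADMIN_NO_DELETE, NSX_AUDITOR]},
    {"user": "bob@example.com", "org_role": "Organization Member",
     "service_roles": [ADMIN, ADMIN_NO_DELETE, NSX_ADMIN]},
    {"user": "carol@example.com", "org_role": "Organization Owner",
     "service_roles": [ADMIN_NO_DELETE]},
]

if __name__ == "__main__":
    for user, findings in audit(MEMBERS).items():
        print(user, findings or "ok")
```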