In a cloud SDDC, VMware performs host administration and other tasks for you. Because of that, a Cloud Administrator requires fewer privileges than an Administrator user in an on-premises data center.

VMware assigns a cloud administrator one of two roles, depending on the object: either the CloudAdmin role or the CloudGlobalAdmin role. As a result, on a given object you can either perform global tasks or perform specific tasks such as creating virtual machines or folders.

Table 1. Privileges in the Cloud SDDC

| Privilege Set | CloudAdmin | CloudGlobalAdmin | Comment |
|---|---|---|---|
| Alarms | All Alarms privileges. | -- | |
| Auto Deploy | -- | -- | VMware performs host management. |
| Content Library | -- | All Content Library privileges. | |
| Cryptographer | -- | -- | Not supported in this version of the product. |
| Datacenter | -- | -- | VMware performs data center creation, deletion, and other data center operations. |
| Datastore | A CloudAdmin user has the following Datastore privileges: Datastore > Allocate space; Datastore > Browse datastore; Datastore > Configure datastore; Datastore > Low level file operations; Datastore > Remove file; Datastore > Update virtual machine metadata | -- | |
| dvPort Group | -- | -- | VMware performs data center network operations. |
| Distributed Switch | -- | -- | VMware performs data center network operations. |
| ESX Agent Manager | -- | -- | VMware performs host management. |
| Extension | -- | -- | Not supported in the cloud SDDC. |
| Folder | All Folder privileges. | -- | |
| Global | A CloudAdmin user has the following Global privileges: Global > Cancel Task; Global > Global Tag; Global > Health; Global > Log Event; Global > Set custom attribute; Global > System Tag | A CloudGlobalAdmin user has the following Global privileges: Global > Manage custom attributes; Global > Service manager | |
| Host | A CloudAdmin user has the following Host privilege: Host > vSphere Replication > Manage replication | -- | VMware performs all other host management. |
| Hybrid Linked Mode | -- | A CloudGlobalAdmin user has the following Hybrid Linked Mode privilege: Hybrid Linked Mode > Manage | Not currently documented for the on-premises version of vSphere. |
| Inventory Service | -- | All Inventory Service privileges. | Not currently documented for the on-premises version of vSphere. |
| Network | A CloudAdmin user has the following Network privilege: Network > Assign network | -- | VMware performs other network management tasks. |
| Performance | -- | -- | |
| Permissions | -- | Permissions > ModifyPermissions | |
| Profile-driven Storage | -- | All Profile-driven Storage privileges. | |
| Resource | All Resource privileges. | | |
| Scheduled Task | A CloudAdmin user has the following Scheduled Task privileges: Scheduled Task > Create; Scheduled Task > Delete; Scheduled Task > Edit; Scheduled Task > Run | A CloudGlobalAdmin user has the following Scheduled Task privilege: Scheduled Task > Global Message | |
| Sessions | -- | A CloudGlobalAdmin user has the following Session privileges: Sessions > Message; Sessions > Validate Session | |
| Storage Views | A CloudAdmin user has the following Storage Views privilege: Storage Views > View | -- | |
| System | All System privileges. | -- | |
| Task | -- | -- | Task privileges control the ability of extensions to manage tasks. VMware manages extensions for you. |
| vApp | All vApp privileges. | -- | |
| Virtual Machine | A CloudAdmin user has most Virtual Machine privileges. The following privileges are NOT available: Virtual Machine > Interaction > Create Secondary; Virtual Machine > Interaction > Disable Secondary; Virtual Machine > Interaction > Enable Secondary; Virtual Machine > Interaction > Make Primary; Virtual Machine > Interaction > Record; Virtual Machine > Interaction > Replay | -- | |
| vService | All vService privileges. | -- | |