Use the vSphere Client to view the privileges granted to vCenter users, regardless of whether those users are defined in the default vSphere Single Sign-On domain or in an external identity provider such as Active Directory.

In addition to the roles and permissions described in vCenter Server System Roles, the vCenter Server in your SDDC includes a predefined role that is not present in your on-premises vCenter:
CloudAdmin Role
The CloudAdmin role has the privileges necessary to create and manage SDDC workloads and related objects such as storage policies, content libraries, vSphere tags, and resource pools. This role cannot access or configure objects that are supported and managed by VMware, such as hosts, clusters, and management virtual machines. The CloudAdmin role can create, clone, or modify non-default roles. For detailed information about the privileges assigned to this role, see CloudAdmin Privileges.
Note: The CloudAdmin user can grant other users or groups read-only access to VMware Cloud on AWS vCenter management objects such as the Mgmt-ResourcePool, Management VMs folder, Discovered Virtual Machines folder, vmc-hostswitch, and vsanDatastore. Because this read-only access does not propagate to management objects, you cannot grant it as a Global Permission and instead must explicitly grant it for each management object. VMware Cloud on AWS runs a script once a day that updates any newly created management objects (such as objects in a new cluster) so that the CloudAdmin user and CloudAdminGroup SSO group have the updated role applied. The script itself does not grant additional access to any user or group, so you will need to wait until it completes before the CloudAdmin can use this workflow to grant read-only access to those objects.

VMware Cloud on AWS also defines a set of Service Roles that you manage in the VMware Cloud Services console and a set of Organization Roles that are assigned as part of inviting new users. These roles can further restrict the rights that organization members have to vSphere objects in the SDDC. See Assign a Service Role to an Organization Member and Invite a New User.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click OPEN VCENTER.
  3. Use the vSphere Client to select an object in the object hierarchy, for example a resource pool or virtual machine, and click Permissions.
  4. You can then view the privileges associated with the role assigned to each user or group.
    1. On the vSphere Client Home page, click Administration.
    2. Under Access Control, click Roles.
    3. Click a role name (CloudAdmin, for example).
    4. Click the Privileges tab on the right.

Results

You can scroll through the list to see the privileges granted to the selected role. See Defined Privileges for a detailed list of all vSphere privileges.
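The same audit can be scripted with VMware PowerCLI, which is useful when you want to review permissions on many objects or check which roles carry a sensitive privilege. The following is an added example, not code from the VMware documentation: it assumes PowerCLI is installed, and the vCenter FQDN, object name and principal below are placeholders you replace with values from your own SDDC. It covers steps 3 and 4 of the procedure (who holds which role on an object, and what privileges a role contains) and, for the Note above, a helper that grants ReadOnly on a single management object without propagation rather than as a Global Permission.

```powershell
# Added example (not from the VMware documentation): audit vCenter permissions
# and role privileges with VMware PowerCLI instead of the vSphere Client.
# Assumptions: PowerCLI is installed; $vcServer, $objectName and the principal
# passed to Grant-ReadOnlyOnObject are placeholders, not values from the page.

Import-Module VMware.VimAutomation.Core

$vcServer   = 'vcenter.sddc-EXAMPLE.vmwarevmc.com'   # placeholder FQDN
$objectName = 'Compute-ResourcePool'                  # placeholder object

$vc = Connect-VIServer -Server $vcServer -Credential (Get-Credential)

# Step 3 equivalent: list which principals hold which role on an object.
function Get-ObjectPermissionReport {
    param([Parameter(Mandatory)] $Entity)
    Get-VIPermission -Entity $Entity |
        Select-Object @{N = 'Object'; E = { $_.Entity.Name } },
                      Principal, Role, Propagate, IsGroup
}

# Step 4 equivalent: list the privileges carried by a role (for example CloudAdmin).
function Get-RolePrivilegeReport {
    param([Parameter(Mandatory)][string] $RoleName)
    $role = Get-VIRole -Name $RoleName
    [PSCustomObject]@{
        Role           = $role.Name
        IsSystem       = $role.IsSystem
        PrivilegeCount = $role.PrivilegeList.Count
        Privileges     = ($role.PrivilegeList | Sort-Object)
    }
}

# Least-privilege check: which roles grant a given privilege ID?
function Find-RolesWithPrivilege {
    param([Parameter(Mandatory)][string] $PrivilegeId)
    Get-VIRole |
        Where-Object { $_.PrivilegeList -contains $PrivilegeId } |
        Select-Object Name, IsSystem
}

# Note equivalent: read-only on ONE management object, no propagation.
# Defined here for reference; call it deliberately with a real principal.
function Grant-ReadOnlyOnObject {
    param(
        [Parameter(Mandatory)] $Entity,
        [Parameter(Mandatory)][string] $Principal   # e.g. 'vmc.local\someuser' (placeholder)
    )
    New-VIPermission -Entity $Entity -Principal $Principal `
        -Role (Get-VIRole -Name 'ReadOnly') -Propagate:$false
}

$entity = Get-Inventory -Name $objectName

# Who can do what on the chosen object.
Get-ObjectPermissionReport -Entity $entity | Format-Table -AutoSize

# Privilege list for every role that appears on that object.
Get-VIPermission -Entity $entity |
    Select-Object -ExpandProperty Role -Unique |
    ForEach-Object { Get-RolePrivilegeReport -RoleName $_ }

# Example: every role able to power on a VM.
Find-RolesWithPrivilege -PrivilegeId 'VirtualMachine.Interact.PowerOn' | Format-Table

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it from a PowerCLI session with an account that can at least read permissions on the object; the CloudAdmin user is sufficient for SDDC workload objects. Get-ObjectPermissionReport shows the same rows as the Permissions tab in step 3, and Get-RolePrivilegeReport returns the same privilege IDs as the Privileges tab in step 4, so its output can be diffed between runs to detect role changes.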