Global privileges control system-wide operations, such as viewing and changing global settings. Roles that contain only global privileges cannot be applied to access groups. In a Cloud Pod Architecture environment, roles that contain only global privileges also cannot be applied to federation access groups.

The following table describes the global privileges and lists the predefined roles that contain each privilege.

Table 1. Global Privileges

| Privilege | Privilege Set | User Capabilities | Predefined Roles |
| --- | --- | --- | --- |
| Bypass smartcard for API | API_SMART_CARD_BYPASS | Allows credential-based API login when smartcard authentication mode is REQUIRED. | |
| Collect Operation Logs | LOG_COLLECTION, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Collect operation logs for pools, farms, or Connection Server. | |
| Console Interaction | GLOBAL_ADMIN_UI_INTERACTIVE | Log in to and use Horizon Console. Note: VMware Horizon adds the Console Interaction privilege to new roles automatically. This privilege does not appear in the list of global privileges in Horizon Console. | Administrators, Administrators (Read only), Inventory Administrators, Inventory Administrators (Read only), Global Configuration and Policy Administrators, Global Configuration and Policy Administrators (Read only), Helpdesk Administrators, Helpdesk Administrators (Read Only), Local Administrators, Local Administrators (Read Only) |
| Direct Interaction | GLOBAL_ADMIN_SDK_INTERACTIVE | Run all PowerShell commands and command line utilities, except for vdmadmin and vdmimport. Administrators must have the Administrators role on the root access group to use the vdmadmin, vdmimport, and lmvutil commands. Note: VMware Horizon adds the Direct Interaction privilege to new roles automatically. This privilege does not appear in the list of global privileges in Horizon Console. | Administrators, Administrators (Read only) |
| Forensics | FORENSICS | Mark users as held for forensics tasks. Note: This task can currently be performed only by using the VMware Horizon Server API. | |
| Manage Access Groups | GLOBAL_PERMISSION_VIEW, GLOBAL_ROLE_VIEW, FOLDER_VIEW, FOLDER_MANAGEMENT, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Add and remove access groups and, in a Cloud Pod Architecture environment, federation access groups. | Administrators, Local Administrators |
| Manage Certificates | MANAGE_CERTIFICATES | Request and import certificates. | |
| Manage Global Configuration and Policies | GLOBAL_CONFIG_MANAGEMENT, GLOBAL_CONFIG_VIEW, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | View and modify global policies and configuration settings except for administrator roles and permissions. | Administrators, Global Configuration and Policy Administrators |
| Manage Roles and Permissions | GLOBAL_PERMISSION_MANAGEMENT, GLOBAL_PERMISSION_VIEW, GLOBAL_ROLE_MANAGEMENT, GLOBAL_ROLE_PERMISSION_MANAGEMENT, GLOBAL_ROLE_VIEW, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Create, modify, and delete administrator roles and permissions. | Administrators |
| Register Agent | GLOBAL_MACHINE_REGISTER, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Install Horizon Agent on unmanaged machines, such as physical systems, standalone virtual machines, and RDS hosts. During Horizon Agent installation, you must provide your administrator login credentials to register the unmanaged machine with the Connection Server instance. | Administrators, Agent Registration Administrators |
| Manage vCenter Configuration (Read only) | VC_CONFIG_VIEW, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Read-only access to the vCenter Server configuration. | Administrators, Administrators (Read only), Inventory Administrators, Inventory Administrators (Read only), Local Administrators, Local Administrators (Read Only) |