Global privileges control system-wide operations, such as viewing and changing global settings. Roles that contain only global privileges cannot be applied to access groups. In a Cloud Pod Architecture environment, roles that contain only global privileges also cannot be applied to federation access groups.
The following table describes the global privileges and lists the predefined roles that contain each privilege.
Privilege | Privilege Set | User Capabilities | Predefined Roles |
---|---|---|---|
Bypass smartcard for API | API_SMART_CARD_BYPASS | Allows API credential-based login when smartcard authentication mode is REQUIRED. | |
Collect Operation Logs | LOG_COLLECTION, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Collect operation logs for pools, farms, or Connection Server. | |
Console Interaction | GLOBAL_ADMIN_UI_INTERACTIVE | Log in to and use Horizon Console. Note: VMware Horizon adds the Console Interaction privilege to new roles automatically. This privilege does not appear in the list of global privileges in Horizon Console. | Administrators, Administrators (Read only), Inventory Administrators, Inventory Administrators (Read only), Global Configuration and Policy Administrators, Global Configuration and Policy Administrators (Read only), Helpdesk Administrators, Helpdesk Administrators (Read Only), Local Administrators, Local Administrators (Read Only) |
Direct Interaction | GLOBAL_ADMIN_SDK_INTERACTIVE | Run all PowerShell commands and command line utilities, except for vdmadmin and vdmimport. Administrators must have the Administrators role on the root access group to use the vdmadmin, vdmimport, and lmvutil commands. Note: VMware Horizon adds the Direct Interaction privilege to new roles automatically. This privilege does not appear in the list of global privileges in Horizon Console. | Administrators, Administrators (Read only) |
Forensics | FORENSICS | Mark users as held for forensics tasks. Note: This task can currently be performed only by using the VMware Horizon Server API. | |
Manage Access Groups | GLOBAL_PERMISSION_VIEW, GLOBAL_ROLE_VIEW, FOLDER_VIEW, FOLDER_MANAGEMENT, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Add and remove access groups and, in a Cloud Pod Architecture environment, federation access groups. | Administrators, Local Administrators |
Manage Certificates | MANAGE_CERTIFICATES | Request and import certificates. | |
Manage Global Configuration and Policies | GLOBAL_CONFIG_MANAGEMENT, GLOBAL_CONFIG_VIEW, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | View and modify global policies and configuration settings except for administrator roles and permissions. | Administrators, Global Configuration and Policy Administrators |
Manage Roles and Permissions | GLOBAL_PERMISSION_MANAGEMENT, GLOBAL_PERMISSION_VIEW, GLOBAL_ROLE_MANAGEMENT, GLOBAL_ROLE_PERMISSION_MANAGEMENT, GLOBAL_ROLE_VIEW, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Create, modify, and delete administrator roles and permissions. | Administrators |
Register Agent | GLOBAL_MACHINE_REGISTER, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Install Horizon Agent on unmanaged machines, such as physical systems, standalone virtual machines, and RDS hosts. During Horizon Agent installation, you must provide your administrator login credentials to register the unmanaged machine with the Connection Server instance. | Administrators, Agent Registration Administrators |
Manage vCenter Configuration (Read only) | VC_CONFIG_VIEW, GLOBAL_ADMIN_SDK_INTERACTIVE, GLOBAL_ADMIN_UI_INTERACTIVE | Read-only access to the vCenter Server configuration. | Administrators, Administrators (Read only), Inventory Administrators, Inventory Administrators (Read only), Local Administrators, Local Administrators (Read Only) |