As an organization owner, you must configure users so that your Tanzu Hub users can see and manage the applications assigned to them. You can configure projects if you want selected users to have one set of permissions for the resources in one project and different permissions in another project.

Tanzu Hub uses role-based access. There are three types of roles:

  • Organization roles
  • Service roles
  • Project roles

All users must have at least an Organization Member role to access the service console and at least a Tanzu Hub Viewer role to open and view the service UI.

Additional roles and permissions are explained in the following sections.

Organization roles

Organization roles provide access to the service console. Each role has particular permissions. This section provides an overview of the four key roles. For more information about how the roles affect general organization permissions, see VMware Cloud Services organization roles.

Table 1. Organization Role Description

| Role | Permissions |
| --- | --- |
| Organization owner | Users can open the console, assign organization roles to all users, and assign service roles to all organization roles, including to themselves. |
| Organization administrator | Users can open the console and assign service roles to organization members. |
| Organization member | Users can open the console. To open a service, they must have a service role assigned by an owner or administrator. |

Service roles

The service roles determine what you can see and do in Tanzu Hub. Some of the services that are presented in the Tanzu Hub UI require additional service roles. These roles are defined in the console by an organization owner or administrator.

You must give users at least a viewer role to open Tanzu Hub.

Table 2. Tanzu Hub Service Roles

| Role | Description |
| --- | --- |
| Tanzu Hub Admin | User can fully manage the resources, making changes where needed. |
| Tanzu Hub Viewer | User can see resources but cannot make changes. |
| Tanzu Hub Admin Bundle | User has the Tanzu Hub admin role and read-only roles for other Tanzu and Aria services unless another role is specifically granted for the service. |
| Tanzu Hub Viewer Bundle | User has the Tanzu Hub viewer role and read-only roles for other Tanzu and Aria services unless another role is specifically granted for the service. |

To work with ,

To work with the Tanzu Insights service, you must give the users one of the following roles in addition to at least a Hub Viewer role.

Table 3. VMware Tanzu Insights service roles

| Role | Description |
| --- | --- |
| Insights Admin | User can view and manage all insights, including resolving insights. |
| Insights Viewer | User can view all insights. They cannot make any changes. |

To work with VMware Tanzu Guardrails governance, which is based on two services, you must give the users one or more of the following roles depending on what permissions you want them to have. You must also give the users at least a Hub Viewer role.

Table 4. VMware Tanzu Guardrails and VMware Aria Automation for Secure Clouds service roles

| Role | Description |
| --- | --- |
| Guardrails Admin | User can create policy templates for the configuration of cloud resources and run actions on them. To add or update data source accounts, users with this role must also have the Tanzu Hub Admin role. |
| Guardrails Viewer | User can view policy templates and desired states, and view the run history of the desired states. |
| VMware Aria Automation for Secure Clouds > Secure State Admin | User can create and modify security posture policies and compliance frameworks. To add or update data source accounts, users with this role must also have the Tanzu Hub Admin role. |
| VMware Aria Automation for Secure Clouds > Secure State Analyst | User can perform more limited create and edit tasks than an administrator. |
| VMware Aria Automation for Secure Clouds > Secure State Viewer | User can view security posture policies and compliance frameworks but cannot make any changes. |

To work with the VMware Tanzu Transformer service, you must give the users one of the following roles in addition to at least a Hub Viewer role.

Table 5. VMware Tanzu Transformer service roles

| Role | Description |
| --- | --- |
| Aria Migration Read Only | User can view all assessments and assumptions. They cannot make any changes. |
| Aria Migration Admin | User can edit assessments, scope, and assumption. To add or update data source accounts, the user must have the Tanzu Hub Admin role. |

How service roles interact with project roles

A project is a collection of resources to which you can assign users with different roles. For example, you might assign a user a Viewer role in the service, but you can assign them a project administrator role if you want to allow them to fully manage the resources in one project.

Review the following ways that service roles interact with project roles. The Hub role is used as an example. The behavior applies to all service roles and how they interact with projects.

  • A user with the Hub Admin service role can perform all actions anywhere in Tanzu Hub.
  • A user with the service Hub Viewer role can see everything in Tanzu Hub, but they can't make any changes.
  • When resources are assigned to projects, a user who has the Hub Viewer role and the Hub Viewer project role can see only the resources in the projects that they are members of.
  • A user who has the Hub Viewer service role and the Hub Admin project role can see everything in Tanzu Hub. However, they can only make changes to the resources in their projects. The project Admin role takes precedence over the service Viewer role for the project.
  • If a user has the Hub Admin service role and a Hub Viewer project role, they can make changes to the resources in that project and to the resources in any project. The service Admin role takes precedence over the project Viewer role.
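
The precedence rules in the list above, modeled as an added example for reviewing an access design; it is not VMware code and does not call any Tanzu Hub API. The role constants, the `User` class, and the project names are hypothetical, and two cases the page does not cover are handled by labelled assumptions: a user who is Viewer in one project and Admin in another, and unassigned resources for a user who holds only Viewer project roles.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ADMIN, VIEWER = "admin", "viewer"  # hypothetical labels for Hub Admin / Hub Viewer


@dataclass
class User:
    service_role: Optional[str]                    # Hub service role, None if not granted
    project_roles: Dict[str, str] = field(default_factory=dict)  # project -> project role


def effective_access(user: User, resource_project: Optional[str]) -> Tuple[bool, bool]:
    """Return (can_view, can_edit) for a resource assigned to resource_project.

    resource_project is None for a resource that is not assigned to any project.
    """
    if user.service_role is None:
        # At least the Viewer service role is required to open Tanzu Hub at all.
        return (False, False)
    if user.service_role == ADMIN:
        # The service Admin role takes precedence over any project role.
        return (True, True)

    # From here on the user holds the Viewer service role.
    role_here = user.project_roles.get(resource_project)
    if not user.project_roles:
        # Service Viewer with no project roles: sees everything, changes nothing.
        return (True, False)
    if ADMIN in user.project_roles.values():
        # Project Admin: sees everything, edits only in projects where they are Admin.
        # Assumption: this also holds when the user is only Viewer in other projects.
        return (True, role_here == ADMIN)
    # Only Viewer project roles: visibility narrows to the user's own projects.
    # Assumption: resources outside any project are hidden in this case as well.
    return (role_here == VIEWER, False)


if __name__ == "__main__":
    # Constructed sample users and projects.
    users = {
        "service-admin+project-viewer": User(ADMIN, {"payments": VIEWER}),
        "service-viewer": User(VIEWER),
        "service-viewer+project-viewer": User(VIEWER, {"payments": VIEWER}),
        "service-viewer+project-admin": User(VIEWER, {"payments": ADMIN}),
    }
    for name, user in users.items():
        for project in ("payments", "billing"):
            print(name, project, effective_access(user, project))
```
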