As an administrator, you can create a custom role that you can use in access policies in VMware Tanzu Mission Control.

Tanzu Mission Control provides a set of standard roles that you can use to establish a baseline security posture for your organization. To suit the needs of your organization, you can also create custom roles that have a more specific focus. For example, say your organization has a small group that manages the data protection aspects of all your clusters. In such a case, you can create a custom role that contains all of the necessary permissions for this set of tasks without adding other administrative permissions that the members of this group don't need.


Make sure you have the appropriate permissions.
  • To create a custom role, you must be associated with the orginization.admin role for the organization.

Log in to the Tanzu Mission Control console, and then go to the Administration page.


  1. On the Administration page in the Tanzu Mission Control console, click the Roles tab.
  2. Click Create Custom Role.
    Note: You can optionally use an existing role, either built-in or custom, as a pattern for the new role. Click the menu icon for the existing role in the table on the Roles tab, and then choose Create role from selected.
  3. Provide a name for the custom role.
  4. You can optionally provide a description so other team members understand the purpose of the custom role.
  5. Select the visibility for the custom role.
    1. Click Cluster or Workspace.
    2. Select the hierarchy levels to which the role can be applied.
  6. Select the permissions to include in the custom role.
    You can sort and filter the permissions displayed in the table to locate the individual permissions you want to add.
    • To select a permission, click its checkbox.
    • To select all permissions, click the select all checkbox at the top of the table. Be aware that the select all checkbox selects all of the available permissions, not just those that are currently displayed. If you have applied a filter, you do not see all of the permissions you have selected by clicking the select all checkbox.
  7. You can optionally add one or more Kubernetes RBAC rules for the custom role.
    1. Click the checkbox to select one or more Kubernetes permission type.
    2. Select one or more Kubernetes resource type.
    3. Specify an API group.
    4. Click Add Rule.
    5. You can optionally repeat these steps to include additional Kubernetes RBAC rules.
  8. You can optionally click Deprecate to toggle the prevention of new role bindings from using the custom role.
  9. Click Create.


When you click Create, Tanzu Mission Control creates the custom role. It is now available for creating access policies for the objects you specified for its visibility.