Roles

VMware Cloud Director uses roles and their associated rights to determine whether a user or group is authorized to perform an operation. Most of the procedures documented in the VMware Cloud Director guides include a prerequisite role. These prerequisites assume that the named role is the unmodified predefined role or a role that includes an equivalent set of rights.

System administrators can use rights bundles and global tenant roles to manage the rights and roles that are available to each organization.

Predefined Provider Roles:

• System Administrator: The System Administrator role exists only in the provider organization. This role includes all rights in the system. A System Administrator can create additional system administrator and user accounts in the provider organization.

• Multisite System: Used for running the heartbeat process for multisite deployments. This role has only a single right, Multisite: System Operations, which gives the permission to make a VMware Cloud Director OpenAPI request that retrieves the status of the remote member of a site association.

Predefined Global Tenant Roles:

• Organization Administrator: After creating an organization, a System Administrator can assign the role of Organization Administrator to any user in the organization. A user with the predefined Organization Administrator role can manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. Roles created or modified by an Organization Administrator are not visible to other organizations.

• Catalog Author: The predefined Catalog Author role allows a user to create and publish catalogs.

• vApp Author: The predefined vApp Author role allows a user to use catalogs and create vApps.

• vApp User: The predefined vApp User role allows a user to use existing vApps.

• Console Access Only: The predefined Console Access Only role allows a user to view VM state and properties and to use the guest OS.

• Defer to Identity Provider: The rights associated with the predefined Defer to Identity Provider role are determined based on the information received from the user's OAuth or SAML Identity Provider. When a user or group is assigned the Defer to Identity Provider role, the user or group name provided by the Identity Provider must exactly match the role or group name defined in your organization. Otherwise, the user or group is not qualified for inclusion.

  • If an OAuth Identity Provider defines a user, the user is assigned the roles named in the roles array of the user's OAuth token.

  • If a SAML Identity Provider defines a user, the user is assigned the roles named in the SAML attribute. The SAML attribute name appears in the RoleAttributeName element, which is in the SamlAttributeMapping element in the organization's OrgFederationSettings.

Authentication

You can integrate VMware Cloud Director with an external identity provider and import users and groups to your organizations. You can configure an LDAP server connection at a system or organization level. You can configure a SAML integration at an organization level.

You can configure an organization to use the system LDAP connection as a shared source of users and groups, or an organization can use a separate LDAP connection as a private source of users and groups.

If you want to import users and groups from a SAML identity provider to your system organization, you must configure your system organization with this SAML identity provider. Imported users can log in to the system organization with the credentials established in the SAML identity provider.

To configure VMware Cloud Director with a SAML identity provider, you establish a mutual trust by exchanging SAML service provider and identity provider metadata.