You manage access to Cloud Assembly by assigning enterprise groups to service roles in your organization.

Cloud Assembly has three service roles assigned from identity and access management. You assign the service roles to designated enterprise groups, synchronized from your enterprise identity source through Workspace ONE Access.

Table 1. Service Role Assignments for Cloud Assembly in vRealize Automation

| Service Role | Description | Enterprise Group |
|---|---|---|
| Cloud Assembly Administrator | Read and write access to the entire Cloud Assembly user interface and API. Configure cloud accounts, integrations, cloud zones, and Kubernetes zones. Create and manage projects, including project membership. | rainpole.io\ug-vra-cloud-assembly-admins |
| Cloud Assembly User | Limited access to the Cloud Assembly user interface and API. Access is based on project membership: project administrator or project member. | rainpole.io\ug-vra-cloud-assembly-users |
| Cloud Assembly Viewer | Read-only access to the Cloud Assembly user interface and API. Restricted from create, update, or delete operations. | rainpole.io\ug-vra-cloud-assembly-viewers |

You can also define more granular custom roles and then assign users to those roles. The custom roles have two categories, view and manage:

View
A user assigned to a role with this permission can see all the items for all projects in the selected sections of the user interface.
Manage
A user assigned to a role with this permission can see all the items and has full add, edit, and delete permissions for all projects in the selected sections of the user interface.

These permissions extend the privileges that are granted by the other roles and are not restricted by project membership.

For information about the service role design decisions for the vRealize Automation Cloud Assembly service, see Identity Management Design for vRealize Automation.