With role-based access control, you can create a role to manage one action or many actions.

When you create a role, you can add one or more services to the role. You name the role, then select the services and the specific actions within each service that the role can manage.

  • When you create a role with the Directory Management service, the Identity and Access Management service must also be configured in the role.
  • When you create a role with the Roles Administration service, the User and Groups service must also be configured, with the actions to manage users and to manage groups selected.


To create a role, you must be a super admin or an admin assigned a role that is configured with the Roles Administration service.


  1. In the VMware Identity Manager console Roles tab, click Add.
  2. In the Role Name text box, enter a descriptive role name and add a description.
    Each role name in your environment must be unique.
  3. Click Next.
  4. Select the service to be managed by this role.
  5. In the Actions drop-down menu, select the type of actions that can be managed.
  6. Select All resources to manage all resources within the action, or select Some and then select the condition that can be managed from the Conditions drop-down menu.
  7. To add additional actions to be managed by this role, click + and complete the configuration action.
  8. Click Save.
    The Services page displays the configuration you set up.
  9. If you want to add another service to this role, select the service and complete the configuration steps 5–8.
  10. When finished, click Save on the Configuration page.

What to do next

Assign this role to users to make them administrators of this service.