Namespaces privileges control who can create and manage VMware vSphere® with VMware Tanzu™ namespaces.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 1. Namespaces Privileges
| Privilege Name | Description | Required On |
| --- | --- | --- |
| Namespaces.Allows disk decommission operations | Allows for decommissioning operations of data stores. | Data stores |
| Namespaces.Backup Workloads component files | Allows for backing up the contents of the etcd cluster (used only in VMware Cloud on AWS). | |
| Namespaces.Modify cluster-wide configuration | Allows modifying the cluster-wide configuration, and enabling and disabling cluster namespaces. | |
| Namespaces.Modify cluster-wide namespace self-service configuration | Allows modifying the namespace self-service configuration. | (for activating and deactivating); (for modifying the configuration); vCenter Server (for creating a template) |
| Namespaces.Modify namespace configuration | Allows modifying namespace configuration options such as resource allocation and user permissions. | |
| Namespaces.Toggle cluster capabilities | Allows manipulating the state of cluster capabilities (used internally only for VMware Cloud on AWS). | |
| Namespaces.Upgrade clusters to newer versions | Allows initiation of the cluster upgrade. | |