vCenter Server provides a sample role that allows you to give users or groups privileges to manage content libraries.

Content Library Administrator Role

The Content Library Administrator role is a predefined role that gives a user privileges to monitor and manage a library and its contents.

You can modify the role or use it as an example to create custom roles for specific tasks you want to allow other users to perform.

If a user has this role on a library, that user can perform the following tasks on that library.
  • Create, edit, and delete local or subscribed libraries.
  • Create and delete subscriptions to a local library with publishing enabled.
  • Publish a library or a library item to a subscription.
  • Synchronize a subscribed library and synchronize items in a subscribed library.
  • View the item types supported by the library.
  • Configure the global settings for the library.
  • Import items to a library.
  • Export library items.

Content Library Permissions Hierarchy and Inheritance

vSphere objects inherit permissions from a parent object in the hierarchy. Content libraries work in the context of a single vCenter Server instance. However, content libraries are not direct children of a vCenter Server system from an inventory perspective.

The direct parent of content libraries is the global root. This means that if you set a permission at a vCenter Server level and propagate it to the child objects, the permission applies to data centers, folders, clusters, hosts, virtual machines, and so on, but does not apply to the content libraries that you see and operate with in this vCenter Server instance. To assign a permission on a content library, an Administrator must grant the permission to the user as a global permission. Global permissions support assigning privileges across solutions from a global root object.

The figure illustrates the inventory hierarchy and the paths by which permissions can propagate.

Figure 1. vSphere Inventory Hierarchy (diagram of permission inheritance in the vSphere inventory hierarchy)

To let a user manage a content library and its items, an Administrator can assign the Content Library Administrator role to that user as a global permission. The Content Library Administrator role is a sample role in the vSphere Client.

Users who are Administrators can also manage libraries and their contents. If a user is an Administrator at a vCenter Server level, they have sufficient privileges to manage the libraries that belong to this vCenter Server instance, but cannot see the libraries unless they have a Read-Only role as a global permission.

For example, a user has an Administrator role that is defined at a vCenter Server level. When the Administrator navigates to Content Libraries in the object navigator, they see 0 libraries even though libraries exist in the vSphere inventory of that vCenter Server instance. To see the libraries, the Administrator needs a Read-Only role assigned as a global permission.

Administrators whose role is defined as a global permission can see and manage the libraries in all vCenter Server instances that belong to the global root.

Because content libraries and their child items inherit permissions only from the global root object, when you navigate to a library or a library item and click the Configure tab, you can see that there is no Permissions tab. An Administrator cannot assign individual permissions on different libraries or on different items within a library.
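
The inheritance rules above, as a small Python model added here for auditing who can reach content libraries; it is not VMware code or a vSphere API. The object names, principals and assignments are constructed, and the model assumes one role per principal per object, with the nearest assignment winning.

```python
# Simplified model of the permission rules described in this section.
# All inventory names, principals and assignments are constructed samples.
PARENT = {  # child -> parent
    "vcenter-01": "global-root",
    "datacenter-a": "vcenter-01",
    "vm-web01": "datacenter-a",
    "library-templates": "global-root",  # libraries hang off the global root
}
LIBRARY_VCENTER = {"library-templates": "vcenter-01"}  # instance hosting each library

# (principal, role, object, propagate_to_children)
PERMISSIONS = [
    ("alice", "Administrator", "vcenter-01", True),
    ("bob", "Administrator", "vcenter-01", True),
    ("bob", "Read-Only", "global-root", True),
    ("carol", "Content Library Administrator", "global-root", True),
    ("dave", "Read-Only", "global-root", True),
]
MANAGE_ROLES = {"Administrator", "Content Library Administrator"}


def inherited_role(principal, obj, permissions=PERMISSIONS):
    """Role reaching obj: a permission set on obj itself, otherwise the
    nearest ancestor permission that propagates to children."""
    node, is_self = obj, True
    while node is not None:
        for who, role, target, propagate in permissions:
            if who == principal and target == node and (is_self or propagate):
                return role
        node, is_self = PARENT.get(node), False
    return None


def library_access(principal, library, permissions=PERMISSIONS):
    """Return (can_see, has_manage_privileges) for a content library."""
    # Libraries inherit only from the global root, so visibility needs a
    # global permission; a vCenter-level assignment never reaches them.
    global_role = inherited_role(principal, library, permissions)
    can_see = global_role is not None
    # A vCenter-level Administrator holds the privileges to manage that
    # instance's libraries, but may still be unable to see them.
    vc_role = inherited_role(principal, LIBRARY_VCENTER[library], permissions)
    has_manage = global_role in MANAGE_ROLES or vc_role == "Administrator"
    return can_see, has_manage


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, library_access(user, "library-templates"))
```

In this sample, `alice` reproduces the case from the text: Administrator at the vCenter Server level, yet no visible libraries until a global permission such as Read-Only is added, as it is for `bob`.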