Each vCloud Director predefined role contains a default set of rights required to perform operations included in common workflows. With the exception of the System Administrator role, each predefined role exists in every organization in the system.

The System Administrator Role

The system administrator role exists only in the System organization. The System organization and system administrator role include all rights. System administrator credentials are established during installation and configuration. A system administrator can create additional system administrator accounts. All system administrators are members of the System organization.

You cannot modify the rights associated with the System Administrator role. A system administrator can use the vCloud Director Web Console or the vCloud API to create or update other role objects in any organization in the system.

Predefined Roles

Predefined roles and the rights they contain are available in all organizations.

Organization Administrator

After creating an organization, a system administrator can assign the role of organization administrator to any user in the organization. A user with the predefined Organization Administrator role can use the vCloud Director Web Console or the vCloud API to manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. An organization administrator can use the vCloud API to create or update role objects that are local to the organization. Roles created or modified by an organization administrator are not visible to other organizations.

Catalog Author

The rights associated with the predefined Catalog Author role allow a user to create and publish catalogs.

vApp Author

The rights associated with the predefined vApp Author role allow a user to use catalogs and create vApps.

vApp User

The rights associated with the predefined vApp User role allow a user to use existing vApps.

Console Access Only

The rights associated with the predefined Console Access Only role allow a user to view virtual machine state and properties and to use the guest OS.

Defer to Identity Provider

Rights associated with the predefined Defer to Identity Provider role are determined from information received from the user's OAuth or SAML Identity Provider. When a user or group is assigned the Defer to Identity Provider role, a role or group name supplied by the Identity Provider counts only if it is an exact, case-sensitive match for a role or group name defined in your organization.

  • If the user is defined by an OAuth Identity Provider, the user will be assigned the roles named in the roles array of the user's OAuth token.

  • If the user is defined by a SAML Identity Provider, the user will be assigned the roles named in the SAML attribute whose name appears in the RoleAttributeName element in the organization's OrgFederationSettings.

If a user is assigned the Defer to Identity Provider role but no matching role or group name is available in your organization, the user can log in to the organization but has no rights. If an Identity Provider associates a user with a system-level role such as System Administrator, the user can log in to the organization but has no rights. You must manually assign a role to such users.
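The matching rules above (exact, case-sensitive names taken from the OAuth token's roles array or from the SAML attribute named by RoleAttributeName, with system-level role names never granting rights in an organization) can be simulated offline to predict what a federated user will end up with before they log in. The following is an added example, not vCloud Director code; the organization's role-to-rights mapping and the token and attribute values are constructed, and each right set is only a subset of the role's real defaults.

```python
"""Simulation of how the "Defer to Identity Provider" role is resolved, following
the rules the documentation states. Added example, not vCloud Director code."""

# Roles that exist only in the System organization. The documentation names
# System Administrator; extend this set if your deployment defines more.
SYSTEM_LEVEL_ROLES = frozenset({"System Administrator"})

# Constructed sample: role or group names defined in a tenant organization,
# mapped to the rights they grant. Right names are taken from the rights tables
# on this page; each set is a subset, not the full default set of the role.
ORG_ROLE_RIGHTS = {
    "Organization Administrator": {
        "vApp: Use Console",
        "vApp: Manage VM Password Settings",
        "Organization: Edit Federation Settings",
        "Role: Create, Edit, Delete, or Copy",
    },
    "Catalog Author": {
        "vApp: Use Console",
        "vApp: Manage VM Password Settings",
        "Catalog: Create / Delete a Catalog",
    },
    "vApp User": {"vApp: Use Console", "vApp: Manage VM Password Settings"},
}


def names_from_oauth_token(claims):
    """OAuth: role names come from the token's "roles" array."""
    return [r for r in claims.get("roles", []) if isinstance(r, str)]


def names_from_saml_attributes(attributes, role_attribute_name):
    """SAML: role names come from the attribute whose name is given by the
    RoleAttributeName element of the organization's OrgFederationSettings."""
    return list(attributes.get(role_attribute_name, []))


def resolve_deferred_roles(idp_names, org_role_rights=ORG_ROLE_RIGHTS):
    """Return (matched names, effective rights, ignored names).

    A name counts only if it is an exact, case-sensitive match for a role or
    group defined in the organization. System-level role names are ignored,
    so a user whose IdP supplies only those logs in with no rights.
    """
    matched, rights, ignored = [], set(), []
    for name in idp_names:
        if name in SYSTEM_LEVEL_ROLES or name not in org_role_rights:
            ignored.append(name)
            continue
        matched.append(name)
        rights |= org_role_rights[name]
    return matched, rights, ignored


def needs_manual_role(idp_names, org_role_rights=ORG_ROLE_RIGHTS):
    """True when the deferred assignment yields no rights at all, which is the
    case an administrator must fix by assigning a role by hand."""
    _, rights, _ = resolve_deferred_roles(idp_names, org_role_rights)
    return not rights


if __name__ == "__main__":
    # Constructed OAuth claims: one exact match, one case mismatch, one system role.
    claims = {"sub": "alice", "roles": ["vApp User", "vapp user", "System Administrator"]}
    print(resolve_deferred_roles(names_from_oauth_token(claims)))

    # Constructed SAML attributes, with RoleAttributeName set to "Groups".
    attrs = {"Groups": ["Catalog Author"], "mail": ["bob@example.com"]}
    print(resolve_deferred_roles(names_from_saml_attributes(attrs, "Groups")))

    # Only a system-level role supplied: login succeeds, but no rights.
    print(needs_manual_role(["System Administrator"]))  # True
```

Running the simulation against the names your IdP actually emits is a cheap way to catch case mismatches ("vapp user" versus "vApp User") and group renames before users report that they can log in but cannot do anything.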

With the exception of the Defer to Identity Provider role, each predefined role includes a set of default rights. Only a system administrator can modify the rights in a predefined role. If a system administrator modifies a predefined role, the modifications propagate to all instances of the role in the system.

Rights in Predefined Roles

A system administrator can use the vCloud Director Web Console to view the list of rights included in a role.

  1. Click the Administration tab.

  2. Click Roles in the left pane.

  3. Right-click a role and select Properties.

An organization administrator can use the vCloud API to view the rights in a role or create new roles local to the organization.

Rights Included in Multiple Predefined Roles

A number of rights are common to many predefined roles. These rights are granted by default to all new organizations, and are available for use in other roles created by the organization administrator.

Table 1. Rights Included in Multiple Predefined Roles

| Right Name | Description | Number of the five predefined roles (Organization Administrator, Catalog Author, vApp Author, vApp User, Console Access Only) that include this right |
|---|---|---|
| Catalog: Add vApp from My Cloud | Permission to add a vApp from My Cloud to a catalog in my organization. | 3 of 5 |
| Catalog: CLSP Publish Subscribe | Permission to publish catalogs for external consumption and to subscribe to external catalog feeds. Organization must be configured to allow publishing externally, subscribing to external catalogs, or both. | 2 of 5 |
| Catalog: Create / Delete a Catalog | Permission to create and delete catalogs. | 2 of 5 |
| Catalog: Edit Properties | Permission to edit catalog properties. | 2 of 5 |
| Catalog: Publish | Permission to share catalogs with users and groups in other organizations. Organization must be configured to allow sharing catalogs with other organizations. | 2 of 5 |
| Catalog: Sharing | Permission to share catalogs to users and groups in the same organization. | 2 of 5 |
| Catalog: View ACL | Permission to view the access control list of any catalog in the organization. | 2 of 5 |
| Catalog: View Private and Shared Catalogs | Permission to view both private and shared catalogs in the organization. | 3 of 5 |
| Disk: Create | Permission to create independent disks. | 3 of 5 |
| Disk: Delete | Permission to delete independent disks. | 3 of 5 |
| Disk: Edit Properties | Permission to edit the properties of an independent disk. | 3 of 5 |
| Disk: View Properties | Permission to view the properties of an independent disk. | 4 of 5 |
| Organization vDC: View | Permission to view all VDCs in the organization. | 2 of 5 |
| Organization vDC: VM-VM Affinity Edit | Permission to edit VM-VM affinity for VMs in all VDCs in the organization. | 2 of 5 |
| Organization: View | Permission to view organization contents. | 3 of 5 |
| vApp Template / Media: Copy | Permission to copy or move catalog items (vApp templates or media). | 3 of 5 |
| vApp Template / Media: Create / Upload | Permission to create or upload catalog items (vApp templates or media). | 2 of 5 |
| vApp Template / Media: Edit | Permission to modify catalog items (vApp templates or media). | 2 of 5 |
| vApp Template / Media: View | Permission to view catalog items (vApp templates or media). | 4 of 5 |
| vApp Template: Checkout | Permission to use a vApp template to create a vApp in My Cloud. | 4 of 5 |
| vApp Template: Download | Permission to download a vApp template as an OVF package. | 2 of 5 |
| vApp: Change Owner | Permission to change the owner of a vApp. | 2 of 5 |
| vApp: Copy | Permission to make a copy of a vApp. | 4 of 5 |
| vApp: Create / Reconfigure | Permission to create and reconfigure vApps. | 3 of 5 |
| vApp: Delete | Permission to delete a vApp. | 4 of 5 |
| vApp: Download | Permission to download a vApp as an OVF package. | 3 of 5 |
| vApp: Edit Properties | Permission to edit vApp general properties. | 4 of 5 |
| vApp: Edit VM CPU | Permission to edit vApp CPU properties. | 3 of 5 |
| vApp: Edit VM Hard Disk | Permission to edit vApp hard disk properties. | 3 of 5 |
| vApp: Edit VM Memory | Permission to edit vApp memory properties. | 4 of 5 |
| vApp: Edit VM Network | Permission to edit vApp network properties. | 4 of 5 |
| vApp: Edit VM Properties | Permission to edit VM general properties. | 4 of 5 |
| vApp: Manage VM Password Settings | Permission to modify VM passwords. | 5 of 5 |
| vApp: Power Operations | Permission to change VM power state. | 4 of 5 |
| vApp: Sharing | Permission to share a vApp with other members of the organization. | 4 of 5 |
| vApp: Snapshot Operations | Permission to create, delete, and revert to a vApp snapshot. | 4 of 5 |
| vApp: Upload | Permission to upload an OVF package as a vApp. | 3 of 5 |
| vApp: Use Console | Permission to open a console connection to a VM in a vApp. | 5 of 5 |
| vApp: View ACL | Permission to view the access control list of a vApp. | 2 of 5 |
| vApp: View VM metrics | Permission to view current metrics of VMs in a vApp. | 3 of 5 |
| vApp: VM Boot Options | Permission to edit vApp boot options such as boot delay and recustomization. | 3 of 5 |
| vApp: Allow metadata mapping domain to vCenter | Permission to create or update vApp object metadata in the VCENTER domain. | 3 of 5 |
| VCD Extension: View Tenant Portal Plugin Information | Permission to view plug-ins available for the vCloud Director Tenant Portal. | 4 of 5 |

Additional Rights Included in the Predefined Organization Administrator Role

The following additional rights are included in the predefined organization administrator role. They are not included in any other predefined role except system administrator. These rights are granted by default to all new organizations, and are available for use in other roles created by the organization administrator.

Table 2. Additional Rights Included in the Predefined Organization Administrator Role

| Right Name | Description |
|---|---|
| Access All Organization VDCs | Permission to view and modify all VDCs in the organization. |
| Catalog: Change Owner | Permission to change the owner of any catalog in the organization. |
| Catalog: View Published Catalogs | Permission to view catalogs shared from other organizations. |
| Disk: Change Owner | Permission to change the owner of an independent disk. |
| General: Administrator Control | Permission to modify objects in the organization. |
| General: Administrator View | Permission to view objects in the organization. |
| General: Send Notification | Permission to configure notifications sent to members of the organization. See Configure System Notification Settings. |
| Group / User: View | Permission to view local users and groups. |
| Hybrid Cloud Operations: Acquire control ticket | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Acquire from-the-cloud tunnel ticket | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Acquire to-the-cloud tunnel ticket | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Create from-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Create to-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Delete from-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Delete to-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: Update from-the-cloud tunnel endpoint tag | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: View from-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Hybrid Cloud Operations: View to-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
| Organization Network: Edit Properties | Permission to modify properties of an organization VDC network. |
| Organization Network: View | Permission to view properties of an organization VDC network. |
| Organization vDC Distributed Firewall: Configure Rules | Advanced networking right. See "Manage Distributed Firewall Rules Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Distributed Firewall: View Rules | Advanced networking right. See "Manage Distributed Firewall Rules Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Gateway: Configure DHCP | Advanced networking right. See "Managing Edge Gateway DHCP Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Gateway: Configure Firewall | Advanced networking right. See "Firewall Configuration Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Gateway: Configure Load Balancer | Advanced networking right. See "About Load Balancing" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Gateway: Configure NAT | Advanced networking right. See "Managing Network Address Translation Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Gateway: Configure IPsec VPN | Advanced networking right. See "Configure IPsec VPN Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Gateway: Configure Static Routing | Advanced networking right. See "Advanced Routing Configuration Using the vCloud Director Tenant Portal" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Gateway: Configure Syslog | Advanced networking right. See "Statistics and Logs in the vCloud Director Tenant Portal" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Gateway: Convert to Advanced Networking | Permission to convert an Edge Gateway to Advanced Networking. |
| Organization vDC Gateway: View | Advanced networking right. See "Introducing Advanced Networking Capabilities for vCloud Director Tenants" in the vCloud Director Tenant Portal Guide. |
| Organization vDC Network: Edit Properties | Permission to modify the properties of an organization VDC network. See Configuring Organization Virtual Datacenter Network Services. |
| Organization vDC Network: View Properties | Permission to view the properties of an organization VDC network. See Configuring Organization Virtual Datacenter Network Services. |
| Organization vDC Storage Profile: Set Default | Permission to change the default storage profile for an organization VDC. See Add a Storage Policy to a Provider Virtual Datacenter. |
| Organization vDC: Edit | Permission to change the configuration of an organization VDC. |
| Organization vDC: Edit ACL | Permission to create or update VDC access controls. (API only.) |
| Organization vDC: Manage Firewall | Permission to manage firewall rules on an Edge Gateway that is not an advanced gateway. |
| Organization vDC: View ACL | Permission to view VDC access controls. (API only.) |
| Organization: Edit Association Settings | Permission to create or modify an association with another organization. See Configuring and Managing Multisite Deployments. |
| Organization: Edit Federation Settings | Permission to modify organization federation (IDP) settings. |
| Organization: Edit Leases Policy | Permission to modify default storage and runtime leases for vApps. See Modify Organization Lease, Quota, and Limit Settings. |
| Organization: Edit OAuth Settings | Permission to create or modify organization OAUTH IDP settings. |
| Organization: Edit Password Policy | Permission to create or modify organization password policies. |
| Organization: Edit Properties | Permission to modify organization properties. See Editing Organization Properties. |
| Organization: Edit Quotas Policy | Permission to modify organization quotas for VMs. See Modify Organization Lease, Quota, and Limit Settings. |
| Organization: Edit SMTP Settings | Permission to modify organization SMTP (e-mail) policies. See Configure SMTP Settings. |
| Organization: Import User/Group from IdP while Editing VDC ACL | Unused by vCloud Director. |
| Role: Create, Edit, Delete, or Copy | Permission to create or modify roles in your organization. See Create, Update, or Delete a Role. |
| VDC Template: Instantiate | Permission to create an organization VDC from a template. See Instantiate an Organization Virtual Data Center Template. |
| VDC Template: View | Permission to view an organization VDC template. See Instantiate an Organization Virtual Data Center Template. |
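Because Table 2 rights appear in no predefined role other than Organization Administrator (and System Administrator), and because a change to a predefined role propagates to every organization, it is worth periodically comparing each role's rights, as retrieved through the vCloud API, with a baseline and flagging any Table 2 right that has found its way into a lesser role. The following is an added example, not vCloud Director or pyvcloud code. It assumes the vCloud API's XML representation of a role: a Role element in the http://www.vmware.com/vcloud/v1.5 namespace whose RightReferences child holds one RightReference element per right, with the right's name in its name attribute. The sample document, its href values and the baseline are constructed.

```python
"""Audit a vCloud Director role's rights against a baseline and against the
organization-administrator-only rights of Table 2. Added example; the Role XML
layout is an assumption about the vCloud API, and all sample data is constructed."""
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"

# Rights this page lists in Table 2 (a subset): included only in the predefined
# Organization Administrator role and in System Administrator. Seeing one of
# these in any other role means the role has been changed from its defaults.
ORG_ADMIN_ONLY_RIGHTS = frozenset({
    "Access All Organization VDCs",
    "Catalog: Change Owner",
    "General: Administrator Control",
    "General: Administrator View",
    "Organization vDC: Edit",
    "Organization vDC: Edit ACL",
    "Organization: Edit Federation Settings",
    "Organization: Edit OAuth Settings",
    "Organization: Edit Password Policy",
    "Organization: Edit Properties",
    "Role: Create, Edit, Delete, or Copy",
})


def parse_role(role_xml):
    """Return (role name, set of right names) from a Role XML document."""
    root = ET.fromstring(role_xml)
    if root.tag != f"{{{VCLOUD_NS}}}Role":
        raise ValueError(f"not a vCloud Role document: {root.tag}")
    rights = {
        ref.get("name")
        for ref in root.iter(f"{{{VCLOUD_NS}}}RightReference")
        if ref.get("name")
    }
    return root.get("name"), rights


def audit_role(role_xml, baseline):
    """Compare a role's current rights with a baseline snapshot.

    Returns the rights added since the baseline, the rights removed, and any
    Table 2 right present in a role other than Organization Administrator.
    """
    name, current = parse_role(role_xml)
    escalating = set()
    if name != "Organization Administrator":
        escalating = current & ORG_ADMIN_ONLY_RIGHTS
    return {
        "role": name,
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
        "admin_only_rights": sorted(escalating),
    }


# Constructed sample response: a "vApp User" role that has gained a right it
# should not have. The href values are placeholders, not real identifiers.
SAMPLE_ROLE_XML = """<Role xmlns="http://www.vmware.com/vcloud/v1.5" name="vApp User"
      href="https://vcd.example.com/api/admin/role/ROLE-ID-PLACEHOLDER">
  <Description>Rights given to a user who uses existing vApps</Description>
  <RightReferences>
    <RightReference name="vApp: Use Console" href="https://vcd.example.com/api/admin/right/RIGHT-ID-1"/>
    <RightReference name="vApp: Manage VM Password Settings" href="https://vcd.example.com/api/admin/right/RIGHT-ID-2"/>
    <RightReference name="Role: Create, Edit, Delete, or Copy" href="https://vcd.example.com/api/admin/right/RIGHT-ID-3"/>
  </RightReferences>
</Role>
"""

# Constructed baseline: the rights recorded for this role when it was last
# reviewed (two rights that Table 1 shows in all five predefined roles).
VAPP_USER_BASELINE = {"vApp: Use Console", "vApp: Manage VM Password Settings"}

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE_XML, VAPP_USER_BASELINE))
```

In practice the baseline is a snapshot taken when the roles were last reviewed, and the audit runs against each role document fetched from the API; a non-empty `added`, `removed` or `admin_only_rights` list is the signal to look at who changed the role and why.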