Each vCloud Director predefined role contains a default set of rights required to perform operations included in common workflows. With the exception of the System Administrator role, each predefined role exists in every organization in the system.
The System Administrator Role
The system administrator role exists only in the System organization. The System organization and system administrator role include all rights. System administrator credentials are established during installation and configuration. A system administrator can create additional system administrator accounts. All system administrators are members of the System organization.
You cannot modify the rights associated with the System Administrator role. A system administrator can use the vCloud Director Web Console or the vCloud API to create or update other role objects in any organization in the system.
Predefined Roles
Predefined roles and the rights they contain are available in all organizations.
- Organization Administrator
- After creating an organization, a system administrator can assign the role of organization administrator to any user in the organization. A user with the predefined Organization Administrator role can use the vCloud Director Web Console or the vCloud API to manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. An organization administrator can use the vCloud API to create or update role objects that are local to the organization. Roles created or modified by an organization administrator are not visible to other organizations.
- Catalog Author
- The rights associated with the predefined Catalog Author role allow a user to create and publish catalogs.
- vApp Author
- The rights associated with the predefined vApp Author role allow a user to use catalogs and create vApps.
- vApp User
- The rights associated with the predefined vApp User role allow a user to use existing vApps.
- Console Access Only
- The rights associated with the predefined Console Access Only role allow a user to view virtual machine state and properties and to use the guest OS.
- Defer to Identity Provider
- Rights associated with the predefined Defer to Identity Provider role are determined based on information received from the user's OAuth or SAML Identity Provider. To qualify for inclusion when a user or group is assigned the Defer to Identity Provider role, a role or group name supplied by the Identity Provider must be an exact, case-sensitive match for a role or group name defined in your organization.
- If the user is defined by an OAuth Identity Provider, the user will be assigned the roles named in the roles array of the user's OAuth token.
- If the user is defined by a SAML Identity Provider, the user will be assigned the roles named in the SAML attribute whose name appears in the RoleAttributeName element in the organization's OrgFederationSettings.
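The matching rule described above, as an added example that is not part of the vCloud Director documentation or product code: role names supplied by an OAuth token's `roles` array or by the SAML attribute named in `RoleAttributeName` are compared to the organization's role names by exact, case-sensitive string equality, and every name that does not match is kept aside rather than approximated. The function and parameter names, the `ORG_ROLES` list and the sample token and assertion attributes are assumptions constructed for the example.

```python
# Added example (not part of the vCloud Director documentation or product
# code): how role names supplied by an Identity Provider are matched against
# the roles defined in an organization for a user who holds the
# "Defer to Identity Provider" role. The rule is the one stated in the text:
# an exact, case-sensitive match of the supplied name against a role name
# defined in the organization; anything else is ignored. Function and
# parameter names are assumptions, not vCloud Director APIs.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RoleResolution:
    """Names that matched an organization role exactly, and names that did not."""
    granted: list[str] = field(default_factory=list)
    unmatched: list[str] = field(default_factory=list)


def _match_exact(supplied_names: list[str], org_roles: list[str]) -> RoleResolution:
    result = RoleResolution()
    defined = set(org_roles)  # plain set membership: case-sensitive, no trimming
    for name in supplied_names:
        if name in defined:
            if name not in result.granted:
                result.granted.append(name)
        else:
            result.unmatched.append(name)  # keep for logging; never fuzzy-match
    return result


def resolve_oauth_roles(token_claims: dict, org_roles: list[str]) -> RoleResolution:
    """OAuth user: candidate role names come from the token's 'roles' array."""
    return _match_exact(list(token_claims.get("roles", [])), org_roles)


def resolve_saml_roles(saml_attributes: dict, federation_settings: dict,
                       org_roles: list[str]) -> RoleResolution:
    """SAML user: candidate names come from the SAML attribute whose name is
    given by RoleAttributeName in the organization's OrgFederationSettings."""
    attribute = federation_settings["RoleAttributeName"]
    return _match_exact(list(saml_attributes.get(attribute, [])), org_roles)


# Constructed sample data (not from the page): the five predefined role names,
# an OAuth token's claims, and the attributes carried by a SAML assertion.
ORG_ROLES = ["Organization Administrator", "Catalog Author", "vApp Author",
             "vApp User", "Console Access Only"]
SAMPLE_OAUTH_TOKEN = {"sub": "alice@example.test",
                      "roles": ["vApp Author", "vapp user", "Billing"]}
SAMPLE_FEDERATION_SETTINGS = {"RoleAttributeName": "memberOf"}
SAMPLE_SAML_ATTRIBUTES = {"memberOf": ["Catalog Author", "CATALOG AUTHOR"],
                          "mail": ["bob@example.test"]}


if __name__ == "__main__":
    oauth = resolve_oauth_roles(SAMPLE_OAUTH_TOKEN, ORG_ROLES)
    saml = resolve_saml_roles(SAMPLE_SAML_ATTRIBUTES, SAMPLE_FEDERATION_SETTINGS, ORG_ROLES)
    print(f"oauth: granted={oauth.granted} unmatched={oauth.unmatched}")
    print(f"saml:  granted={saml.granted} unmatched={saml.unmatched}")
```

In the sample data, `vapp user` and `CATALOG AUTHOR` differ from the organization's role names only in case, so they are rejected. A user whose Identity Provider sends only such names ends up with no effective rights, which is why the `unmatched` list is worth logging: it makes naming drift between the Identity Provider and the organization visible instead of silently producing users with no roles.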
With the exception of the Defer to Identity Provider role, each predefined role includes a set of default rights. Only a system administrator can modify the rights in a predefined role. If a system administrator modifies a predefined role, the modifications propagate to all instances of the role in the system.
Rights in Predefined Roles
To view the rights included in a predefined role in the vCloud Director Web Console:
- Click the Administration tab.
- Click Roles in the left pane.
- Right-click a role and select Properties.
Rights Included in Multiple Predefined Roles
A number of rights are common to many predefined roles. These rights are granted by default to all new organizations, and are available for use in other roles created by the organization administrator.
Right Name | Description | Organization Administrator | Catalog Author | vApp Author | vApp User | Console Access Only |
---|---|---|---|---|---|---|
Catalog: Add vApp from My Cloud | Permission to add a vApp from My Cloud to a catalog in my organization. | X | X | X | | |
Catalog: CLSP Publish Subscribe | Permission to publish catalogs for external consumption and to subscribe to external catalog feeds. Organization must be configured to allow publishing externally, subscribing to external catalogs, or both. | X | X | | | |
Catalog: Create / Delete a Catalog | Permission to create and delete catalogs. | X | X | | | |
Catalog: Edit Properties | Permission to edit catalog properties. | X | X | | | |
Catalog: Publish | Permission to share catalogs with users and groups in other organizations. Organization must be configured to allow sharing catalogs with other organizations. | X | X | | | |
Catalog: Sharing | Permission to share catalogs to users and groups in the same organization. | X | X | | | |
Catalog: View ACL | Permission to view the access control list of any catalog in the organization. | X | X | | | |
Catalog: View Private and Shared Catalogs | Permission to view both private and shared catalogs in the organization. | X | X | X | | |
Disk: Create | Permission to create independent disks. | X | X | X | | |
Disk: Delete | Permission to delete independent disks. | X | X | X | | |
Disk: Edit Properties | Permission to edit the properties of an independent disk. | X | X | X | | |
Disk: View Properties | Permission to view the properties of an independent disk. | X | X | X | X | |
Organization vDC: View | Permission to view all VDCs in the organization. | X | X | | | |
Organization vDC: VM-VM Affinity Edit | Permission to edit VM-VM affinity for VMs in all VDCs in the organization. | X | X | | | |
Organization: View | Permission to view organization contents. | X | X | X | | |
vApp Template / Media: Copy | Permission to copy or move catalog items (vApp templates or media). | X | X | X | | |
vApp Template / Media: Create / Upload | Permission to create or upload catalog items (vApp templates or media). | X | X | | | |
vApp Template / Media: Edit | Permission to modify catalog items (vApp templates or media). | X | X | | | |
vApp Template / Media: View | Permission to view catalog items (vApp templates or media). | X | X | X | X | |
vApp Template: Checkout | Permission to use a vApp template to create a vApp in My Cloud. | X | X | X | X | |
vApp Template: Download | Permission to download a vApp template as an OVF package. | X | X | | | |
vApp: Change Owner | Permission to change the owner of a vApp. | X | X | | | |
vApp: Copy | Permission to make a copy of a vApp. | X | X | X | X | |
vApp: Create / Reconfigure | Permission to create and reconfigure vApps. | X | X | X | | |
vApp: Delete | Permission to delete a vApp. | X | X | X | X | |
vApp: Download | Permission to download a vApp as an OVF package. | X | X | X | | |
vApp: Edit Properties | Permission to edit vApp general properties. | X | X | X | X | |
vApp: Edit VM CPU | Permission to edit vApp CPU properties. | X | X | X | | |
vApp: Edit VM Hard Disk | Permission to edit vApp hard disk properties. | X | X | X | | |
vApp: Edit VM Memory | Permission to edit vApp memory properties. | X | X | X | X | |
vApp: Edit VM Network | Permission to edit vApp network properties. | X | X | X | X | |
vApp: Edit VM Properties | Permission to edit VM general properties. | X | X | X | X | |
vApp: Manage VM Password Settings | Permission to modify VM passwords. | X | X | X | X | X |
vApp: Power Operations | Permission to change VM power state. | X | X | X | X | |
vApp: Sharing | Permission to share a vApp with other members of the organization. | X | X | X | X | |
vApp: Snapshot Operations | Permission to create, delete, and revert to a vApp snapshot. | X | X | X | X | |
vApp: Upload | Permission to upload an OVF package as a vApp. | X | X | X | | |
vApp: Use Console | Permission to open a console connection to a VM in a vApp. | X | X | X | X | X |
vApp: View ACL | Permission to view the access control list of a vApp. | X | X | | | |
vApp: View VM metrics | Permission to view current metrics of VMs in a vApp. | X | X | X | | |
vApp: VM Boot Options | Permission to edit vApp boot options such as boot delay and recustomization. | X | X | X | | |
vApp: Allow metadata mapping domain to vCenter | Permission to create or update vApp object metadata in the VCENTER domain. | X | X | X | | |
VCD Extension: View Tenant Portal Plugin Information | Permission to view plug-ins available for the vCloud Director Tenant Portal. | X | X | X | X | |
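Because an organization administrator can build custom roles from these same rights, a practical check is to compare a custom role against the predefined role it is modelled on and list every right it holds beyond that baseline, together with the predefined roles that do grant it. The following is an added example, not part of the vCloud Director documentation or product code: it parses a rights matrix in the table format used above (tolerating rows whose trailing empty cells are collapsed, such as `| X | X | |||`) into one set of rights per role, then audits a custom role. The embedded table is a constructed sample containing a few rows copied from the table above; `CUSTOM_ROLE_RIGHTS` and all function names are assumptions.

```python
# Added example (not part of the vCloud Director documentation or product
# code): parse a rights matrix in the "Right Name | Description | role ..."
# table format into one set of rights per predefined role, then report which
# rights a custom role holds beyond a chosen predefined baseline and which
# other predefined roles grant them. Function names are assumptions.
from __future__ import annotations

# Constructed sample: a few rows copied from the rights table, in the same
# pipe-delimited format, including rows with collapsed trailing empty cells.
SAMPLE_TABLE = """\
Right Name | Description | Organization Administrator | Catalog Author | vApp Author | vApp User | Console Access Only |
---|---|---|---|---|---|---|
Catalog: Publish | Permission to share catalogs with users and groups in other organizations. | X | X | |||
vApp: Create / Reconfigure | Permission to create and reconfigure vApps. | X | X | X | ||
vApp: Power Operations | Permission to change VM power state. | X | X | X | X | |
vApp: Manage VM Password Settings | Permission to modify VM passwords. | X | X | X | X | X |
vApp: Use Console | Permission to open a console connection to a VM in a vApp. | X | X | X | X | X |
"""


def _cells(line: str) -> list[str]:
    """Split a pipe-delimited row; drop the empty cell left by a terminating pipe."""
    cells = [c.strip() for c in line.split("|")]
    if cells and cells[-1] == "":
        cells.pop()
    return cells


def parse_rights_matrix(text: str) -> dict[str, set[str]]:
    """Return {role name: set of right names}. The first two columns are the
    right name and its description; every further column is a role, marked
    with X where the role includes the right. Short rows (collapsed trailing
    empty cells) are padded back to the header width."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = _cells(lines[0])
    roles = header[2:]
    matrix: dict[str, set[str]] = {role: set() for role in roles}
    for line in lines[1:]:
        if set(line.replace("|", "").strip()) <= {"-"}:
            continue  # header separator row
        cells = _cells(line)
        cells = (cells + [""] * len(header))[: len(header)]
        right = cells[0]
        for role, mark in zip(roles, cells[2:]):
            if mark.upper() == "X":
                matrix[role].add(right)
    return matrix


def audit_role(candidate_rights, baseline_role: str, matrix) -> dict[str, list[str]]:
    """Rights in the candidate that the baseline predefined role does not grant,
    each mapped to the sorted list of predefined roles that do grant it."""
    baseline = matrix[baseline_role]
    return {
        right: sorted(role for role, rights in matrix.items() if right in rights)
        for right in sorted(set(candidate_rights) - baseline)
    }


# Constructed sample: a custom role built from vApp User plus two extra rights.
CUSTOM_ROLE_RIGHTS = [
    "vApp: Power Operations",
    "vApp: Use Console",
    "vApp: Create / Reconfigure",
    "Catalog: Publish",
]

if __name__ == "__main__":
    matrix = parse_rights_matrix(SAMPLE_TABLE)
    for right, holders in audit_role(CUSTOM_ROLE_RIGHTS, "vApp User", matrix).items():
        print(f"beyond vApp User: {right!r} (granted to: {', '.join(holders)})")
```

Run against the sample, the audit reports `Catalog: Publish` (otherwise held only by Organization Administrator and Catalog Author) and `vApp: Create / Reconfigure` (Organization Administrator, Catalog Author and vApp Author) as the two rights that lift the custom role above vApp User. Feeding the full table into `parse_rights_matrix` gives the complete baseline sets; rights from the Organization Administrator-only table below will then show up with a single holder, which is the signal that a custom role carrying them is effectively an administrator role.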
Additional Rights Included in the Predefined Organization Administrator Role
The following additional rights are included in the predefined organization administrator role. They are not included in any other predefined role except system administrator. These rights are granted by default to all new organizations, and are available for use in other roles created by the organization administrator.
Right Name | Description |
---|---|
Access All Organization VDCs | Permission to view and modify all VDCs in the organization. |
Catalog: Change Owner | Permission to change the owner of any catalog in the organization. |
Catalog: View Published Catalogs | Permission to view catalogs shared from other organizations. |
Custom entity: View all custom entity instances in an org | See the vCloud Director Service Provider Portal Guide. |
Custom entity: View custom entity instance | See the vCloud Director Service Provider Portal Guide. |
Disk: Change Owner | Permission to change the owner of an independent disk. |
General: Administrator Control | Permission to modify objects in the organization. |
General: Administrator View | Permission to view objects in the organization. |
General: Send Notification | Permission to configure notifications sent to members of the organization. See Configure System Notification Settings. |
Group / User: View | Permission to view local users and groups. |
Hybrid Cloud Operations: Acquire control ticket | This right is required by certain vCloud Director hybrid extensions. |
Hybrid Cloud Operations: Acquire from-the-cloud tunnel ticket | This right is required by certain vCloud Director hybrid extensions. |
Hybrid Cloud Operations: Acquire to-the-cloud tunnel ticket | This right is required by certain vCloud Director hybrid extensions. |
Hybrid Cloud Operations: Create from-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
Hybrid Cloud Operations: Create to-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
Hybrid Cloud Operations: Delete from-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
Hybrid Cloud Operations: Delete to-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
Hybrid Cloud Operations: Update from-the-cloud tunnel endpoint tag | This right is required by certain vCloud Director hybrid extensions. |
Hybrid Cloud Operations: View from-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
Hybrid Cloud Operations: View to-the-cloud tunnel | This right is required by certain vCloud Director hybrid extensions. |
Organization Network: Edit Properties | Permission to modify properties of an organization VDC network. |
Organization Network: View | Permission to view properties of an organization VDC network. |
Organization vDC Distributed Firewall: Configure Rules | Advanced networking right. See "Manage Distributed Firewall Rules Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
Organization vDC Distributed Firewall: View Rules | Advanced networking right. See "Manage Distributed Firewall Rules Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
Organization vDC Gateway: Configure DHCP | Advanced networking right. See "Managing Edge Gateway DHCP Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
Organization vDC Gateway: Configure Firewall | Advanced networking right. See "Firewall Configuration Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
Organization vDC Gateway: Configure Load Balancer | Advanced networking right. See "About Load Balancing" in the vCloud Director Tenant Portal Guide. |
Organization vDC Gateway: Configure NAT | Advanced networking right. See "Managing Network Address Translation Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
Organization vDC Gateway: Configure IPsec VPN | Advanced networking right. See "Configure IPsec VPN Using the Tenant Portal" in the vCloud Director Tenant Portal Guide. |
Organization vDC Gateway: Configure Static Routing | Advanced networking right. See "Advanced Routing Configuration Using the vCloud Director Tenant Portal" in the vCloud Director Tenant Portal Guide. |
Organization vDC Gateway: Configure Syslog | Advanced networking right. See "Statistics and Logs in the vCloud Director Tenant Portal" in the vCloud Director Tenant Portal Guide. |
Organization vDC Gateway: Convert to Advanced Networking | Permission to convert an Edge Gateway to Advanced Networking. |
Organization vDC Gateway: View | Advanced networking right. See "Introducing Advanced Networking Capabilities for vCloud Director Tenants" in the vCloud Director Tenant Portal Guide. |
Organization vDC Network: Edit Properties | Permission to modify the properties of an organization VDC network. See Configuring Organization Virtual Datacenter Network Services. |
Organization vDC Network: View Properties | Permission to view the properties of an organization VDC network. See Configuring Organization Virtual Datacenter Network Services. |
Organization vDC Storage Profile: Set Default | Permission to change the default storage profile for an organization VDC. See Add a VM Storage Policy to a Provider Virtual Data Center. |
Organization vDC: Edit | Permission to change the configuration of an organization VDC. |
Organization vDC: Edit ACL | Permission to create or update VDC access controls. (API only.) |
Organization vDC: Manage Firewall | Permission to manage firewall rules on an Edge Gateway that is not an advanced gateway. |
Organization vDC: View ACL | Permission to view VDC access controls. (API only.) |
Organization: Edit Association Settings | Permission to create or modify an association with another organization. See Configuring and Managing Multisite Deployments. |
Organization: Edit Federation Settings | Permission to modify organization federation (IDP) settings. |
Organization: Edit Leases Policy | Permission to modify default storage and runtime leases for vApps. See Modify Organization Lease, Quota, and Limit Settings. |
Organization: Edit OAuth Settings | Permission to create or modify organization OAUTH IDP settings. |
Organization: Edit Password Policy | Permission to create or modify organization password policies. |
Organization: Edit Properties | Permission to modify organization properties. See Editing Organization Properties. |
Organization: Edit Quotas Policy | Permission to modify organization quotas for VMs. See Modify Organization Lease, Quota, and Limit Settings. |
Organization: Edit SMTP Settings | Permission to modify organization SMTP (e-mail) policies. See Configure SMTP Settings. |
Organization: Import User/Group from IdP while Editing VDC ACL | Unused by vCloud Director. |
Role: Create, Edit, Delete, or Copy | Permission to create or modify roles in your organization. See Create, Update, or Delete a Role. |
Service Library: View service libraries | See the vCloud Director Service Provider Portal Guide. |
VDC Template: Instantiate | Permission to create an organization VDC from a template. See Instantiate an Organization Virtual Data Center Template. |
VDC Template: View | Permission to view an organization VDC template. See Instantiate an Organization Virtual Data Center Template. |