Each vCloud Director predefined role contains a default set of rights required to perform operations included in common workflows. With the exception of the System Administrator role, each predefined role exists in every organization in the system.

Predefined Provider Roles

By default, the only provider roles local to the Provider organization are the System Administrator and Multisite System roles. System administrators can create additional custom provider roles.

System Administrator

The System Administrator role exists only in the Provider organization. The System Administrator role includes all rights. System administrator credentials are established during installation and configuration. A system administrator can create additional system administrator and user accounts in the Provider organization.

Multisite System

This role is used for running the heartbeat process in multisite deployments. It has only a single right, Multisite: System Operations, which gives it permission to make the vCloud API request that retrieves the status of the remote member of a site association.

Predefined Global Tenant Roles

By default, the predefined global tenant roles and the rights they contain are published to all organizations. System administrators can unpublish rights and global tenant roles from individual organizations. System administrators can edit or delete predefined global tenant roles. System administrators can create and publish additional global tenant roles.

Organization Administrator

After creating an organization, a system administrator can assign the role of organization administrator to any user in the organization. A user with the predefined Organization Administrator role can use the vCloud Director Web Console, tenant portal, or vCloud API to manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. An Organization Administrator can use the vCloud API to create or update role objects that are local to the organization. Roles created or modified by an Organization Administrator are not visible to other organizations.

Catalog Author

The rights associated with the predefined Catalog Author role allow a user to create and publish catalogs.

vApp Author

The rights associated with the predefined vApp Author role allow a user to use catalogs and create vApps.

vApp User

The rights associated with the predefined vApp User role allow a user to use existing vApps.

Console Access Only

The rights associated with the predefined Console Access Only role allow a user to view virtual machine state and properties and to use the guest OS.

Defer to Identity Provider

Rights associated with the predefined Defer to Identity Provider role are determined based on information received from the user's OAuth or SAML Identity Provider. To qualify for inclusion when a user or group is assigned the Defer to Identity Provider role, a role or group name supplied by the Identity Provider must be an exact, case-sensitive match for a role or group name defined in your organization.

  • If the user is defined by an OAuth Identity Provider, the user will be assigned the roles named in the roles array of the user's OAuth token.

  • If the user is defined by a SAML Identity Provider, the user will be assigned the roles named in the SAML attribute whose name appears in the RoleAttributeName element, which is in the SamlAttributeMapping element in the organization's OrgFederationSettings.

If a user is assigned the Defer to Identity Provider role but no matching role or group name is available in your organization, the user can log in to the organization but has no rights. If an Identity Provider associates a user with a system-level role such as System Administrator, the user can log in to the organization but has no rights. You must manually assign a role to such users.
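As an added illustration (not VMware's code), the matching rule described above modelled in Python: the OAuth token, SAML attributes, RoleAttributeName value and organization role list are all constructed for the example.

```python
"""Models how the Defer to Identity Provider role turns IdP-supplied role
names into organization roles. Added example; all data is constructed."""
from typing import Dict, Iterable, List, Optional

# Constructed: roles defined in a tenant organization.
ORG_ROLES = {"Organization Administrator", "Catalog Author", "vApp Author",
             "vApp User", "Console Access Only"}

# Roles that exist only in the Provider organization. An IdP claim naming one
# of these yields a login with no rights inside a tenant organization.
SYSTEM_LEVEL_ROLES = {"System Administrator", "Multisite System"}


def idp_role_names(oauth_token: Optional[dict] = None,
                   saml_attributes: Optional[Dict[str, List[str]]] = None,
                   role_attribute_name: str = "Roles") -> List[str]:
    """Collect the role names the Identity Provider asserted.

    OAuth: the token's 'roles' array.  SAML: the attribute whose name is the
    RoleAttributeName from the organization's SamlAttributeMapping (the
    default 'Roles' here is an assumption for the example)."""
    if oauth_token is not None:
        return list(oauth_token.get("roles", []))
    if saml_attributes is not None:
        return list(saml_attributes.get(role_attribute_name, []))
    return []


def resolve_deferred_roles(asserted: Iterable[str], org_roles: set) -> List[str]:
    """Keep only names that are an exact, case-sensitive match for a role in
    the organization. System-level names are dropped explicitly so the
    outcome is visible even if someone passes a provider role set."""
    matched = []
    for name in asserted:
        if name in SYSTEM_LEVEL_ROLES:
            continue
        if name in org_roles:  # no .lower(), no .strip(): the match is literal
            matched.append(name)
    return matched


def login_outcome(asserted: Iterable[str], org_roles: set) -> dict:
    """Login succeeds either way; with no match the user holds no rights until
    an administrator assigns a role manually."""
    roles = resolve_deferred_roles(asserted, org_roles)
    return {"can_log_in": True, "roles": roles, "has_rights": bool(roles)}
```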

With the exception of the Defer to Identity Provider role, each predefined role includes a set of default rights. Only a system administrator can modify the rights in a predefined role. If a system administrator modifies a predefined role, the modifications propagate to all instances of the role in the system.

Rights in Predefined Global Tenant Roles

Rights Included in Multiple Predefined Roles

A number of rights are common to many predefined global roles. These rights are granted by default to all new organizations, and are available for use in other roles created by the organization administrator.

Table 1. Rights Included in Multiple Predefined Roles

Roles compared: Organization Administrator, Catalog Author, vApp Author, vApp User, Console Access Only. Each right is listed with the number of these five roles that include it by default.

Catalog: Share a Catalog to Other Organizations (2 of 5 roles)
Catalog: Share a Catalog to Users / Groups within Current Organization (2 of 5 roles)
Catalog: Change Owner (1 of 5 roles)
Catalog: Allow External Publishing / Subscriptions for the Catalogs (2 of 5 roles)
Catalog: View Private and Shared Catalogs within Current Organization (3 of 5 roles)
Catalog: Edit Catalogs Properties (2 of 5 roles)
Catalog: View Shared Catalogs from Other Organizations (1 of 5 roles)
Catalog: Create / Delete a Catalog (2 of 5 roles)
Catalog: Add a vApp from My Cloud (3 of 5 roles)
Catalog Item: Copy / Move a vApp Template / Media (2 of 5 roles)
Catalog Item: Add to My Cloud (2 of 5 roles)
Catalog Item: Create / Upload a vApp Template / Media (2 of 5 roles)
Catalog Item: Edit vApp Template / Media (2 of 5 roles)
Catalog Item: View vApp Templates / Media (2 of 5 roles)
Catalog Item: Enable vApp Template / Media Download (2 of 5 roles)
Custom Entity: View All Custom Entity Instances in Organization (1 of 5 roles)
Custom Entity: View Custom Entity Instance (1 of 5 roles)
Disk: View Disk Properties (4 of 5 roles)
Disk: Create a Disk (3 of 5 roles)
Disk: Change Owner (2 of 5 roles)
Disk: Edit Disk Properties (3 of 5 roles)
Disk: Delete a Disk (3 of 5 roles)
Distributed Firewall: View Distributed Firewall Rules (1 of 5 roles)
Distributed Firewall: Configure Distributed Firewall Rules (1 of 5 roles)
Distributed Firewall: Enable / Disable Distributed Firewall (1 of 5 roles)
Gateway: Convert to Advanced Gateway (1 of 5 roles)
Gateway: View Gateway (1 of 5 roles)
Gateway: Enable Distributed Routing (1 of 5 roles)
Gateway: Configure Syslog Server (1 of 5 roles)
Gateway: Configure System Logging (1 of 5 roles)
Gateway Services: Firewall Configure (1 of 5 roles)
Gateway Services: Firewall View Only (1 of 5 roles)
Gateway Services: NAT Configure (1 of 5 roles)
Gateway Services: NAT View Only (1 of 5 roles)
Gateway Services: Load Balancer Configure (1 of 5 roles)
Gateway Services: Load Balancer View Only (1 of 5 roles)
Gateway Services: IPSEC VPN Configure (1 of 5 roles)
Gateway Services: IPSEC VPN View Only (1 of 5 roles)
Gateway Services: DHCP Configure (1 of 5 roles)
Gateway Services: DHCP View Only (1 of 5 roles)
Gateway Services: Static Routing Configure (1 of 5 roles)
Gateway Services: Static Routing View Only (1 of 5 roles)
Gateway Services: OSPF Routing Configure (1 of 5 roles)
Gateway Services: OSPF Routing View Only (1 of 5 roles)
Gateway Services: BGP Routing Configure (1 of 5 roles)
Gateway Services: BGP Routing View Only (1 of 5 roles)
Gateway Services: Remote Access Configure (1 of 5 roles)
Gateway Services: Remote Access View Only (1 of 5 roles)
Gateway Services: SSL VPN Configure (1 of 5 roles)
Gateway Services: SSL VPN View Only (1 of 5 roles)
Gateway Services: L2 VPN Configure (1 of 5 roles)
Gateway Services: L2 VPN View Only (1 of 5 roles)
General: Send Notification (1 of 5 roles)
General: Administrator Control (1 of 5 roles)
General: Administrator View (1 of 5 roles)
Hybrid Tunnel: View To-the-Cloud Tunnel (1 of 5 roles)
Hybrid Tunnel: Acquire Control Ticket (1 of 5 roles)
Hybrid Tunnel: Delete From-the-Cloud Tunnel (1 of 5 roles)
Hybrid Tunnel: Acquire From-the-Cloud Tunnel Ticket (1 of 5 roles)
Hybrid Tunnel: Acquire To-the-Cloud Tunnel Ticket (1 of 5 roles)
Hybrid Tunnel: Create To-the-Cloud Tunnel (1 of 5 roles)
Hybrid Tunnel: Create From-the-Cloud Tunnel (1 of 5 roles)
Hybrid Tunnel: Delete To-the-Cloud Tunnel (1 of 5 roles)
Hybrid Tunnel: View From-the-Cloud Tunnel (1 of 5 roles)
Hybrid Tunnel: Update From-the-Cloud Tunnel Endpoint Tag (1 of 5 roles)
Organization VDC Network: Edit Properties (1 of 5 roles)
Organization VDC Network: View Properties (1 of 5 roles)
Organization: View Organizations (3 of 5 roles)
Organization: Edit Organization OAuth Settings (1 of 5 roles)
Organization: Edit Quotas Policy (1 of 5 roles)
Organization: Edit Leases Policy (1 of 5 roles)
Organization: Edit Organization Properties (1 of 5 roles)
Organization: Allow Access to All Organization VDCs (1 of 5 roles)
Organization: View Access Control List of Organization VDCs (1 of 5 roles)
Organization: View Organization Networks (1 of 5 roles)
Organization: View Organization Network Properties (1 of 5 roles)
Organization: Edit Federation Settings (1 of 5 roles)
Organization: Implicitly Import User/Group from IdP while Editing VDC ACL (1 of 5 roles)
Organization: Edit Organization Associations (1 of 5 roles)
Organization: View Catalog ACL (2 of 5 roles)
Organization: Edit Password Policy (1 of 5 roles)
Organization: View vApp ACL (2 of 5 roles)
Organization: Edit SMTP Settings (1 of 5 roles)
Organization vDC: View Organization VDCs (1 of 5 roles)
Organization vDC: Edit VM-VM Affinity Rule (3 of 5 roles)
Organization vDC: Set Default Storage Policy (1 of 5 roles)
Organization vDC: Edit Organization VDC Name and Description (1 of 5 roles)
Organization vDC: Manage Firewall (1 of 5 roles)
Organization vDC: View Compute Policies for an Organization VDC (1 of 5 roles)
Role: Create / Update / Delete a Role (1 of 5 roles)
Service Library: View Services Making Up the Service Library (1 of 5 roles)
User: View Group / User (1 of 5 roles)
VCD Extension: View Tenant Portal Plugin Information (4 of 5 roles)
Organization VDC Template: View Organization VDC Templates (1 of 5 roles)
Organization VDC Template: Instantiate Organization VDC Templates (1 of 5 roles)
VM Group: View VM Group in VDC (1 of 5 roles)
VM Group: Remove VM Group from VDC (1 of 5 roles)
VM Group: Add VM Group to VDC (1 of 5 roles)
VM Monitoring: View Historic Metrics for the Organization (1 of 5 roles)
VM Monitoring: View Historic Metrics for the Organization VDC (1 of 5 roles)
vApp: Upload a vApp (3 of 5 roles)
vApp: Edit vApp Properties (4 of 5 roles)
vApp: Manage VM Password Settings (5 of 5 roles)
vApp: Create / Reconfigure vApp (3 of 5 roles)
vApp: Edit VM Hard Disk (3 of 5 roles)
vApp: Start / Stop / Suspend / Reset a vApp (4 of 5 roles)
vApp: Edit VM CPU (3 of 5 roles)
vApp: Change Owner (1 of 5 roles)
vApp: Edit VM Network (4 of 5 roles)
vApp: Access to VM Console (5 of 5 roles)
vApp: Share a vApp (4 of 5 roles)
vApp: Allow Metadata Mapping Domain to vCenter Server (3 of 5 roles)
vApp: Edit / View VM Boot Options (3 of 5 roles)
vApp: Download a vApp (3 of 5 roles)
vApp: Copy a vApp (4 of 5 roles)
vApp: Edit VM Memory (3 of 5 roles)
vApp: Delete a vApp (4 of 5 roles)
vApp: Edit VM Properties (4 of 5 roles)
vApp: Create / Revert / Remove a Snapshot (4 of 5 roles)
vApp: View VM Metrics (3 of 5 roles)
VDC Group: Configure VDC Group (1 of 5 roles)
VDC Group: View VDC Group (1 of 5 roles)