As an organization owner, you can assign users organization roles and service roles. The roles determine what the users can do or see. Then, in the services, the service administrator can assign project roles. To determine the role that you want to assign, evaluate the tasks in the following tables.

Cloud Assembly Service Roles

The Cloud Assembly service roles determine what you can see and do in Cloud Assembly. These service roles are defined in the console by an organization owner.

Table 1. Cloud Assembly Service Role Descriptions
Role Description
Cloud Assembly Administrator A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including add cloud accounts, create new projects, and assign a project administrator.
Cloud Assembly User A user who does not have the Cloud Assembly Administrator role.

In a Cloud Assembly project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator.

Cloud Assembly Viewer A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services.

Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to that project role. The project viewer role does not extend their permissions the way that the project administrator or member role does.

In addition to the service roles, Cloud Assembly has project roles. Any project is available in all of the services.

The project roles are defined in Cloud Assembly and can vary between projects.

In the following tables, which tell you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.

The descriptions of project roles will help you decide what permissions to give your users.

  • Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work.
  • Project members work within their projects to design and deploy cloud templates. Your projects can include only resources that you own or resources that are shared with other project members.
  • Project viewers are restricted to read-only access, except in a few cases where they can do non-destructive things like download cloud templates.
  • Project supervisors are approvers in Service Broker for their projects where an approval policy is defined with a project supervisor approver. To provide the supervisor with context for approvals, consider also granting them the project member or viewer role.
Table 2. Cloud Assembly service roles and project roles
UI Context Task Cloud Assembly Administrator Cloud Assembly Viewer Cloud Assembly User

User must be a project administrator or member to see and do project-related tasks.

Project Administrator Project Member Project Viewer Project Supervisor
Access Cloud Assembly
Console In the vRA console, you can see and open Cloud Assembly Yes Yes Yes Yes Yes Yes
Infrastructure
See and open the Infrastructure tab Yes Yes Yes Yes Yes Yes
Administration - Projects Create projects Yes
Update, or delete values from project summary, provisioning, Kubernetes, integrations, and test project configurations. Yes
Add users and groups, and assign roles in projects. Yes Yes. Your projects.
View projects Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects Yes. Your projects
Administration - Users and Groups View the users and groups assigned to custom roles. Yes
Administration - Custom Roles Create custom user roles and assign them to users and groups. Yes
Administration - Custom Names Create custom resource names. Yes
Administration - Secrets Create and delete secret reusable properties. Yes
Administration - Settings Turn on or off internal settings. Yes
Configure - Cloud Zones Create, update, or delete cloud zones Yes
View cloud zones Yes Yes
View cloud zone Insights dashboard Yes Yes
View cloud zones alerts Yes Yes
Configure - Kubernetes Zones Create, update, or delete Kubernetes zones Yes
View Kubernetes zones Yes Yes
Configure - Flavors Create, update, or delete flavors Yes
View flavors Yes Yes
Configure - Image Mappings Create, update, or delete image mappings Yes
View image mappings Yes Yes
Configure - Network Profiles Create, update, or delete network profiles Yes
View image network profiles Yes Yes
Configure - Storage Profiles Create, update, or delete storage profiles Yes
View image storage profiles Yes Yes
Configure - Pricing Cards Create, update, or delete pricing cards Yes
View the pricing cards Yes Yes
Configure - Tags Create, update, or delete tags Yes
View tags Yes Yes
Resources - Compute Add tags to discovered compute resources Yes
View discovered compute resources Yes Yes
Resources - Networks Modify network tags, IP ranges, IP addresses Yes
View discovered network resources Yes Yes
Resources - Security Add tags to discovered security groups Yes
View discovered security groups Yes Yes
Resources - Storage Add tags to discovered storage Yes
View storage Yes Yes
Resources - Kubernetes Deploy or add Kubernetes clusters, and create or add namespaces Yes
View Kubernetes clusters and namespaces Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Activity - Requests Delete deployment request records Yes
View deployment request records Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Activity - Event Logs View event logs Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Connections - Cloud Accounts Create, update, or delete cloud accounts Yes
View cloud accounts Yes Yes
Connections - Integrations Create, update, or delete integrations Yes
View integrations Yes Yes
Onboarding Create, update, or delete onboarding plans Yes
View onboarding plans Yes Yes. Your projects
Extensibility
See and open the Extensibility tab Yes Yes Yes
Events View extensibility events Yes Yes
Subscriptions Create, update, or delete extensibility subscriptions Yes
Deactivate subscriptions Yes
View subscriptions Yes Yes
Library - Event topics View event topics Yes Yes
Library - Actions Create, update, or delete extensibility actions Yes
View extensibility actions Yes Yes
Library - Workflows View extensibility workflows Yes Yes
Activity - Action Runs Cancel or delete extensibility action runs Yes
View extensibility action runs Yes Yes Yes. Your projects
Activity - Workflow Runs View extensibility workflow runs Yes Yes
Design
Design Open the Design tab Yes Yes Yes. Yes. Yes. Yes
Cloud Templates Create, update, and delete cloud templates Yes Yes. Your projects Yes. Your projects
View cloud templates Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Download cloud templates Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Upload cloud templates Yes Yes. Your projects Yes. Your projects
Deploy cloud templates Yes Yes. Your projects Yes. Your projects
Version and restore cloud templates Yes Yes. Your projects Yes. Your projects
Release cloud templates to the catalog Yes Yes. Your projects Yes. Your projects
Custom Resources Create, update or delete custom resources Yes
View custom resources Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Custom Actions Create, update, or delete custom actions Yes
View custom actions Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Resources
See and open the Resources tab Yes Yes Yes Yes Yes Yes
Deployments

View deployments including deployment details, deployment history, price, monitor, alerts, optimize, and troubleshooting information

Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Manage alerts Yes Yes. Your projects Yes. Your projects
Run day 2 actions on deployments based on policies Yes Yes. Your projects Yes. Your projects
Resources - All Resources View all discovered resources Yes Yes
Run day 2 actions on discovered resources.

Actions available only on machines and limited to power on and off for all machines, and remote console for vSphere machines.

Yes
Resources - All Resources View deployed, onboarded, migrated resources Yes Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
Run Day 2 actions on deployed, onboarded, and migrated resources based on policies Yes Yes Yes. Your projects. Yes. Your projects.
Resources - Virtual Machines View discovered machines Yes Yes
Run day 2 actions on discovered machines.

Actions are limited to power on and off, and remote console for vSphere machines.

Yes

Create New VM

This option is available to administrators. However, if an administrator turns on the setting, then it is available to the other user roles. To activate the option, select Infrastructure > Administration > Settings and turn on Create new resource.

By activating the option, Service Broker users can create VMs based on any image and any flavor even though they are not administrators themselves. To avoid the potential overconsumption of resources, administrators can create approval policies to reject or approve any deployment requests based on the image used or the flavor or size requested.

Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
View deployed, onboarded, and migrated resources. Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated resources based on policies Yes Yes. Your projects. Yes. Your projects.
Resources - Volumes View discovered volumes Yes Yes
No day 2 actions available
View deployed, onboarded, and migrated volumes Yes Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated volumes based on policies Yes Yes. Your projects. Yes. Your projects.
Resources - Networking and Security View discovered networks, load balancers, and security groups Yes Yes
No day 2 actions available
View deployed, onboarded, and migrated networks, load balancers, and security groups Yes Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated networks, load balancers, and security groups based on policies Yes Yes. Your projects. Yes. Your projects.
Alerts
See and open the Alerts tab Yes Yes Yes Yes Yes
Manage alerts Yes Yes. Your projects Yes. Your projects
View alerts Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects

Service Broker Service Roles

The Service Broker service roles determine what you can see and do in Service Broker. These service roles are defined in the console by an organization owner.

Table 3. Service Broker Service Role Descriptions
Role Description
Service Broker Administrator Must have read and write access to the entire user interface and API resources. This is the only user role that can perform all tasks, including creating a new project and assigning a project administrator.
Service Broker User Any user who does not have the Service Broker Administrator role.

In a Service Broker project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator.

Service Broker Viewer A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services.

Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to that project role. The project viewer role does not extend their permissions the way that the project administrator or member role does.

In addition to the service roles, Service Broker has project roles. Any project is available in all of the services.

The project roles are defined in Service Broker and can vary between projects.

In the following tables, which tell you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.

The following descriptions of project roles will help you decide what permissions to give your users.

  • Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work.
  • Project members work within their projects to design and deploy cloud templates. In the following table, "Your projects" can include only resources that you own or resources that are shared with other project members.
  • Project viewers are restricted to read-only access.
  • Project supervisors are approvers in Service Broker for their projects where an approval policy is defined with a project supervisor approver. To provide the supervisor with context for approvals, consider also granting them the project member or viewer role.
Table 4. Service Broker Service Roles and Project Roles
UI Context Task Service Broker Administrator Service Broker Viewer Service Broker User

User must be a project administrator to see and do project-related tasks.

Project Administrator Project Member Project Viewer Project Supervisor
Access Service Broker
Console In the console, you can see and open Service Broker Yes Yes Yes Yes Yes Yes
Infrastructure
See and open the Infrastructure tab Yes Yes
Administration - Projects Create projects Yes
Update, or delete values from project summary, provisioning, Kubernetes, integrations, and test project configurations. Yes
Add users and groups, and assign roles in projects. Yes Yes. Your projects.
View projects Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Administration - Custom Roles Create custom user roles and assign them to users and groups. Yes
Administration - Custom Names Create custom resource names. Yes
Administration - Secrets Create and delete secret reusable properties. Yes
Administration - Settings Turn on or off internal settings. Yes
Administration - Users and Groups View the users and groups assigned to custom roles. Yes
Configure - Cloud Zones Create, update, or delete cloud zones Yes
View cloud zones Yes Yes
Configure - Kubernetes Zones Create, update, or delete Kubernetes zones Yes
View Kubernetes zones Yes Yes
Connections - Cloud Accounts Create, update, or delete cloud accounts Yes
View cloud accounts Yes Yes
Connections - Integrations Create, update, or delete integrations Yes
View integrations Yes Yes
Activity - Requests Delete deployment request records Yes
View deployment request records Yes
Activity - Event Logs View event logs Yes
Content and Policies
See and open the Content and Policies tab Yes Yes
Content Sources Create, update, or delete content sources Yes
View content sources Yes Yes
Content Customize form and configure item Yes
View content Yes Yes
Policies - Definitions Create, update, or delete policy definitions Yes
View policy definitions Yes Yes
Policies - Enforcement View enforcement log Yes Yes
Notifications - Email Server Configure an email server Yes
Consume
See and open the Consume tab Yes Yes Yes Yes Yes Yes
Projects See and search projects Yes Yes. Your projects Yes. Your projects Yes. Your projects Yes. Your projects Yes. Your projects
Catalog See and open the Catalog page Yes Yes Yes Yes Yes Yes
View available catalog items Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Request a catalog item Yes Yes. Your projects Yes. Your projects
Deployments - Deployments

View deployments, including deployment details, deployment history, price, monitor, alerts, optimize, and troubleshooting information

Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Manage alerts Yes Yes. Your projects Yes. Your projects
Run day 2 actions on deployments based on policies Yes Yes. Your projects Yes. Your projects
Deployments - Resources View all discovered resources Yes Yes
Run day 2 actions on discovered resources.

Actions available only on machines and limited to power on and off for all machines, and remote console for vSphere machines.

Yes
Deployments - All Resources View deployed, onboarded, migrated resources Yes Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
Run Day 2 actions on deployed, onboarded, and migrated resources based on policies Yes Yes Yes. Your projects. Yes. Your projects.
Deployments - Virtual Machines View discovered machines Yes Yes
Run day 2 actions on discovered machines.

Actions are limited to power on and off, and remote console for vSphere machines.

Yes

Create New VM

This option is available in Service Broker if your administrator activates the option. To activate the option, select Infrastructure > Administration > Settings.

By activating the option, Service Broker users can create VMs based on any image and any flavor even though they are not administrators themselves. To avoid the potential overconsumption of resources, administrators can create approval policies to reject or approve any deployment requests based on the image used or the flavor or size requested.

Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
View deployed, onboarded, and migrated resources. Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated resources based on policies Yes Yes. Your projects. Yes. Your projects.
Deployments - Volumes View discovered volumes Yes Yes
No day 2 actions available
View deployed, onboarded, and migrated volumes Yes Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated volumes based on policies Yes Yes. Your projects. Yes. Your projects.
Deployments - Networking and Security View discovered networks, load balancers, and security groups Yes Yes
No day 2 actions available
View deployed, onboarded, and migrated networks, load balancers, and security groups Yes Yes Yes. Your projects. Yes. Your projects. Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated networks, load balancers, and security groups based on policies Yes Yes. Your projects. Yes. Your projects.
Inbox
See and open the Inbox tab Yes Yes
Approvals View approval requests Yes Yes Yes Yes Yes Yes
Respond to approval requests Yes Yes. Your projects and the policy approver is Project Administrator Only if you are a named approver Only if you are a named approver Yes. Your projects and the policy approver is Project Supervisor
User Input Requests View user input requests Yes Yes Yes Yes
Respond to user input requests Yes Yes. Your projects and you are assigned to provide input Only if you are assigned to provide input
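
The role descriptions and the Create New VM note above can be turned into a periodic access review. The following is an added example, not VMware code: a simplified model of how the page says service and project roles combine, plus checks for the two recommendations the page makes (give supervisors a member or viewer role for context, and pair the Create new resource setting with approval policies). The record layout, the setting keys, and the function names are hypothetical.

```python
# Added example: a simplified model of the role rules described on this page.
# The record layout, setting keys and function names are hypothetical.
ACTING_ROLES = {"administrator", "member"}   # project roles that allow actions
CONTEXT_ROLES = {"member", "viewer"}         # suggested alongside supervisor


def can_act(user, project):
    """True if the user may change things in the given project."""
    if user["service_role"] == "administrator":
        return True                          # full read/write everywhere
    # Service viewers and users act only through a project administrator or
    # member role; the project viewer role does not extend their permissions.
    return bool(ACTING_ROLES & set(user["projects"].get(project, [])))


def review(users, settings):
    """Return (subject, finding) pairs for an access review."""
    findings = []
    for u in users:
        name = u["name"]
        if u["service_role"] == "administrator":
            findings.append((name, "service administrator: full UI and API access"))
        for project, roles in u["projects"].items():
            roles = set(roles)
            if "supervisor" in roles and not roles & CONTEXT_ROLES:
                findings.append((name, f"{project}: supervisor without member or viewer role"))
            if u["service_role"] == "viewer" and roles == {"viewer"}:
                findings.append((name, f"{project}: project viewer adds nothing to service viewer"))
    # Create new resource lets non-administrators pick any image and flavor.
    if settings.get("create_new_resource") and not settings.get("approval_policies"):
        findings.append(("settings", "Create new resource is on with no approval policy"))
    return findings


# Constructed sample data, not exported from any real system.
USERS = [
    {"name": "alice", "service_role": "administrator", "projects": {}},
    {"name": "bob", "service_role": "viewer",
     "projects": {"web": ["viewer"], "db": ["member"]}},
    {"name": "carol", "service_role": "user", "projects": {"web": ["supervisor"]}},
    {"name": "dave", "service_role": "user",
     "projects": {"web": ["supervisor", "viewer"]}},
]
SETTINGS = {"create_new_resource": True, "approval_policies": []}

if __name__ == "__main__":
    for subject, finding in review(USERS, SETTINGS):
        print(f"{subject}: {finding}")
```
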