The organization and service user roles that are defined for the vRealize Automation Cloud Assembly, vRealize Automation Service Broker, and vRealize Automation Code Stream services determine what the user can see and do in each service.

Organization User Roles

User roles are defined for the organization in the vRealize Automation console by an organization owner. There are two types of roles, organization roles and service roles.

The organization roles are global and apply to all services in the organization. The organization-level roles are the Organization Owner role and the Organization Member role.

For more information about the organization roles, see Administering vRealize Automation.

The vRealize Automation Cloud Assembly service roles, which are service-specific permissions, are also assigned at the organization level in the console.

Service Roles

These service roles are assigned by the organization owner.

This article includes information about the following services.

Cloud Assembly Service Roles

The vRealize Automation Cloud Assembly service roles determine what you can see and do in vRealize Automation Cloud Assembly. These service roles are defined in the console by an organization owner.

Table 1. vRealize Automation Cloud Assembly Service Role Descriptions
Role Description
Cloud Assembly Administrator A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including add cloud accounts, create new projects, and assign a project administrator.
Cloud Assembly User A user who does not have the Cloud Assembly Administrator role.

In a vRealize Automation Cloud Assembly project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator.

Cloud Assembly Viewer A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects.

Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does.

In addition to the service roles, vRealize Automation Cloud Assembly has project roles. Any project is available in all of the services.

The project roles are defined in vRealize Automation Cloud Assembly and can vary between projects.

In the following tables, which tell you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.

The descriptions of project roles will help you decide what permissions to give your users.

  • Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work.
  • Project members work within their projects to design and deploy cloud templates.
  • Project viewers are restricted to read-only access, except in a few cases where they can do non-destructive things like download cloud templates.
Table 2. vRealize Automation Cloud Assembly service roles and project roles
UI Context Task Cloud Assembly Administrator Cloud Assembly Viewer Cloud Assembly User

User must be a project administrator or member to see and do project-related tasks.

Project Administrator Project Member Project Viewer
Access Cloud Assembly
Console In the vRA console, you can see and open Cloud Assembly Yes Yes Yes Yes Yes
Infrastructure
See and open the Infrastructure tab Yes Yes Yes Yes Yes
Configure - Projects Create projects Yes
Update, or delete values from project summary, provisioning, Kubernetes, integrations, and test project configurations. Yes
Add users and groups, and assign roles in projects. Yes Yes. Your projects.
View projects Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Configure - Cloud Zones Create, update, or delete cloud zones Yes
View cloud zones Yes Yes
View cloud zone Insights dashboard Yes Yes
View cloud zones alerts Yes Yes
Configure - Kubernetes Zones Create, update, or delete Kubernetes zones Yes
View Kubernetes zones Yes Yes
Configure - Flavors Create, update, or delete flavors Yes
View flavors Yes Yes
Configure - Image Mappings Create, update, or delete image mappings Yes
View image mappings Yes Yes
Configure - Network Profiles Create, update, or delete network profiles Yes
View network profiles Yes Yes
Configure - Storage Profiles Create, update, or delete storage profiles Yes
View storage profiles Yes Yes
Configure - Pricing Cards Create, update, or delete pricing cards Yes
View the pricing cards Yes Yes
Configure - Tags Create, update, or delete tags Yes
View tags Yes Yes
Resources - Compute Add tags to discovered compute resources Yes
View discovered compute resources Yes Yes
Resources - Networks Modify network tags, IP ranges, IP addresses Yes
View discovered network resources Yes Yes
Resources - Security Add tags to discovered security groups Yes
View discovered security groups Yes Yes
Resources - Storage Add tags to discovered storage Yes
View storage Yes Yes
Resources - Machines Add and delete machines Yes
View machines Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Resources - Volumes Delete discovered storage volumes Yes
View discovered storage volumes Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects.
Resources - Kubernetes Deploy or add Kubernetes clusters, and create or add namespaces Yes
View Kubernetes clusters and namespaces Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Activity - Requests Delete deployment request records Yes
View deployment request records Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Activity - Event Logs View event logs Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Connections - Cloud Accounts Create, update, or delete cloud accounts Yes
View cloud accounts Yes Yes
Connections - Integrations Create, update, or delete integrations Yes
View integrations Yes Yes
Onboarding Create, update, or delete onboarding plans Yes
View onboarding plans Yes Yes Yes. Your projects
Marketplace
See and open the Marketplace tab Yes Yes
Use the downloaded cloud templates on the Design tab Yes Yes. If associated with your projects. Yes. If associated with your projects.
Marketplace - Cloud Templates Download a cloud template Yes
View the cloud templates Yes Yes
Marketplace - Images Download images Yes
View images Yes Yes
Marketplace - Downloads View the log of all downloaded items Yes Yes
Extensibility
See and open the Extensibility tab Yes Yes Yes
Events View extensibility events Yes Yes
Subscriptions Create, update, or delete extensibility subscriptions Yes
Deactivate subscriptions Yes
View subscriptions Yes Yes
Library - Event topics View event topics Yes Yes
Library - Actions Create, update, or delete extensibility actions Yes
View extensibility actions Yes Yes
Library - Workflows View extensibility workflows Yes Yes
Activity - Action Runs Cancel or delete extensibility action runs Yes
View extensibility action runs Yes Yes Yes. Your projects
Activity - Workflow Runs View extensibility workflow runs Yes Yes
Design
Design Open the Design tab and see a list of cloud templates Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Cloud Templates Create, update, and delete cloud templates Yes Yes. Your projects Yes. Your projects
View cloud templates Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Download cloud templates Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Upload cloud templates Yes Yes. Your projects Yes. Your projects
Deploy cloud templates Yes Yes. Your projects Yes. Your projects
Version and restore cloud templates Yes Yes. Your projects Yes. Your projects
Release cloud templates to the catalog Yes Yes. Your projects Yes. Your projects
Custom Resources Create, update or delete custom resources Yes
View custom resources Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Custom Actions Create, update, or delete custom actions Yes
View custom actions Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Deployments
See and open the Deployments tab Yes Yes Yes Yes Yes

View deployments, including deployment details, deployment history, price, monitor, alerts, optimize, and troubleshooting information

Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Manage alerts Yes Yes. Your project Yes. Your project
Run day 2 actions on deployments based on policies Yes Yes. Your projects Yes. Your projects
Alerts
See and open the Alerts tab Yes Yes Yes Yes Yes
Manage alerts Yes Yes. Your projects Yes. Your projects
View alerts Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects

Service Broker Service Roles

The vRealize Automation Service Broker service roles determine what you can see and do in vRealize Automation Service Broker. These service roles are defined in the console by an organization owner.

Table 3. Service Broker Service Role Descriptions
Role Description
Service Broker Administrator Must have read and write access to the entire user interface and API resources. This is the only user role that can perform all tasks, including creating a new project and assigning a project administrator.
Service Broker User Any user who does not have the vRealize Automation Service Broker Administrator role.

In a vRealize Automation Service Broker project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator.

Service Broker Viewer A user who has read access to see information but cannot create, update, or delete values.

Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does.

In addition to the service roles, vRealize Automation Service Broker has project roles. Any project is available in all of the services.

The project roles are defined in vRealize Automation Service Broker and can vary between projects.

In the following tables, which tell you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.

Use the following descriptions of project roles to help you decide what permissions to give your users.

  • Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work.
  • Project members work within their projects to design and deploy cloud templates.
  • Project viewers are restricted to read-only access.
Table 4. Service Broker Service Roles and Project Roles
UI Context Task Service Broker Administrator Service Broker Viewer Service Broker User

User must be a project administrator to see and do project-related tasks.

Project Administrator Project Member Project Viewer
Access Service Broker
Console In the console, you can see and open Service Broker Yes Yes Yes Yes Yes
Infrastructure
See and open the Infrastructure tab Yes Yes
Configure - Projects Create projects Yes
Update, or delete values from project summary, provisioning, Kubernetes, integrations, and test project configurations. Yes
Add users and groups, and assign roles in projects. Yes Yes. Your projects.
View projects Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Configure - Cloud Zones Create, update, or delete cloud zones Yes
View cloud zones Yes Yes
Configure - Kubernetes Zones Create, update, or delete Kubernetes zones Yes
View Kubernetes zones Yes Yes
Connections - Cloud Accounts Create, update, or delete cloud accounts Yes
View cloud accounts Yes Yes
Connections - Integrations Create, update, or delete integrations Yes
View integrations Yes Yes
Activity - Requests Delete deployment request records Yes
View deployment request records Yes
Activity - Event Logs View event logs Yes
Content and Policies
See and open the Content and Policies tab Yes Yes
Content Sources Create, update, or delete content sources Yes
View content sources Yes Yes
Content Sharing Add or remove shared content Yes
View shared content Yes Yes
Content Customize form and configure item Yes
View content Yes Yes
Policies - Definitions Create, update, or delete policy definitions Yes
View policy definitions Yes Yes
Policies - Enforcement View enforcement log Yes Yes
Notifications - Email Server Configure an email server Yes
Catalog
See and open the Catalog tab Yes Yes Yes Yes Yes
View available catalog items Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Request a catalog item Yes Yes. Your projects Yes. Your projects
Deployments
See and open the Deployments tab Yes Yes Yes Yes Yes

View deployments, including deployment details, deployment history, price, monitor, alerts, optimize, and troubleshooting information

Yes Yes Yes. Your projects Yes. Your projects Yes. Your projects
Manage alerts Yes Yes. Your projects Yes. Your projects
Run day 2 actions on deployments based on policies Yes Yes. Your projects Yes. Your projects
Approvals
See and open the Approvals tab Yes Yes Yes Yes Yes
Respond to approval requests Yes Service Broker user role only Service Broker user role only Service Broker user role only

Code Stream Service Roles

The vRealize Automation Code Stream service roles determine what you can see and do in vRealize Automation Code Stream. These roles are defined in the console by the organization owner. Any project is available in all of the services.

Table 5. Code Stream Service Role Descriptions
Role Description
Code Stream Administrator A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including create projects, integrate endpoints, add triggers, create pipelines and custom dashboards, mark endpoints and variables as restricted resources, run pipelines that use restricted resources, and request that pipelines be published in vRealize Automation Service Broker.
Code Stream Developer A user who can work with pipelines, but cannot work with restricted endpoints or variables. If a pipeline includes a restricted endpoint or variable, this user must obtain approval on the pipeline task that uses the restricted endpoint or variable.
Code Stream Executor A user who can run pipelines and approve or reject user operation tasks. This user can resume, pause, and cancel pipeline executions, but cannot modify pipelines.
Code Stream User A user who can access vRealize Automation Code Stream, but does not have any other privileges in vRealize Automation Code Stream.
Code Stream Viewer A user who has read access to see pipelines, endpoints, pipeline executions, and dashboards, but cannot create, update, or delete them. A user who also has the Service viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does.

In addition to the service roles, vRealize Automation Code Stream has project roles. Any project is available in all the services.

The project roles are defined in vRealize Automation Code Stream and can vary between projects.

In the following tables, which tell you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.

Use the following descriptions of project roles to help you decide what permissions to give your users.

  • Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work. The project administrator can add members.
  • Project members who have a service role can use services.
  • Project viewers can see projects but cannot create, update, or delete them.

All actions except restricted means this role has permission to perform create, read, update, and delete actions on entities except for restricted variables and endpoints.

Table 6. vRealize Automation Code Stream service role capabilities
UI Context Capabilities Code Stream Administrator role Code Stream Developer role Code Stream Executor role Code Stream Viewer role Code Stream User role
Pipelines
View pipelines Yes Yes Yes Yes
Create pipelines Yes Yes
Run pipelines Yes Yes Yes
Run pipelines that include restricted endpoints or variables Yes
Update pipelines Yes Yes
Delete pipelines Yes Yes
Pipeline Executions
View pipeline executions Yes Yes Yes Yes
Resume, pause, and cancel pipeline executions Yes Yes Yes
Resume pipelines that stop for approval on restricted resources Yes
Custom Integrations
Create custom integrations Yes Yes
Read custom integrations Yes Yes Yes Yes
Update custom integrations Yes Yes
Endpoints
View executions Yes Yes Yes Yes
Create executions Yes Yes
Update executions Yes Yes
Delete executions Yes Yes
Mark resources as restricted
Mark an endpoint or variable as restricted Yes
Dashboards
View dashboards Yes Yes Yes Yes
Create dashboards Yes Yes
Update dashboards Yes Yes
Delete dashboards Yes Yes

vRA Migration Assistant Service Roles

The vRA Migration Assistant service roles determine what you can see and do in vRA Migration Assistant and Cloud Assembly. These service roles are defined in the console by an organization owner.

Table 7. vRealize Automation Migration Assistant Service Roles Descriptions
Role Description
Migration Assistant Administrator A user who has full view, update, and delete privileges in the vRA Migration Assistant and Cloud Assembly.

This role must also have at least the Cloud Assembly Viewer role.

Migration Assistant Viewer A user who has read access to see information but cannot create, update, or delete values in vRA Migration Assistant or in Cloud Assembly.

This role must also have at least the Cloud Assembly Viewer role.

Orchestrator Service Roles

The Orchestrator service roles determine what you can see and do in vRealize Orchestrator Client. These service roles are defined in the console by an organization owner.

Table 8. vRealize Orchestrator Service Roles Descriptions
Role Description
Orchestrator Administrator A user who has full view, update, and delete privileges in vRealize Orchestrator. An administrator can also access the content created by specific groups.
Orchestrator Viewer A user who has read access to see features and content, including all groups and group content, but cannot create, update, run, delete values, or export content.
Orchestrator Workflow Designer A user who can create, run, edit, and delete their own vRealize Orchestrator Client content. They can add their own content to their assigned group. The workflow designer does not have access to the administration and troubleshooting features of the vRealize Orchestrator Client.

SaltStack Config Service Role

The SaltStack Config service role determines what you can see and do in vRealize Automation. This service role is defined in the console by an organization owner.

Table 9. vRealize Automation SaltStack Config Service Role Description
Role Description
SaltStack Config Administrator A user who can access the SaltStack Config tile on the console when the integration with Cloud Assembly is configured. To log in on the SaltStack Config instance, the user must have SaltStack administrator permissions that are defined in SaltStack Config.

The user must also have the Cloud Assembly Administrator role.
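
The following Python audit is an added example, not part of the VMware documentation. It checks an exported role-assignment list against the prerequisites stated in Tables 7 and 9 and lists the users who hold a service-wide read and write role. The `user,role` CSV layout and the sample users are constructed, and reading "at least the Cloud Assembly Viewer role" as Viewer or Administrator is an assumption.

```python
import csv
import io

CA_ADMIN = "Cloud Assembly Administrator"
CA_VIEWER = "Cloud Assembly Viewer"

# Role -> roles of which the user must hold at least one (Tables 7 and 9).
# Assumption: "at least the Cloud Assembly Viewer role" is read as
# Cloud Assembly Viewer or Cloud Assembly Administrator.
PREREQUISITES = {
    "Migration Assistant Administrator": {CA_VIEWER, CA_ADMIN},
    "Migration Assistant Viewer": {CA_VIEWER, CA_ADMIN},
    "SaltStack Config Administrator": {CA_ADMIN},
}

# Roles the page describes as having read and write access to the entire
# user interface and API resources of their service.
FULL_ACCESS = {CA_ADMIN, "Service Broker Administrator", "Code Stream Administrator"}

# Constructed sample export (hypothetical "user,role" CSV layout).
SAMPLE_EXPORT = """user,role
alice,Cloud Assembly Administrator
alice,SaltStack Config Administrator
bob,Migration Assistant Viewer
carol,Migration Assistant Administrator
carol,Cloud Assembly Viewer
dave,SaltStack Config Administrator
dave,Cloud Assembly Viewer
erin,Code Stream Administrator
"""

def load_assignments(text):
    """Parse the CSV export into {user: set of service role names}."""
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        roles.setdefault(row["user"].strip(), set()).add(row["role"].strip())
    return roles

def missing_prerequisites(assignments):
    """Return sorted (user, role, acceptable prerequisite roles) findings."""
    findings = []
    for user, held in assignments.items():
        for role in held.intersection(PREREQUISITES):
            needed = PREREQUISITES[role]
            if not held & needed:
                findings.append((user, role, tuple(sorted(needed))))
    return sorted(findings)

def full_access_holders(assignments):
    """Return {user: full-access roles held}, the accounts to review first."""
    return {u: sorted(h & FULL_ACCESS) for u, h in assignments.items() if h & FULL_ACCESS}

if __name__ == "__main__":
    assignments = load_assignments(SAMPLE_EXPORT)
    for user, role, needed in missing_prerequisites(assignments):
        print(f"{user}: {role} requires one of: {', '.join(needed)}")
    for user, roles in sorted(full_access_holders(assignments).items()):
        print(f"{user}: full-access roles: {', '.join(roles)}")
```

Because SaltStack Config Administrator requires Cloud Assembly Administrator, every user granted it also appears in the full-access list once the prerequisite is met.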