The organization and service user roles that you defined for the Cloud Assembly, Service Broker, and Code Stream services determine what the user can see and do in each service.
Organization User Roles
User roles are defined for the organization in the vRealize Automation console by an organization owner. There are two types of roles, organization roles and service roles.
The organization roles are global and apply to all services in the organization. The organization-level roles are Organization owner or Organization Member role.
For more information about the organization roles, see Administering vRealize Automation
The Cloud Assembly service roles, which are service-specific permissions, are also assigned at the organization level in the console.
Service Roles
These service roles are assigned by the organization owner.
This article includes information about the following services.
Cloud Assembly Service Roles
The Cloud Assembly service roles determine what you can see and do in Cloud Assembly. These service roles are defined in the console by an organization owner.
| Role | Description |
|---|---|
| Cloud Assembly Administrator | A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including add cloud accounts, create new projects, and assign a project administrator. |
| Cloud Assembly User | A user who does not have the Cloud Assembly Administrator role. In a Cloud Assembly project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator. |
| Cloud Assembly Viewer | A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services. Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does. |
In addition to the service roles, Cloud Assembly has project roles. Any project is available in all of the services.
The project roles are defined in Cloud Assembly and can vary between projects.
In the following tables, which tells you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.
The descriptions of project roles will help you decide what permissions to give your users.
- Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work.
- Project members work within their projects to design and deploy cloud templates. Your projects can include only resources that you own or resources that are shared with other project members.
- Project viewers are restricted to read-only access, except in a few cases where they can do non-destructive things like download cloud templates.
- Project supervisors are approvers in Service Broker for their projects where an approval policy is defined with a project supervisor approver. To provide the supervisor with context for approvals, consider also granting them the project member or viewer role.
| UI Context | Task | Cloud Assembly Administrator | Cloud Assembly Viewer | Cloud Assembly User User must be a project administrator or member to see and do project-related tasks. |
|||
|---|---|---|---|---|---|---|---|
| Project Administrator | Project Member | Project Viewer | Project Supervisor | ||||
| Access Cloud Assembly | |||||||
| Console | In the vRA console, you can see and open Cloud Assembly | Yes | Yes | Yes | Yes | Yes | Yes |
| Infrastructure | |||||||
| See and open the Infrastructure tab | Yes | Yes | Yes | Yes | Yes | Yes | |
| Configure - Projects | Create projects | Yes | |||||
| Update, or delete values from project summary, provisioning, Kubernetes, integrations, and test project configurations. | Yes | ||||||
| Add users and groups, and assign roles in projects. | Yes | Yes. Your projects. | |||||
| View projects | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | Yes. Your projects | |
| Configure - Cloud Zones | Create, update, or delete cloud zones | Yes | |||||
| View cloud zones | Yes | Yes | |||||
| View cloud zone Insights dashboard | Yes | Yes | |||||
| View cloud zones alerts | Yes | Yes | |||||
| Configure - Kubernetes Zones | Create, update, or delete Kubernetes zones | Yes | |||||
| View Kubernetes zones | Yes | Yes | |||||
| Configure - Flavors | Create, update, or delete flavors | Yes | |||||
| View flavors | Yes | Yes | |||||
| Configure - Image Mappings | Create, update, or delete image mappings | Yes | |||||
| View image mappings | Yes | Yes | |||||
| Configure - Network Profiles | Create, update, or delete network profiles | Yes | |||||
| View image network profiles | Yes | Yes | |||||
| Configure - Storage Profiles | Create, update, or delete storage profiles | Yes | |||||
| View image storage profiles | Yes | Yes | |||||
| Configure - Pricing Cards | Create, update, or delete pricing cards | Yes | |||||
| View the pricing cards | Yes | Yes | |||||
| Configure - Tags | Create, update, or delete tags | Yes | |||||
| View tags | Yes | Yes | |||||
| Resources - Compute | Add tags to discovered compute resources | Yes | |||||
| View discovered compute resources | Yes | Yes | |||||
| Resources - Networks | Modify network tags, IP ranges, IP addresses | Yes | |||||
| View discovered network resources | Yes | Yes | |||||
| Resources - Security | Add tags to discovered security groups | Yes | |||||
| View discovered security groups | Yes | Yes | |||||
| Resources - Storage | Add tags to discovered storage | Yes | |||||
| View storage | Yes | Yes | |||||
| Resources - Kubernetes | Deploy or add Kubernetes clusters, and create or add namespaces | Yes | |||||
| View Kubernetes clusters and namespaces | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | ||
| Activity - Requests | Delete deployment request records | Yes | |||||
| View deployment request records | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | ||
| Activity - Event Logs | View event logs | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | |
| Connections - Cloud Accounts | Create, update, or delete cloud accounts | Yes | |||||
| View cloud accounts | Yes | Yes | |||||
| Connections - Integrations | Create, update, or delete integrations | Yes | |||||
| View integrations | Yes | Yes | |||||
| Onboarding | Create, update, or delete onboarding plans | Yes | |||||
| View onboarding plans | Yes | Yes. Your projects | |||||
| Extensibility | |||||||
| See and open the Extensibility tab | Yes | Yes | Yes | ||||
| Events | View extensibility events | Yes | Yes | ||||
| Subscriptions | Create, update, or delete extensibility subscriptions | Yes | |||||
| Deactivate subscriptions | Yes | ||||||
| View subscriptions | Yes | Yes | |||||
| Library - Event topics | View event topics | Yes | Yes | ||||
| Library - Actions | Create, update, or delete extensibility actions | Yes | |||||
| View extensibility actions | Yes | Yes | |||||
| Library - Workflows | View extensibility workflows | Yes | Yes | ||||
| Activity - Action Runs | Cancel or delete extensibility action runs | Yes | |||||
| View extensibility action runs | Yes | Yes | Yes. Your projects | ||||
| Activity - Workflow Runs | View extensibility workflow runs | Yes | Yes | ||||
| Design | |||||||
| Design | Open the Design tab | Yes | Yes | Yes. | Yes. | Yes. | Yes |
| Cloud Templates | Create, update, and delete cloud templates | Yes | Yes. Your projects | Yes. Your projects | |||
| View cloud templates | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | ||
| Download cloud templates | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | ||
| Upload cloud templates | Yes | Yes. Your projects | Yes. Your projects | ||||
| Deploy cloud templates | Yes | Yes. Your projects | Yes. Your projects | ||||
| Version and restore cloud templates | Yes | Yes. Your projects | Yes. Your projects | ||||
| Release cloud templates to the catalog | Yes | Yes. Your projects | Yes. Your projects | ||||
| Custom Resources | Create, update or delete custom resources | Yes | |||||
| View custom resources | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | ||
| Custom Actions | Create, update, or delete custom actions | Yes | |||||
| View custom actions | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | ||
| Resources | |||||||
| See and open the Resources tab | Yes | Yes | Yes | Yes | Yes | Yes | |
| Deployments | View deployments including deployment details, deployment history, price, monitor, alerts, optimize, and troubleshooting information |
Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | |
| Manage alerts | Yes | Yes. Your projects | Yes. your projects | ||||
| Run day 2 actions on deployments based on policies | Yes | Yes. Your projects | Yes. Your projects | ||||
| Resources - All Resources | View all discovered resources | Yes | Yes | ||||
| Run day 2 actions on discovered resources. Actions available only on machines and limited to power on and off for all machines, and remote console for vSphere machines. |
Yes | ||||||
| Resources - All Resources | View deployed, onboarded, migrated resources | Yes | Yes | Yes. Your projects. | Yes. Your projects. | Yes. Your projects. | |
| Run Day 2 actions on deployed, onboarded, and migrated resources based on policies | Yes | Yes | Yes. Your projects. | Yes. Your projects. | |||
| Resources - Virtual Machines | View discovered machines | Yes | Yes | ||||
| Run day 2 actions on discovered machines. Actions are limited to power on and off, and remote console for vSphere machines. |
Yes | ||||||
| Create New VM | Yes | ||||||
| View deployed, onboarded, and migrated resources. | Yes | Yes. Your projects. | Yes. Your projects. | Yes. Your projects. | |||
| Run day 2 actions on deployed, onboarded, and migrated resources based on policies | Yes | Yes. Your projects. | Yes. Your projects. | ||||
| Resources - Volumes | View discovered volumes | Yes | Yes | ||||
| No day 2 actions available | |||||||
| View deployed, onboarded, and migrated volumes | Yes | Yes | Yes. Your projects. | Yes. Your projects. | Yes. Your projects. | ||
| Run day 2 actions on deployed, onboarded, and migrated volumes based on policies | Yes | Yes. Your projects. | Yes. Your projects. | ||||
| Resources - Networkin and Security | View discovered networks, load balancers, and security groups | Yes | Yes | ||||
| No day 2 actions available | |||||||
| View deployed, onboarded, and migrated networks, load balancers, and security groups | Yes | Yes | Yes. Your projects. | Yes. Your projects. | Yes. Your projects. | ||
| Run day 2 actions on deployed, onboarded, and migrated networks, load balancers, and security groups based on policies | Yes | Yes. Your projects. | Yes. Your projects. | ||||
| Alerts | |||||||
| See and open the Alerts tab | Yes | Yes | Yes | Yes | Yes | ||
| Manage alerts | Yes | Yes. Your projects | Yes. Your projects | ||||
| View alerts | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | ||
Service Broker Service Roles
The Service Broker service roles determine what you can see and do in Service Broker. These service roles are defined in the console by an organization owner.
| Role | Description |
|---|---|
| Service Broker Administrator | Must have read and write access to the entire user interface and API resources. This is the only user role that can perform all tasks, including creating a new project and assigning a project administrator. |
| Service Broker User | Any user who does not have the Service Broker Administrator role. In a Service Broker project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator. |
| Service Broker Viewer | A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services. Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does. |
In addition to the service roles, Service Broker has project roles. Any project is available in all of the services.
The project roles are defined in Service Broker and can vary between projects.
In the following tables, which tells you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.
Use the following descriptions of project roles will help you as you decide what permissions to give your users.
- Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work.
- Project members work within their projects to design and deploy cloud templates. In the following table, Your projects can include only resources that you own or resources that are shared with other project members.
- Project viewers are restricted to read-only access.
- Project supervisors are approvers in Service Broker for their projects where an approval policy is defined with a project supervisor approver. To provide the supervisor with context for approvals, consider also granting them the project member or viewer role.
| UI Context | Task | Service Broker Administrator | Service Broker Viewer | Service Broker User User must be a project administrator to see and do project-related tasks. |
|||
|---|---|---|---|---|---|---|---|
| Project Administrator | Project Member | Project Viewer | Project Supervisor | ||||
| Access Service Broker | |||||||
| Console | In the console, you can see and open Service Broker | Yes | Yes | Yes | Yes | Yes | Yes |
| Infrastructure | |||||||
| See and open the Infrastructure tab | Yes | Yes | |||||
| Configure - Projects | Create projects | Yes | |||||
| Update, or delete values from project summary, provisioning, Kubernetes, integrations, and test project configurations. | Yes | ||||||
| Add users and groups, and assign roles in projects. | Yes | Yes. Your projects. | |||||
| View projects | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | ||
| Configure - Cloud Zones | Create, update, or delete cloud zones | Yes | |||||
| View cloud zones | Yes | Yes | |||||
| Configure - Kubernetes Zones | Create, update, or delete Kubernetes zones | Yes | |||||
| View Kubernetes zones | Yes | Yes | |||||
| Connections - Cloud Accounts | Create, update, or delete cloud accounts | Yes | |||||
| View cloud accounts | Yes | Yes | |||||
| Connections - Integrations | Create, update, or delete integrations | Yes | |||||
| View integrations | Yes | Yes | |||||
| Activity - Requests | Delete deployment request records | Yes | |||||
| View deployment request records | Yes | ||||||
| Activity - Event Logs | View event logs | Yes | |||||
| Content and Policies | |||||||
| See and open the Content and Policies tab | Yes | Yes | |||||
| Content Sources | Create, update, or delete content sources | Yes | |||||
| View content sources | Yes | Yes | |||||
| Content | Customize form and configure item | Yes | |||||
| View content | Yes | Yes | |||||
| Policies - Definitions | Create, update, or delete policy definitions | Yes | |||||
| View policy definitions | Yes | Yes | |||||
| Policies - Enforcement | View enforcement log | Yes | Yes | ||||
| Notifications - Email Server | Configure an email server | Yes | |||||
| Catalog | |||||||
| See and open the Catalog tab | Yes | Yes | Yes | Yes | Yes | Yes | |
| View available catalog items | Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | ||
| Request a catalog item | Yes | Yes. Your projects | Yes. Your projects | ||||
| Resources | |||||||
| See and open the Resources tab | Yes | Yes | Yes. | Yes | Yes | Yes | |
| Deployments | View deployments, including deployment details, deployment history, price, monitor, alerts, optimize, and troubleshooting information |
Yes | Yes | Yes. Your projects | Yes. Your projects | Yes. Your projects | |
| Manage alerts | Yes | Yes. Your projects | Yes. Your projects | ||||
| Run day 2 actions on deployments based on policies | Yes | Yes. Your projects | Yes. Your projects | ||||
| Resources - All Resources | View all discovered resources | Yes | Yes | ||||
| Run day 2 actions on discovered resources. Actions available only on machines and limited to power on and off for all machines, and remote console for vSphere machines. |
Yes | ||||||
| Resources - All Resources | View deployed, onboarded, migrated resources | Yes | Yes | Yes. Your projects. | Yes. Your projects. | Yes. Your projects. | |
| Run Day 2 actions on deployed, onboarded, and migrated resources based on policies | Yes | Yes | Yes. Your projects. | Yes. Your projects. | |||
| Resources - Virtual Machines | View discovered machines | Yes | Yes | ||||
| Run day 2 actions on discovered machines. Actions are limited to power on and off, and remote console for vSphere machines. |
Yes | ||||||
| Create New VM | Yes | ||||||
| View deployed, onboarded, and migrated resources. | Yes | Yes. Your projects. | Yes. Your projects. | Yes. Your projects. | |||
| Run day 2 actions on deployed, onboarded, and migrated resources based on policies | Yes | Yes. Your projects. | Yes. Your projects. | ||||
| Resources - Volumes | View discovered volumes | Yes | Yes | ||||
| No day 2 actions available | |||||||
| View deployed, onboarded, and migrated volumes | Yes | Yes | Yes. Your projects. | Yes. Your projects. | Yes. Your projects. | ||
| Run day 2 actions on deployed, onboarded, and migrated volumes based on policies | Yes | Yes. Your projects. | Yes. Your projects. | ||||
| Resources - Networking and Security | View discovered networks, load balancers, and security groups | Yes | Yes | ||||
| No day 2 actions available | |||||||
| View deployed, onboarded, and migrated networks, load balancers, and security groups | Yes | Yes | Yes. Your projects. | Yes. Your projects. | Yes. Your projects. | ||
| Run day 2 actions on deployed, onboarded, and migrated networks, load balancers, and security groups based on policies | Yes | Yes. Your projects. | Yes. Your projects. | ||||
| Approvals | |||||||
| See and open the Approvals tab | Yes | Yes | Yes | Yes | Yes | Yes | |
| Respond to approval requests | Yes | Yes. Your projects and the policy approver is Project Administrator | Only if you are a named approver | Only if you are a named approver | Yes. Your projects and the policy approver is Project Supervisor | ||
Code Stream Service Roles
The Code Stream service roles determine what you can see and do in Code Stream. These roles are defined in the console by the organization owner. Any project is available in all of the services.
| Role | Description |
|---|---|
| Code Stream Administrator | A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including create projects, integrate endpoints, add triggers, create pipelines and custom dashboards, mark endpoints and variables as restricted resources, run pipelines that use restricted resources, and request that pipelines be published in Service Broker. |
| Code Stream Developer | A user who can work with pipelines, but cannot work with restricted endpoints or variables. If a pipeline includes a restricted endpoint or variable, this user must obtain approval on the pipeline task that uses the restricted endpoint or variable. |
| Code Stream Executor | A user who can run pipelines and approve or reject user operation tasks. This user can resume, pause, and cancel pipeline executions, but cannot modify pipelines. |
| Code Stream User | A user who can access Code Stream, but does not have any other privileges in Code Stream. |
| Code Stream Viewer | A user who has read access to see pipelines, endpoints, pipeline executions, and dashboards, but cannot create, update, or delete them. A user who also has the Service viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does. |
In addition to the service roles, Code Stream has project roles. Any project is available in all the services.
The project roles are defined in Code Stream and can vary between projects.
In the following tables, which tell you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.
Use the following descriptions of project roles to help you decide what permissions to give your users.
- Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work. The project administrator can add members.
- Project members who have a service role can use services.
- Project viewers can see projects but cannot create, update, or delete them.
All actions except restricted means this role has permission to perform create, read, update, and delete actions on entities except for restricted variables and endpoints.
| UI Context | Capabilities | Code Stream Administrator role | Code Stream Developer role | Code Stream Executor role | Code Stream Viewer role | Code Stream User role |
|---|---|---|---|---|---|---|
| Pipelines | ||||||
| View pipelines | Yes | Yes | Yes | Yes | ||
| Create pipelines | Yes | Yes | ||||
| Run pipelines | Yes | Yes | Yes | |||
| Run pipelines that include restricted endpoints or variables | Yes | |||||
| Update pipelines | Yes | Yes | ||||
| Delete pipelines | Yes | Yes | ||||
| Pipeline Executions | ||||||
| View pipeline executions | Yes | Yes | Yes | Yes | ||
| Resume, pause, and cancel pipeline executions | Yes | Yes | Yes | |||
| Resume pipelines that stop for approval on restricted resources | Yes | |||||
| Custom Integrations | ||||||
| Create custom integrations | Yes | Yes | ||||
| Read custom integrations | Yes | Yes | Yes | Yes | ||
| Update custom integrations | Yes | Yes | ||||
| Endpoints | ||||||
| View executions | Yes | Yes | Yes | Yes | ||
| Create executions | Yes | Yes | ||||
| Update executions | Yes | Yes | ||||
| Delete executions | Yes | Yes | ||||
| Mark resources as restricted | ||||||
| Mark an endpoint or variable as restricted | Yes | |||||
| Dashboards | ||||||
| View dashboards | Yes | Yes | Yes | Yes | ||
| Create dashboards | Yes | Yes | ||||
| Update dashboards | Yes | Yes | ||||
| Delete dashboards | Yes | Yes |
vRA Migration Assistant Service Roles
The vRA Migration Assistant service roles determine what you can see and do in vRA Migration Assistant and Cloud Assembly. These service roles are defined in the console by an organization owner.
| Role | Description |
|---|---|
| Migration Assistant Administrator | A user who has full view, update, and delete privileges in the vRA Migration Assistant and Cloud Assembly. This role must also have at least the Cloud Assembly Viewer role. |
| Migration Assistant Viewer | A user who has read access to see information but cannot create, update, or delete values in vRA Migration Assistant or in Cloud Assembly. This role must also have at least the Cloud Assembly Viewer role. |
Orchestrator Service Roles
The Orchestrator service roles determine what you can see and do in vRealize Orchestrator Client. These service roles are defined in the console by an organization owner.
| Role | Description |
|---|---|
| Orchestrator Administrator | A user who has full view, update, and delete privileges in vRealize Orchestrator. An administrator can also access the content created by specific groups. |
| Orchestrator Viewer | A user who has read access to see features and content, including all groups and group content, but cannot create, update, run, delete values, or export content. This is a read-only role across all projects in all the services. |
| Orchestrator Workflow Designer | A user who can create, run, edit, and delete their own vRealize Orchestrator Client content. They can add their own content to their assigned group. The workflow designer does not have access to the administration and troubleshooting features of the vRealize Orchestrator Client. |
SaltStack Config Service Role
The SaltStack Config service role determines what you can see and do in vRealize Automation. This service role is defined in the console by an organization owner.
| Role | Description |
|---|---|
| SaltStack Config Administrator | A user who can access the SaltStack Config tile on the console when the integration with Cloud Assembly is configured. To log in on the SaltStack Config instance, the user must have SaltStack administrator permissions that are defined in SaltStack Config. The user must also have the Cloud Assembly Administrator role. |
