With the role-based access management, users or groups from the configured authentication provider can have different roles in Control Center.

After you configure Orchestrator to work with either vRealize Automation or vSphere as an authentication provider, you can no longer use root to log in to Control Center. For more information, see Configuring a Standalone Orchestrator Server.

Control Center has three predefined roles. The Administrator role includes the permissions of the Tenant Admin role. The Tenant Admin role includes the permissions of the Consumer role.

Control Center Role



Has access to all configuration menus in Control Center.

Tenant Admin

Has access to:


Has access to Inspect Workflows.


Some of the authentication provider roles are automatically mapped to the Control Center roles.

When the authentication is vSphere, users from the Admin group that is selected during the authentication provider configuration can see all options in Control Center. All other users from the vSphere identity provider can log in but they do not see any of the menus in Control Center.

When the authentication provider is vRealize Automation, the vRealize Automation system administrator can see all configuration options in Control Center. The vRealize Automation tenant administrators receive automatically Tenant Admin permissions and all other users from the vRealize Automation identity provider are mapped to the Consumer role.