As an administrator, you can use the vRealize Orchestrator Client to set user roles and group permissions for vRealize Orchestrator features and content.

After the vRealize Orchestrator instance is authenticated, the administrator can set permissions that control access to features and content. Permissions in the vRealize Orchestrator Client are separated into role management and group permissions. With role management, you control what vRealize Orchestrator Client features users can view and use. With group permissions, you control what vRealize Orchestrator Client content users can view and use. Content access covered in group permissions includes workflows, actions, policies, configuration elements, and resource elements. You can use groups to organize users into common projects. For example, you can create a group that includes users working on developing a custom vRealize Orchestrator plug-in.
Note: Access to pre-configured vRealize Orchestrator content like standard workflows and actions is shared among all users, unless configured otherwise through group permissions.
Roles
Role management is only available for vRealize Orchestrator instances authenticated with vRealize Automation. Permissions management for vRealize Orchestrator instances authenticated with vSphere is limited to group permissions.
Role: Description
Administrator: Can access all vRealize Orchestrator Client features and content, including the content created by specific groups. Responsible for setting user roles, creating and deleting groups, and adding users to groups.
Note: Tenant administrators from the vRealize Automation environment used to authenticate vRealize Orchestrator have Administrator rights, by default.
Workflow Designer: Can create, run, edit, and delete their own vRealize Orchestrator Client content. Can add their own content to their assigned group. Does not have access to the administration and troubleshooting features of the vRealize Orchestrator Client.
Note: vRealize Automation users with no predefined role can still log in to the vRealize Orchestrator Client, but have limited access to client features. If they are part of a group, these users can view and run content associated with that group.
Groups
Group permissions in the vRealize Orchestrator Client are not tied to Active Directory user groups. For information on Active Directory user groups, see User Group Workflows in the Using VMware vRealize Orchestrator Plug-ins documentation.
Group user permissions: Description
Run and edit: Only available for vRealize Orchestrator instances authenticated with vRealize Automation. Can create, edit, add, and run vRealize Orchestrator objects for use in the group.
Run: Can view and run vRealize Orchestrator objects included in the group.
Note: Group permissions are tied to the role management system in the vRealize Orchestrator Client. For example, users with no predefined role can have Run and edit permissions, but can only view and run their own content or group content, without the ability to create, edit, and add content.