You can use the vRealize Orchestrator Client to set role- and group-based permissions to Orchestrator content and features. Role- and group-based permissions are only available if you configure your Orchestrator instance with vRealize Automation authentication.

After the Orchestrator instance is authenticated, the administrator can set permissions that control access to the vRealize Orchestrator Client features and content. Permissions in the vRealize Orchestrator Client are separated into roles and groups. With roles, you control what vRealize Orchestrator Client features users can view and use. With groups, you control what vRealize Orchestrator Client content users can view and use. Content access covered in group permissions includes workflows, actions, policies, configuration elements, and resource elements. You can use groups to organize users into common projects. For example, you can create a group that includes users who are working on developing a custom Orchestrator plug-in.


Access to pre-configured Orchestrator content like standard workflows and actions is shared between all users, unless configured otherwise through group permissions.


Configured under Administration > Roles Management.




Can access all vRealize Orchestrator Client features and content, including the content created by specific groups. Responsible for setting user roles, creating and deleting groups, and adding users to groups.


Tenant administrators from the vRealize Automation environment used to authenticate Orchestrator have Administrator rights by default.

Workflow Designer

Can create, run, edit, and delete vRealize Orchestrator Client content. Does not have access to administration and troubleshooting features of the vRealize Orchestrator Client. Can be added as an administrator or member of a group.


Users from the Orchestrator identity provider with no defined roles can still log in to the client, but have limited access to client features. If they are part of a group, they can view and run content associated with that group.


Configured under Administration > Groups. To give group users permissions to create, edit, and delete content for use in the group, the users must first be added in the Roles Management system. Group permissions in the vRealize Orchestrator Client are not tied to Active Directory user groups. For information on Active Directory user groups, see User Group Workflows in the Using VMware vRealize Orchestrator Plug-ins documentation.

Group user permissions


Run and edit

Can create, edit, add, and run Orchestrator objects for use in the group.


Can view and run Orchestrator objects included in the group.


Content created by group members can only be viewed and used by members of that group.