As an administrator, you can use the vRealize Orchestrator Client to set user roles and group permissions for vRealize Orchestrator features and content.

After the vRealize Orchestrator instance is authenticated, the administrator can set permissions that control access to features and content. Permissions in the vRealize Orchestrator Client are separated into role management and group permissions. With role management, you control what vRealize Orchestrator Client features users can view and use. With group permissions, you control what vRealize Orchestrator Client content users can view and use. Content access covered in group permissions includes workflows, actions, policies, configuration elements, and resource elements. You can use groups to organize users into common projects. For example, you can create a group that includes users working on developing a custom vRealize Orchestrator plug-in.
Note: Access to preconfigured vRealize Orchestrator content like standard workflows and actions is shared among all users, unless configured otherwise through group permissions.
Roles
Client-side role management is only available for vRealize Orchestrator instances authenticated with vSphere that use a vRealize Automation license. For deployments that use a vRealize Automation authentication, you must use the Identity and Access Management feature of vRealize Automation. See Configure vRealize Orchestrator Client Roles in vRealize Automation.
Role Description
Administrator Can access all vRealize Orchestrator Client features and content, including the content created by specific groups. Responsible for setting user roles, creating and deleting groups, and adding users to groups.
Note: Tenant administrators from the vRealize Automation environment used to authenticate vRealize Orchestrator have Administrator rights, by default.
Workflow Designer Can create, run, edit, and delete their own vRealize Orchestrator Client content. Can add their own content to their assigned group. Does not have access to the administration and troubleshooting features of the vRealize Orchestrator Client.
Note: vRealize Automation users with no predefined role can still log in to the vRealize Orchestrator Client, but have limited access to client features. If they are part of a group, these users can view and run content associated with that group.
Groups
Group permissions in the vRealize Orchestrator Client can be used to connect multiple users working on a common vRealize Orchestrator such as developing a custom plug-in.
Group user permissions Description
Run and edit Only available for vRealize Orchestrator instances that use a vRealize Automation license. Can create, edit, add, and run vRealize Orchestrator objects for use in the group.
Run Can view and run vRealize Orchestrator objects included in the group.
Note: Group permissions are tied to the role management system in the vRealize Orchestrator Client. For example, users with no predefined role can have Run and edit permissions, but can only view and run their own content or group content, without the ability to create, edit, and add content.