vRealize Orchestrator administrators can set permissions that control access to features and content in the vRealize Orchestrator Client. Access rights are separated into user roles and group permissions.

Roles control what vRealize Orchestrator Client features users can view and use. Access to the role management functionality depends on the license type of your vRealize Orchestrator environment.
Table 1. License-Based Access to vRealize Orchestrator Role Management

License: vSphere
  Role management is not supported. Groups support only Run permissions.

License: vRealize Automation
  Authentication with vSphere: Manage roles in the vRealize Orchestrator Client. See Assign Roles in the vRealize Orchestrator Client.
  Authentication with vRealize Automation: Manage roles through Identity and Access Management in vRealize Automation. See Configure vRealize Orchestrator Client Roles in vRealize Automation.

Group permissions control what vRealize Orchestrator Client content users can view and use, such as workflows, actions, policies, configuration elements, and resource elements. Access to preconfigured system vRealize Orchestrator content like standard workflows and actions is shared among all users, unless configured otherwise through group permissions.

Access rights of users with administrator and viewer roles are not restricted by group permissions. Access rights of users without an assigned role and users with a workflow designer role depend on the group assigned to them. You can extend the access rights of these users by modifying their group permissions. In this way, you can organize users into common projects. For example, you can create a group that includes users working on developing a custom vRealize Orchestrator plug-in and allow them to modify only content that is specific to their group.

Table 2. vRealize Orchestrator User Roles and Groups Permissions

Role: Administrator

Administrators can access all vRealize Orchestrator Client features and content, including the content created by specific groups. Administrators are responsible for setting user roles, creating and deleting groups, and adding users to groups. Administrators are not limited by group permissions.

Tenant administrators from vRealize Automation environments used to authenticate vRealize Orchestrator have Administrator rights by default.

Role: Viewer

Viewers have read-only access to all content in the vRealize Orchestrator Client, but cannot create, edit, run, or export content. Viewers can also see all groups and group content. Viewers are not limited by group permissions.

The Viewer role overwrites the Workflow Designer role when both roles are assigned to the same user account.

Role: Workflow Designer

Group permissions: No assigned group
  • View system content.
  • View and run own runs.
  • Create, run, edit, and delete own content.

Group permissions: Run
  • View system content.
  • View and run own runs.
  • Create, run, edit, and delete own content.
  • Add own content to the group.
  • Run group content, but cannot edit it.

Group permissions: Run and edit
  • View system content.
  • View and run own runs.
  • Create, run, edit, and delete own content.
  • Add own content to the group.
  • Run and edit group content.

  Not available for vRealize Orchestrator instances authenticated with vSphere.

Role: User without an assigned role

Group permissions: No assigned group
  • View own runs.
  • Respond to user interaction requests.

  These access rights are granted by default to users in vRealize Automation and vSphere without an assigned vRealize Orchestrator role and group.

Group permissions: Run
  • View and run own runs.
  • View and run group content.

Group permissions: Run and edit
  • View and run own runs.
  • View and run group content.

  To be able to create, edit, and add content, users in this group must be assigned a Workflow Designer role.

  Not available for vRealize Orchestrator instances authenticated with vSphere.