Roles and permissions for VMware Cloud Director

The following table provides information about the platform management roles and permissions for IBM Cloud® for VMware Cloud Foundation as a Service.

Minimum - roles with the bare minimum permissions in VMware Cloud Director™.
VMware Cloud Director - roles that are provided by VMware Cloud Director. For more information, see Rights in predefined global tenant roles.
Custom - roles that are custom-defined by IBM®.

Roles and actions for VCF as a Service
Platform management role	Actions	Level of permission
Reader	Read-only actions to view service-specific resources.	Minimum
Writer	Create and edit service-specific resources.	Minimum
Manager	Privileged actions as defined by the service in addition to create and edit service-specific resources.	Custom
Viewer	Read-only actions to view the summary and details of instances.	Minimum
Operator	Read-only actions. For example, list instances and view instance details.	Minimum
Editor	Update a specific instance. For example, add or remove VMware ESXi™ servers, clusters, and services; upgrade an instance to a higher version.	Minimum
Administrator	Full management access. For example, create new instances, delete instances, and grant platform access to other users.	Custom
VCFaaS Full Viewer	All view access to every component in VMware Cloud Director.	Custom
VCFaaS vApp Author	Use catalogs and create vApps in VMware Cloud Director.	VMware Cloud Director
VCFaaS vApp User	Use existing vApps in VMware Cloud Director.	VMware Cloud Director
VCFaaS Catalog Author	Create and publish catalogs in VMware Cloud Director.	VMware Cloud Director
VCFaaS Network Admin	Create, view, edit, delete the subnet, the static route, and troubleshoot routing in VMware Cloud Director.	Custom
VCFaaS Console User	View a virtual machine state, properties, and use the guest operating system in VMware Cloud Director.	VMware Cloud Director
VCFaaS Backup User	Manage Veeam® backup jobs in VMware Cloud Director.	Custom
VCFaaS Security Admin	View and edit the edge firewall and the distributed firewall in VMware Cloud Director.	Custom

Recently introduced rights

Additional rights are available with recent releases. If you use pre-configured Open ID Connect (OIDC) roles or any role other than the Organization Administrator role, you must manually add these rights to your roles.

To update the roles with the new rights, complete the following steps as an IBM Cloud IAM Administrator or as an Organization Administrator.

From the tenant portal, click the Menu icon at the upper left of the page and select Administration.
Under the Access Control section on the left pane, select Roles.
Select the role to change and click Edit. You must use the recommended OIDC roles from the following table, Table 2. Recommended OIDC roles, or use customized roles.
In the Edit Role window, select the new permissions and clear the permissions to remove. You can add the new tenant permissions to the roles as defined in Table 2. Recommended OIDC roles.
Click SAVE to apply the new or removed permissions. You might need to log out and log back into the tenant portal to see the changes.
Repeat for each role that requires the update.

For more information, see Edit a Custom Tenant Role Using Your VMware Cloud Director Tenant Portal.

The permissions that include an asterisk (*) are introduced in VMware Cloud Director 10.6 and are available to users after the Cloud Director site where the virtual data centers are deployed is upgraded to VMware Cloud Director 10.6.0.1. For more information, see IBM Cloud Maintenance notifications for scheduled upgrade dates.

The following table provides the recently introduced rights and the recommended OIDC roles to manually update.

Recommended OIDC roles
Permission	Manager	Administrator	Director Full Viewer	Director Network Admin	Director Security Admin
IP Spaces: Allocate
Organization vDC Gateway: Configure Firewall
Organization vDC Gateway: Configure NAT
Organization vDC Gateway: View
Organization vDC Network: Manage Manual IP Reservation*
Private IP Spaces: Manage
Private IP Spaces: View
Provider Gateway: Simple View
Provider Gateway BGP: Simple Manage
Provider Gateway BGP: Simple View
Provider Gateway Firewall: Manage
Provider Gateway Firewall: View
Provider Gateway IP Sec VPN: Manage*
Provider Gateway IP Sec VPN: View*
Provider Gateway NAT: Manage
Provider Gateway NAT: View
Provider Gateway Routing: Simple View*
Provider Network: View

Custom-defined roles and permissions

The following table provides information about roles that are custom-defined by IBM.

Custom-defined roles and permissions for VCF as a Service
Permission	Manager	Administrator	Director Full Viewer	Director Network Admin	Director Security Admin	Director Backup User
Access Control List: Manage
Access Control List: View
Access All Organization VDCs
Alternate Admin Entity: View
API Explorer: View
API Tokens: Manage
API Tokens: Manage All
Catalog: Add vApp from My Cloud
Catalog: Change Owner
Catalog: CLSP Publish Subscribe
Catalog: Create / Delete a Catalog
Catalog: Edit Properties
Catalog: Publish
Catalog: Shadow VM View
Catalog: Sharing
Catalog: VCSP Publish Subscribe
Catalog: VCSP Publish Subscribe Caching
Catalog: View ACL
Catalog: View Private and Shared Catalogs
Catalog: View Published Catalogs
Certificate Library: Manage
Certificate Library: View
Custom entity: View all custom entity instances in org
Custom entity: View custom entity instance
Extension Service API Definition: Manage
Extension Service API Definition: View
Extension Services: View
Extensions: View
External Service: Manage
External Service: View
General: Administrator Control
General: Administrator View
General: Send Notification
General: View Error Details
Group / User: Manage
Group / User: View
Hybrid Cloud Operations: Acquire control ticket
Hybrid Cloud Operations: Acquire from-the-cloud tunnel ticket
Hybrid Cloud Operations: Acquire to-the-cloud tunnel ticket
Hybrid Cloud Operations: Create from-the-cloud tunnel
Hybrid Cloud Operations: Create to-the-cloud tunnel
Hybrid Cloud Operations: Delete from-the-cloud tunnel
Hybrid Cloud Operations: Delete to-the-cloud tunnel
Hybrid Cloud Operations: Update from-the-cloud tunnel endpoint tag
IP Spaces: Allocate
Localization Resources: Manage
Metadata File Entry: Create/Modify
Network Pool: View
Object Extensions: Manage
Object Extensions: View
Organization Network: Create or Delete
Organization Network: Edit Properties
Organization Network: View
Organization vDC Compute Policy: View
Organization vDC Disk: View IOPS
Organization vDC Distributed Firewall: Configure Rules
Organization vDC Distributed Firewall: View Rules
Organization vDC Gateway: Configure BGP Routing
Organization vDC Gateway: Configure DHCP
Organization vDC Gateway: Configure DNS
Organization vDC Gateway: Configure ECMP Routing
Organization vDC Gateway: Configure Firewall
Organization vDC Gateway: Configure IPSec VPN
Organization vDC Gateway: Configure L2 VPN
Organization vDC Gateway: Configure Load Balancer
Organization vDC Gateway: Configure NAT
Organization vDC Gateway: Configure OSPF Routing
Organization vDC Gateway: Configure Remote Access
Organization vDC Gateway: Configure Route Advertisement
Organization vDC Gateway: Configure SLAAC Profile
Organization vDC Gateway: Configure SSL VPN
Organization vDC Gateway: Configure Static Routing
Organization vDC Gateway: Configure Syslog
Organization vDC Gateway: Convert to Advanced Networking
Organization vDC Gateway: Distributed Routing
Organization vDC Gateway: View
Organization vDC Gateway: View BGP Routing
Organization vDC Gateway: View DHCP
Organization vDC Gateway: View DNS
Organization vDC Gateway: View Firewall
Organization vDC Gateway: View IPSec VPN
Organization vDC Gateway: View L2 VPN
Organization vDC Gateway: View Load Balancer
Organization vDC Gateway: View NAT
Organization vDC Gateway: View OSPF Routing
Organization vDC Gateway: View Remote Access
Organization vDC Gateway: View Route Advertisement
Organization vDC Gateway: View SLAAC Profile
Organization vDC Gateway: View SSL VPN
Organization vDC Gateway: View Static Routing
Organization vDC Named Disk: Change Owner
Organization vDC Named Disk: Create
Organization vDC Named Disk: Delete
Organization vDC Named Disk: Edit Properties
Organization vDC Named Disk: Move
Organization vDC Named Disk: View Encryption Status
Organization vDC Named Disk: View Properties
Organization vDC Network: Edit Properties
Organization vDC Network: Manage Manual IP Reservation*
Organization vDC Network: View
Organization vDC Network: View Properties
Organization vDC Storage Policy: View Capabilities
Organization vDC Storage Profile: Set Default
Organization vDC: Edit
Organization vDC: Edit ACL
Organization vDC: Manage Firewall
Organization vDC: Simple Edit
Organization vDC: User View
Organization vDC: View
Organization vDC: View ACL
Organization vDC: View CPU and Memory Reservation
Organization VDC: view metrics
Organization vDC: VM-VM Affinity Edit
Organization vDC Shared Named Disk: Create
Organization: Edit Association Settings
Organization: Edit Federation Settings
Organization: Edit Leases Policy
Organization: Edit OAuth Settings
Organization: Edit Password Policy
Organization: Edit Properties
Organization: Edit Quotas Policy
Organization: Edit SMTP Settings
Organization: Import User/Group from IdP while Editing VDC ACL
Organization: Perform Administrator Queries
Organization: View
Organization: view metrics
Private IP Spaces: Manage
Private IP Spaces: View
Provider Gateway: Simple View
Provider Gateway BGP: Simple View
Provider Gateway Firewall: Manage
Provider Gateway Firewall: View
Provider Gateway IP Sec VPN: Manage*
Provider Gateway IP Sec VPN: View*
Provider Gateway NAT: Manage
Provider Gateway NAT: View
Provider Gateway Routing: Simple View*
Provider Network: View
Resource Pool: View
Quota Policy Capabilities: View
Resource Class Action: Manage
Resource Class Action: View
Role: Create, Edit, Delete, or Copy
Security Tag Edit
Selector Extensions: Manage
Selector Extensions: View
Service Authorization: Manage
Service Configuration: Manage
Service Configuration: View
Service Link: Manage
Service Link: View
Service Resource Type: Manage
Service Resource Type: View
Service Resource: Manage
Service Resource: View
Service Library: View service libraries
SSL: Test Connection
Truststore: Manage
Truststore: View
UI Plugins: Define Upload Modify Delete Associate or Disassociate
UI Plugins: View
UI Plugins: View
vApp Template / Media: Copy
vApp Template / Media: Create / Upload
vApp Template / Media: Edit
vApp Template / Media: View
vApp Template: Add to My Cloud
vApp Template: Change Owner
vApp Template: Checkout
vApp Template: Download
vApp: Allow All Extra Config
vApp: Allow Matching Extra Config
vApp: Change Owner
vApp: Copy
vApp: Create / Reconfigure
vApp: Delete
vApp: Download
vApp: Edit Properties
vApp: Edit VM Compute Policy
vApp: Edit VM CPU
vApp: Edit VM Hard Disk
vApp: Edit VM Memory
vApp: Edit VM Network
vApp: Edit VM Properties
vApp: Manage VM Password Settings
vApp: Power Operations
vApp: Shadow VM View
vApp: Sharing
vApp: Snapshot Operations
vApp: Upload
vApp: Use Console
vApp: View ACL
vApp: View VM and VM's Disks Encryption Status
vApp: View VM metrics
vApp: VM Boot Options
vApp: VM Metadata to vCenter
vApp: VM Migrate, Force Undeploy, Relocate, Consolidate
VAPP_VM_METADATA_TO_VCENTER
VCD Extension: Register, Unregister, Refresh, Associate or Disassociate
VCD Extension: View
VDC Group: Configure
VDC Group: Configure Logging
VDC Group: View
VDC Template: Instantiate
VDC Template: View
vGPU Profile Consumption: View

Roles and permissions for VMware Cloud Director

Recently introduced rights

Custom-defined roles and permissions

Related links