VMware Cloud Director Permissions
The list below includes the permissions related to VMware Cloud Director resources.
- Users with the Administrator role in OnApp have VMware Cloud Director related permissions enabled by default. They can create and manage VMware Cloud Director resources if there is a VMware Cloud Director compute resource in the cloud.
- The VMware Cloud Director permissions list is not updated in OnApp for custom roles imported from VCD.
To set the permissions:
- Go to your Control Panel > Admin > Roles menu.
- On the following page, click the Actions button next to the role you want to edit, then select Edit.
- Change the role's permissions for users as required and click Save.
List of Permissions
Catalogs
OnApp administrators can control users' ability to manage VMware Cloud Director catalogs. You can set the following catalogs permissions for user roles:
- Any action on Catalogs - the user can take any action on catalogs
- Create a new Catalog - the user can create new catalogs
- Delete any Catalog - the user can delete any catalog
- Delete own Catalogs - the user can only delete own catalogs
- Read any Catalog - the user can see the the list of all catalogs
- Read own Catalogs - the user can only see own catalogs
- Read public Catalogs - the user can view shared catalogs form other user groups
- Update any Catalog - the user can edit any catalog
For details, refer to the Catalogs section.
Buckets
OnApp administrators can control users' ability to manage the buckets. You can set the following bucket permissions for user roles:
- Any action on buckets - the user can take any action on any bucket
- Create a new bucket - the user can create a new bucket
- Delete any bucket - the user can delete any bucket
- See list of all buckets - the user can see list of all buckets
- See details of any bucket - the user can see details of any bucket
- See own bucket - the user can only see own bucket
- Update any bucket - the user can edit any bucket
- Show empty values - the user can see empty values in the access control and rate card of any bucket
For details, refer to the VMware Cloud Director Buckets section.
Dashboard
OnApp administrators can control users' access to the dashboard. You can set the following VMware Cloud Director dashboard permissions for user roles:
- Show vCloud dashboard - the user can see VMware Cloud Director details on the dashboard
NSX-V Edge Gateways
OnApp administrators can control users' ability to manage NSX-V edge gateways. You can set the following edge gateway permissions for user roles:
- Any action on NSX-V Edge Gateways - the user can take any action on NSX-V edge gateways
- Manage Advanced NSX-V Edge Gateway Services - the user can manage advanced NSX-V edge gateway services
- Create new NSX-V Edge Gateways - the user can create new NSX-V edge gateways
- Delete any NSX-V Edge Gateways - the user can delete any NSX-V edge gateways
- Delete own NSX-V Edge Gateways - the user can delete only own NSX-V edge gateways
- Manage Services in vCD UI - the user has access to the edge gateways services in VCD UI
- Read any NSX-V Edge Gateways - the user can see the list of all NSX-V edge gateways under the NSX-V tab at Control Panel > Edge Gateways
- Read own NSX-V Edge Gateways - the user can only see their own NSX-V edge gateways under the NSX-V tab at Control Panel > Edge Gateways
- Update any NSX-V Edge Gateways - the user can update any NSX-V edge gateways
- Update own NSX-V Edge Gateways - the user can update only their own NSX-V edge gateways
For details, refer to the NSX-V Edge Gateways section.
NSX-T Edge Gateways
OnApp administrators can control users' ability to manage their own NSX-T edge gateways. You can set the following edge gateway permissions for user roles:
- Any action on NSX-T Edge Gateways - the user can take any action on NSX-T edge gateways
- Create NSX-T Edge Gateways - the user can create NSX-T edge gateway
- Delete NSX-T Edge Gateways - the user can delete NSX-T edge gateway
- See NSX-T Edge Gateways - the user has access to the NSX-T tab at Control Panel > Edge Gateways
- Update NSX-T Edge Gateways - the user can update NSX-T edge gateways
For details, refer to the Create and Manage NSX-T Edge Gateways section.
Nat Rules
OnApp administrators can control users' ability to manage VMware Cloud Director nat rules. You can set the following VMware Cloud Director nat rules permissions for user roles:
- Any action on nat rules - the user can take any action on nat rules
- Create nat rules - the user can create a nat rule in any edge gateway
- Delete any nat rule - the user can delete any nat rule
- Delete own nat rules - the user can delete only own nat rules
- See any nat rule - the user can see all nat rules
- See own nat rules - the user can see only own nat rules
- Edit any nat rule - the user can edit all nat rules
- Edit own nat rules - the user can edit only own nat rules
For details, refer to the Nat Rules section.
NSX-V Firewall Rules
OnApp administrators can control users' ability to manage NSX-V firewall rules. You can set the following firewall rules permissions for user roles:
- Any action on firewall rule - the user can take any action on NSX-V firewall rules
- Create any firewall rule - the user can create a new NSX-V firewall rule
- Delete any firewall rule - the user can delete any NSX-V firewall rule
- See any firewall rules - the user can see any NSX-V firewall rules
- Update any firewall rule - the user can edit any NSX-V firewall rule
NSX-V Firewall Services
OnApp administrators can control users' ability to manage NSX-V firewall services. You can set the following firewall services permissions for user roles:
- Any action on firewall service - the user can take any action on NSX-V firewall services
- See any firewall service - the user can see any NSX-V firewall service
- Update any firewall service - the user can edit any NSX-V firewall service
NSX-T Firewall Rules
OnApp administrators can control users' ability to manage firewall rules assigned to NSX-T edge gateway. You can set the following firewall rules permissions for user roles:
- Any actions on NSX-T Firewall Rules - the user can take any actions on NSX-T firewall rules
- See any NSX-T Firewall Rule - the user can see any NSX-T firewall rule
- Manage any NSX-T Firewall Rule - the user can manage (create/update/delete) any NSX-T firewall rule
NSX-V IPSec Services
OnApp administrators can control users' ability to manage NSX-V IPSec services. You can set the following IPSec services permissions for user roles:
- Any action on IPSec service - the user can take any action on NSX-V IPSec services
- See any IPSec service - the user can see any NSX-V IPSec service
- Update any IPSec service - the user can edit any NSX-V IPSec service
NSX-V IPSec Sites
OnApp administrators can control users' ability to manage NSX-V IPSec sites. You can set the following IPSec sites permissions for user roles:
- Any action on IPSec site - the user can take any action on NSX-V IPSec sites
- Create IPSec sites - the user can create an NSX-V IPSec site
- Delete any IPSec site - the user can delete any NSX-V L2 VPN IPSec site
- See any IPSec site - the user can see any NSX-V IPSec sites
- Update any IPSec site - the user can edit any NSX-V IPSec site
NSX-T IPSec VPNs
OnApp administrators can control users' ability to manage NSX-T IPSec VPNs. You can set the following IPSec VPN permissions for user roles:
- Any action on NSX-T IPSec VPN - the user can take any action on NSX-T IPSec VPN
- Manage any NSX-T IPSec VPN - the user can manage any NSX-T IPSec VPN
- See any NSX-T IPSec VPN - the user can see any NSX-T IPSec VPN
For details, refer to the NSX-T IPSec VPN page.
NSX-V L2 VPN Peer Sites
OnApp administrators can control users' ability to manage NSX-V L2 VPN peer sites. You can set the following L2 VPN peer sites permissions for user roles:
- Any action on L2 VPN peer site - the user can take any action on NSX-V L2 VPN peer sites
- Create L2 VPN peer sites - the user can create an NSX-V L2 VPN peer site
- Delete any L2 VPN peer site - the user can delete any NSX-V L2 VPN peer site
- See any L2 VPN peer site - the user can see any NSX-V L2 VPN sites
- Update any L2 VPN peer site - the user can edit any NSX-V L2 VPN sites
NSX-V L2 VPN Services
OnApp administrators can control users' ability to manage NSX-V L2 VPN services. You can set the following L2 VPN services permissions for user roles:
- Any action on L2 VPN service - the user can take any action on NSC L2 VPN services
- See any L2 VPN service - the user can see any NSX-V L2 VPN service
- Update any L2 VPN service - the user can edit any NSX-V load balancer L2 VPN services
NSX-V Load Balancer Application Profiles
OnApp administrators can control users' ability to manage NSX-V load balancer application profiles. You can set the following load balancer application profiles permissions for user roles:
- Any action on application profile - the user can take any action on NSX-V load balancer application profiles
- Create any application profile - the user can create a new NSX-V load balancer application profile
- Delete any application profile - the user can delete any NSX-V load balancer application profile
- See any application profile - the user can see any NSX-V load balancer application profile
- Update any application profile - the user can edit any NSX-V load balancer application profile
NSX-V Load Balancer Application Rules
OnApp administrators can control users' ability to manage NSX-V load balancer application rules. You can set the following load balancer application rules permissions for user roles:
Any action on application rules - the user can take any action on NSX load balancer application rules
- Create any application rule - the user can create a new NSX-V load balancer application rule
- Delete any application rule - the user can delete any NSX-V load balancer application rule
- See any application rule - the user can see any NSX-V load balancer application rules
- Update any application rule - the user can edit any NSX-V load balancer application rules
NSX-V Load Balancer Monitors
OnApp administrators can control users' ability to manage NSX-V load balancer monitors. You can set the following load balancer monitors permissions for user roles:
- Any action on monitors - the user can take any action on NSX-V load balancer monitors
- Create any monitor - the user can create a new NSX-V load balancer monitor
- Delete any monitor - the user can delete any NSX-V load balancer monitor
- See any monitor - the user can see any NSX-V load balancer monitors
- Update any monitor - the user can edit any NSX-V load balancer monitors
NSX-V Load Balancer Pools
OnApp administrators can control users' ability to manage NSX-V load balancer pools. You can set the following load balancer pools permissions for user roles:
- Any action on pool - the user can take any action on NSX-V load balancer pools
- Create any pool - the user can create a new NSX-V load balancer pool
- Delete any pool - the user can delete any NSX-V load balancer pool
- See any pool - the user can see any NSX-V load balancer pools
- Update any pool - the user can edit any NSX-V load balancer pools
NSX-V Load Balancer Services
OnApp administrators can control users' ability to manage NSX-V load balancer services. You can set the following load balancer services permissions for user roles:
- Any action on load balancer service - the user can take any action on NSX-V load balancer services
- See any load balancer service - the user can see any NSX-V load balancer service
- Update any load balancer service - the user can edit any NSX-V load balancer service
NSX-V Load Balancer Virtual Servers
OnApp administrators can control users' ability to manage NSX-V Edge internal or uplink interfaces as virtual servers. You can set the following permissions for user roles:
Any action on virtual server - the user can take any action on NSX-V load balancer virtual servers
Create any virtual server - the user can create a new NSX-V load balancer virtual server
Delete any virtual server - the user can delete any NSX-V load balancer virtual servers
See any virtual server - the user can see any NSX-V load balancer virtual servers
Update any virtual server - the user can edit any NSX-V load balancer virtual servers
NSX-V Managers
OnApp administrators can control users' ability to manage NSX-V managers. You can set the following NSX-V managers permissions for user roles:
- Any action on NSX manager - the user can take any action on NSX-V manager
- See any NSX manager - the user can see any NSX-V manager
- Update any NSX manager - the user can edit any NSX-V manager
NSX-V NAT Rules
OnApp administrators can control users' ability to manage NSX-V NAT rules. You can set the following NAT rules permissions for user roles:
- Any action on nat rule - the user can take any action on NSX-V NAT rules
- Create any nat rule - the user can create a new NSX-V NAT rule
- Delete any nat rule - the user can delete any NSX-V NAT rule
- See any nat rule - the user can see any NSX-V NAT rules
- Update any nat rule - the user can edit any NSX-V NAT rules
NSX-T NAT Rules
OnApp administrators can control users' ability to manage NAT rules assigned to an NSX-T edge gateway. You can set the following NSX-T NAT rules permissions for the user role:
- Any actions on NSX-T NAT Rules - the user can take any actions on NSX-T NAT rules
- Manage any NSX-T NAT Rule - the user can manage (create/update/delete) any NSX-T NAT rule
- See any NSX-T NAT Rule - the user can see any NSX-T NAT rule
For details, refer to the NSX-T NAT Rules page.
NSX-V NAT Services
OnApp administrators can control users' ability to manage NSX-V NAT services. You can set the following NAT services permissions for user roles:
- Any action on nat service - the user can take any action on NSX-V NAT services
- See any nat service - the user can see any NSX-V NAT services
- Update any nat service - the user can edit any NSX-V NAT services
Orchestration Models
OnApp administrators can control users' ability to manage orchestration models. You can set the following orchestration models permissions for user roles:
- Create new Orchestration Model - the user can create a new orchestration model
- Delete any Orchestration Model - the user can delete any orchestration model
- Deploy any Orchestration Model - the user can deploy any orchestration model
- Read any Media - the user can see any orchestration model
For details, refer to the Orchestration Models section.
Org Networks
OnApp administrators control how users can manage org networks. You can set the following org network permissions for user roles:
- Any action on org networks - the user can take any action on org networks
- Create a new org network - the user can create a new org network of any type
- Create a new bridged org network - the user can create a new direct org network
- Create a new isolated org network - the user can create a new isolated org network
- Create a new routed org network - the user can create a new routed org network
- Destroy any org network - the user can delete any org network
- See all org networks - the user can see all org networks
- Update any org network - the user can edit any org network
For details, refer to the Organization Networks section.
Payments
OnApp administrators control how users can manage company payments. You can set the following company payments permissions for user roles:
- See own company/group payments - the user can only see their own company payments
For details, refer to the Payments section.
Provider Resource Pools
OnApp administrators control whether users can view VMware Cloud Director provider resource pools. You can set the following provider resource pool permissions for user roles:
- Any action on Provider Resource Pools - the user can take any action on provider resource pools
- Read any Provider Resource Pool - the user can view any provider resource pool
For details, refer to the Provider Resource Pools section.
Resource Pool
OnApp administrators control how users can manage VMware Cloud Director resource pools. You can set the following resource pool permissions for user roles:
- Any action on Resource Pools - the user can take any action on resource pools
- Create a new Resource Pool - the user can create a new Resource Pool
- Delete any Resource Pools - the user can delete any resource pool
- Read any Resource Pool - the user can see the list of all resource pools
- Update any Resource Pool - the user can edit any Resource Pool
For details, refer to the Resource Pool section.
Resource Pool Statistics
OnApp administrators control how users can manage VMware Cloud Director resource pool statistics. You can set the following resource pool statistics permissions for user roles:
- Any action on resource pool statistics - the user can take any action on any resource pool statistics
- See all resource pools statistics - the user can see statistics for all resource pools
- See own resource pools statistics - the user can see statistics for own resource pools only
For details, refer to the Resource Pool Statistics section.
Tunnels
OnApp administrators control how users can manage VPN tunnels. You can set the following tunnels permissions for user roles:
- Any action on tunnels - the user can take any action on tunnels
- Create tunnels for anyone - the user can create tunnels for anyone
- Create own tunnels - the user can only create own tunnels
- Destroy any tunnels - the user can delete any tunnels
- Destroy own tunnels - the user can only delete own tunnels
- Read all tunnels - the user can see all tunnels
- Read own tunnels - the user can only see own tunnels
- Update all tunnels - the user can edit all tunnels
- Update own tunnels - the user can only edit own tunnels
vApps
OnApp administrators can control users' ability to manage vApps. You can set the following vApps permissions for user roles:
- Any action on vApps – the user can take any action on vApps
- Assign recipes to VS – the user can assign provisioning recipes to Virtual Server on vApp deployment
- Change vApp owner - the user can change the owner of a vApp
- Compose vApp - the user can compose a vApp from vApp Templates
Convert vApp – the user can convert vApp into vApp Template - Create a new vApp – the user can create a new vApp
- Customize VS guest OS - the user can customize Virtual Server guest OS on vApp deployment
- Delete any vApp – the user can destroy any vApp
- Delete own vApps – the user can only destroy their own vApps
- Any power action on vApps – the user can take any power actions on vApps
- Any power action on own vApps – the user can only take power actions on their own vApps
- Read any vApps – the user can view any vApps
- Read own vApps – the user can only view their own vApps
- Edit any vApp – the user can edit any vApp
- Edit own vApps – the user can only edit their own vApps
For details, refer to the vApps section.
vApp Networks
OnApp administrators control how users can manage vApp networks. You can set the following vApp network permissions for user roles:
- Any action on vApp networks - the user can take any action on vApp networks
- Create a new vApp network - the user can create a new vApp network
- Destroy any vApp network - the user can delete any vApp network
- See all vApp networks - the user can see all vApp networks
- Update any vApp network - the user can edit any vApp network
For details, refer to the vApps Networks section.
vApp Templates
OnApp administrators can control users' ability to manage vApp templates. You can set the following vApp template permissions for user roles:
- Any action on vApp templates – the user can take any action on vApp templates
- Create any vApp templates – the user can create any vApp template
- Delete any vApp templates – the user can destroy any vApp template
- See any vApp templates - the user can see any vApp templates
- See own vApp templates - the user see only own vApp templates
- See vApp templates from shared catalogs - the user can see vApp templates from shared catalogs
- Manage System Service Add-on - the user can manage system service add-ons of the vApp templates
For details, refer to the vApps Templates section.
vCloud Permissions
OnApp administrators can control users' ability to manage vCloud permissions. You can set the following VMware Cloud Director permissions for user roles:
- Administrator Control - the user can manage general administrative stuff (for example, edit all fields in own user profile). Without this permission the user has no ability to edit own first name, last name and email fields in user profile.
For details, refer to the vCloud Permissions section.
Virtual Servers
OnApp administrators can control users' ability to manage vCloud virtual servers. You can set the following vCloud virtual servers permissions for user roles:
- Install VMWare tools - the user can install VMware tools (applicable for VMware Cloud Director VSs)
Access To VCD UI - the user can access VMware Cloud Director UI
Allow insert/eject media for all virtual server - the user can insert/eject media for all virtual servers
- Allow insert/eject media for own virtual server - the user can insert/eject media for their own virtual servers
For details, refer to the vCloud Virtual Servers section.
Virtual Server Snapshots
OnApp administrators can control user's access to VMware virtual server snapshots. You can set the following snapshot permissions:
- Any action on Virtual Server Snapshots - the user can take any action on snapshots
- Create or Restore own Virtual Server Snapshot - the user can create/restore own snapshots
- Destroy own Virtual Server Snapshot - the user can delete own snapshots
- See own Virtual Server Snapshots - the use can see the list of own snapshots
For details, refer to VMware Cloud Director VS Snapshots section.