Private cloud vSphere permission model
Google Cloud VMware Engine retains full administrative access to your private cloud environment. You are granted sufficient administrator privileges to deploy and manage the virtual machines (VMs) in your environment. If needed, you can temporarily elevate your privileges to perform advanced administrative functions.
CloudOwner user
When you create a private cloud, a default user, CloudOwner@gve.local is
created in the vCenter Single Sign-On domain and given Cloud-Owner-Role
access to manage objects in the private cloud. The CloudOwner user can also
set up additional vCenter Identity Sources and other
users in the private cloud vCenter.
vCenter roles
Roles in vCenter define a set of privileges that let a user perform certain operations. When you create a private cloud, VMware Engine creates a set of roles in vCenter and assigns those roles to user groups.
Roles that have a name containing "Global" apply at the level of the
vCenter object. All other roles apply at the level of Datacenter object
on vCenter.
vCenter user groups
Deploying a private cloud creates a group called Cloud-Owner-Group. Users in
this group can administer various aspects of the vSphere environment in the
private cloud. The Cloud-Owner-Group group is automatically given
Cloud-Owner-Role privileges, and the CloudOwner user is added as a member
of this group.
VMware Engine creates additional groups with limited privileges for ease of management. You can add any user to these pre-created groups, and this process assigns the corresponding privileges to the user.
For information about granting individual user permissions or creating new user groups, see Managing vSphere permissions.
Pre-created vCenter user groups
| Group name | Purpose | Role | Scope |
|---|---|---|---|
| Cloud-Owner-Group | Administrative privileges for the private cloud vCenter | Cloud-Owner-Global-Role | vCenter object |
| Cloud-Owner-Role | Datacenter object |
||
| Cloud-Global-Cluster-Admin-Group | Administrative privileges for clusters in the private cloud vCenter | Cloud-Storage-Admin-Global-Role | vCenter object |
| Cloud-Cluster-Admin-Role | Datacenter object |
||
| Cloud-Global-Storage-Admin-Group | Management privileges for VMs in the private cloud vCenter | Cloud-Storage-Admin-Role | Datacenter object |
| Cloud-Global-Network-Admin-Group | Management privileges for networks and distributed port groups in the private cloud vCenter | Cloud-Network-Admin-Role | Datacenter object |
| Cloud-Global-VM-Admin-Group | Management privileges for VMs in the private cloud vCenter | Cloud-VM-Admin-Global-Role | vCenter object |
| Cloud-VM-Admin-Role | Datacenter object |
List of vCenter privileges for default roles
The following sections list vCenter privileges for each role in the groups created by VMware Engine.
Cloud-Owner-Global-Role
| Category | Privilege |
|---|---|
| Alarms |
Acknowledge alarm |
| Content Library |
Add library item Create local library Create subscribed library Delete library item Delete local library Delete subscribed library Download files Evict library item Evict subscribed library Import storage Probe subscription information Read storage Sync library item Sync subscribed library Type introspection Update configuration settings Update files Update library Update library item Update local library Update subscribed library View configuration settings |
| Cryptographic operations |
Manage KMS Manage encryption policies |
| Datastore |
Allocate space Browse datastore Configure datastore Low-level file operations Move datastore Remove datastore Remove file Rename datastore Update VM files Update VM metadata |
| Global |
Cancel task Diagnostics Global tag Manage custom attributes Set custom attribute |
| Host > vSphere Replication |
Manage replication |
| vSphere tagging |
Assign or unassign vSphere tag Assign or unassign vSphere tag on Object Create vSphere tag Create vSphere tag category Edit vSphere tag Edit vSphere tag category |
| Resource |
Assign VM to resource pool |
| Profile-driven storage |
Profile-driven storage update Profile-driven storage view |
| Virtual machine > Provisioning |
Customize guest Modify customization specification Read customization specifications |
Cloud-Storage-Admin-Global-Role
| Category | Privilege |
|---|---|
| Content Library |
Add library item Delete library item Update library item |
| vSphere tagging |
Assign or unassign vSphere tag on Object |
| Profile-driven storage |
Profile-driven storage view |
| Virtual machine > Provisioning |
Customize guest Modify customization specification Read customization specifications |
Cloud-VM-Admin-Global-Role
| Category | Privilege |
|---|---|
| Content Library |
Add library item Delete library item Update library item |
| vSphere tagging |
Assign or unassign vSphere tag on Object |
| Profile-driven storage |
Profile-driven storage view |
| Virtual machine > Provisioning |
Customize guest Modify customization specification Read customization specifications |
Cloud-Owner-Role
| Category | Privilege |
|---|---|
| Alarms |
Acknowledge alarm Create alarm Disable alarm action Modify alarm Remove alarm Set alarm status |
| Permissions | Modify permission |
| Content library |
Add library item Create local library Create subscribed library Delete library item Delete local library Delete subscribed library Download files Evict library item Evict subscribed library Import storage Probe subscription information Read storage Sync library item Sync subscribed library Type introspection Update configuration settings Update files Update library Update library item Update local library Update subscribed library View configuration settings |
| Cryptographic operations |
Add disk Clone Decrypt Direct access Encrypt Encrypt new Manage KMS Manage encryption policies Manage keys Migrate Recrypt Register VM Register host |
| dvPort group |
Create Delete Modify Policy operation Scope operation |
| Datastore |
Allocate space Browse datastore Configure datastore Low-level file operations Move datastore Remove datastore Remove file Rename datastore Update VM files Update VM metadata |
| ESX Agent Manager |
Config Modify View |
| Extension |
Register extension Unregister extension Update extension |
| External stats provider |
Register Unregister Update |
| Folder |
Create folder Delete folder Move folder Rename folder |
| Global |
Cancel task Capacity planning Diagnostics Disable methods Enable methods Global tag Health Licenses Log event Manage custom attributes Proxy Script action Service managers Set custom attribute System tag |
| Health update provider |
Register Unregister Update |
| Host > Inventory |
Modify cluster |
| vSphere tagging |
Assign or unassign vSphere tag Create vSphere tag Create vSphere tag category Delete vSphere tag Delete vSphere tag category Edit vSphere tag Edit vSphere tag category Modify UsedBy field for category Modify UsedBy field for tag |
| Network |
Assign network Configure Move network Remove |
| Performance |
Modify intervals |
| Host profile |
View |
| Resource |
Apply recommendation Assign vApp to resource pool Assign VM to resource pool Create resource pool Migrate powered off virtual machine Migrate powered on virtual machine Modify resource pool Move resource pool Query vMotion Remove resource pool Rename resource pool |
| Scheduled task | Create tasks
Modify task Remove task Run task |
| Sessions |
Impersonate user Message Validate session View and stop sessions |
| Datastore cluster | Configure a datastore cluster |
| Profile-driven storage |
Profile-driven storage update Profile-driven storage view |
| Storage views |
Configure service View |
| Tasks |
Create task Update task |
| Transfer service | Manage
Monitor |
| vApp |
Add VM Assign resource pool Assign vApp Clone Create Delete Export Import Move Power off Power on Rename Suspend Unregister View OVF environment vApp application configuration vApp instance configuration vApp managedBy configuration vApp resource configuration |
| VRMPolicy |
Query VRMPolicy Update VRMPolicy |
| Virtual machine > Configuration |
Add existing disk Add new disk Add or remove device Advanced Change CPU count Change resource Configure managedBy Disk change tracking Disk lease Display connection settings Extend virtual disk Host USB device Memory Modify device settings Query fault tolerance compatibility Query unowned files Raw device Reload from path Remove disk Rename Reset guest information Set annotation Settings Swapfile placement Toggle fork parent Unlock VM Upgrade VM compatibility |
| Virtual machine > Guest operations |
Guest operation alias modification Guest operation alias query Guest operation modifications Guest operation program execution Guest operation queries |
| Virtual machine > Interaction |
Answer question Backup operation on VM Configure CD media Configure floppy media Console interaction Create screenshot Defragment all disks Device connection Drag and drop Guest operating system management by VIX API Inject USB HID scan codes Pause or Unpause Perform wipe or shrink operations Power off Power on Record session on VM Replay session on VM Reset Resume fault tolerance Suspend Suspend fault tolerance Test failover Test restart secondary VM Turn off fault tolerance Turn on fault tolerance VMware tools installation |
| Virtual machine > Inventory |
Create from existing Create new Move Register Remove Unregister |
| Virtual machine > Provisioning |
Allow disk access Allow file access Allow read-only disk access Allow VM download Allow VM files upload Clone template Clone VM Create template from VM Customize Deploy template Mark as template Mark as VM Modify customization specification Promote disks Read customization specifications |
| Virtual machine > Service configuration |
Allow notifications Allow polling of global event notifications Manage service configurations Modify service configuration Query service configurations Read service configuration |
| Virtual machine > Snapshot management |
Create snapshot Remove snapshot Rename snapshot Revert to snapshot |
| Virtual machine > vSphere replication |
Configure replication Manage replication Monitor replication |
| vService |
Create dependency Destroy dependency Reconfigure dependency configuration Update dependency |
Cloud-Cluster-Admin-Role
| Category | Privilege |
|---|---|
| Datastore |
Allocate space Browse datastore Configure datastore Low-level file operations Remove datastore Rename datastore Update VM files Update VM metadata |
| Folder |
Create folder Delete folder Move folder Rename folder |
| Host > Configuration | Storage partition configuration |
| vSphere tagging |
Assign or unassign vSphere tag Create vSphere tag Create vSphere tag category Delete vSphere tag Delete vSphere tag category Edit vSphere tag Edit vSphere tag category Modify UsedBy field for category Modify UsedBy field for tag |
| Network | Assign network |
| Resource |
Apply recommendation Assign vApp to resource pool Assign VM to resource pool Create resource pool Migrate powered off VM Migrate powered on VM Modify resource pool Move resource pool Query vMotion Remove resource pool Rename resource pool |
| vApp |
Add VM Assign resource pool Assign vApp Clone Create Delete Export Import Move Power off Power on Rename Suspend Unregister View OVF environment vApp application configuration vApp instance configuration vApp managedBy configuration vApp resource configuration |
| VRMPolicy |
Query VRMPolicy Update VRMPolicy |
| Virtual machine > Configuration |
Add existing disk Add new disk Add or remove device Advanced Change CPU count Change resource Configure managedBy Disk change tracking Disk lease Display connection settings Extend virtual disk Host USB device Memory Modify device settings Query fault tolerance compatibility Query unowned files Raw device Reload from path Remove disk Rename Reset guest information Set annotation Settings Swapfile placement Toggle fork parent Unlock VM Upgrade VM compatibility |
| Virtual machine > Guest operations |
Guest operation alias modification Guest operation alias query Guest operation modifications Guest operation program execution Guest operation queries |
| Virtual machine > Interaction |
Answer question Backup operation on VM Configure CD media Configure floppy media Console interaction Create screenshot Defragment all disks Device connection Drag and drop Guest operating system management by VIX API Inject USB HID scan codes Pause or unpause Perform wipe or shrink operations Power off Power on Record session on VM Replay session on VM Reset Resume fault tolerance Suspend Suspend fault tolerance Test failover Test restart secondary VM Turn off fault tolerance Turn on fault tolerance VMware tools install |
| Virtual machine > Inventory |
Create from existing Create new Move Register Remove Unregister |
| Virtual machine > Provisioning |
Allow disk access Allow file access Allow read-only disk access Allow VM download Allow VM files upload Clone template Clone VM Create template from VM Customize Deploy template Mark as template Mark as VM Modify customization specification Promote disks Read customization specifications |
| Virtual machine > Service configuration |
Allow notifications Allow polling of global event notifications Manage service configurations Modify service configuration Query service configurations Read service configuration |
| Virtual machine > Snapshot management |
Create snapshot Remove snapshot Rename snapshot Revert to snapshot |
| Virtual machine > vSphere Replication |
Configure replication Manage replication Monitor replication |
| vService |
Create dependency Destroy dependency Reconfigure dependency configuration Update dependency |
Cloud-Storage-Admin-Role
| Category | Privilege |
|---|---|
| Datastore |
Allocate space Browse datastore Configure datastore Low-level file operations Remove datastore Rename datastore Update VM files Update VM metadata |
| Host > Configuration |
Storage partition configuration |
| Datastore cluster |
Configure a datastore cluster |
| Profile-driven storage |
Profile-driven storage update Profile-driven storage view |
| Storage views |
Configure service View |
Cloud-Network-Admin-Role
| Category | Privilege |
|---|---|
| dvPort group |
Create Delete Modify Policy operation Scope operation |
| Network |
Assign network Configure Move network Remove |
| Virtual machine > Configuration |
Modify device settings |
Cloud-VM-Admin-Role
| Category | Privilege |
|---|---|
| Datastore |
Allocate space Browse datastore |
| Network |
Assign network |
| Resource |
Assign VM to resource pool Migrate powered off VM Migrate powered on VM |
| vApp |
Export Import |
| Virtual machine > Configuration |
Add existing disk Add new disk Add or remove device Advanced Change CPU count Change resource Configure managedBy Disk change tracking Disk lease Display connection settings Extend virtual disk Host USB device Memory Modify device settings Query fault tolerance compatibility Query unowned files Raw device Reload from path Remove disk Rename Reset guest information Set annotation Settings Swapfile placement Toggle fork parent Unlock VM Upgrade VM compatibility |
| Virtual machine > Guest operations |
Guest operation alias modification Guest operation alias query Guest operation modifications Guest operation program execution Guest operation queries |
| Virtual machine > Interaction |
Answer question Backup operation on VM Configure CD media Configure floppy media Console interaction Create screenshot Defragment all disks Device connection Drag and drop Guest operating system management by VIX API Inject USB HID scan codes Pause or unpause Perform wipe or shrink operations Power off Power on Record session on VM Replay session on VM Reset Resume fault tolerance Suspend Suspend fault tolerance Test failover Test restart secondary VM Turn off fault tolerance Turn on fault tolerance VMware tools install |
| Virtual machine > Inventory |
Create from existing Create new Move Register Remove Unregister |
| Virtual machine > Provisioning |
Allow disk access Allow file access Allow read-only disk access Allow VM download Allow VM files upload Clone template Clone VM Create template from VM Customize Deploy template Mark as template Mark as VM Modify customization specification Promote disks Read customization specifications |
| Virtual machine > Service configuration |
Allow notifications Allow polling of global event notifications Manage service configurations Modify service configuration Query service configurations Read service configuration |
| Virtual machine > Snapshot management |
Create snapshot Remove snapshot Rename snapshot Revert to snapshot |
| Virtual machine > vSphere replication |
Configure replication Manage replication Monitor replication |
| vService |
Create dependency Destroy dependency Reconfigure dependency configuration Update dependency |
What's next
- Learn how to elevate private cloud privileges.
- Learn how to set up vCenter identity sources.
- Learn more about VMware on your private cloud.