This page describes how to configure user access to features, actions, and resources.
For information about how to control user access to the platform, such as how to block users or reset passwords, see Manage user access to the platform.
Define which actions a group of users can perform on the platform
Each user has a role with a group of privileges that allow access to different cloud features. To change user access to features, modify the user role and add or remove privileges.
Define which cloud locations users can deploy in
You can allow each tenant to access a set of cloud locations (including providers, public cloud regions, and datacenters). All the users of a tenant can deploy in the allowed locations.
See Configure an enterprise in a cloud location
Define which resources an administrator can manage
Each user has a scope that includes a list of enterprises and locations.
Administrators with the appropriate privileges can manage the enterprises listed in their scope.
Tenant administrator privileges may include:
Allow user to switch enterprises
List enterprises within scope
Manage enterprises
Manage users of all enterprises
Administrators with the appropriate privileges can manage the cloud locations listed in their scope, assuming that their tenant also has access to these locations.
See Create a scope
Restrict a user to a set of virtual datacenters
If the user does not have the No VDC restriction privilege, the user can have a VDC access list. This means that the user will only be able to access the VDCs on the list.
See Create a user
Create a read-only user
To create a read-only user, assign the ENTERPRISE_VIEWER role to the user.
See Create a user
Restrict user activity in a specific virtual datacenter
To allow users to perform a limited set of actions in a specific virtual datacenter, assign a role to the virtual datacenter. Users will only be able to perform the actions of the virtual datacenter role, although you can create exceptions for selected users. Users will not be able to gain access to new features from the virtual datacenter role. For example, you can create a virtual datacenter where the users have read-only access.
See Control access with VDC roles
Allow users to outsource their VMs
Administrators can create restricted virtual appliances, which means that users cannot access the VMs without the appropriate privileges. However, the VMs are still running in the user's tenant, which enables you to bill the tenant for the virtual resources.
See Move a VM to a restricted virtual appliance
Require users to get approval for all VM launch, deploy, and reconfigure actions
You can create a workflow connector for the Workflow feature, which holds deploy actions (deploy, undeploy, reconfigure) until an external system approves the changes.