Assigning Access Rights to Administrative Users

Once you have added administrative users with Commander roles, you can assign access rights to access to your cloud infrastructure. Access rights:

determine what parts of your cloud infrastructure each administrative user can access
allow administrative users to carry out a specific set of commands on specific managed systems or datacenters
control visibility of events, tasks and alerts

Access rights can't be assigned to a user who only has a Service Portal role.

Even when you have restricted your users' access to infrastructure elements that contain a number of sockets equal to or less than your licensed amount, Commander will see all of the sockets available for the entire managed system. If this amount is higher than the amount for which you purchased licensing, you will receive warnings about exceeding your license. These warnings appear whenever a Commander user logs into the system, but they are not shown to Service Portal users. If you have questions about your license and its enforcement, please contact info@embotics.com or your account manager directly.

In this topic:

Levels of access rights

The six levels of access rights that can be assigned to users with Commander roles are:

Administrator
Operator with approval
Operator
Operator without deploy/clone (non-provisioning operator)
Approver
Auditor

Allowed actions for each level of access rights

The following table shows all of the tasks that can be performed with each level of access rights. Remember that access rights restrict what you can see, search for and manage. For example, when performing a search, your access rights determine what search results will be returned. Some of these tasks also require a particular role.

All of these tasks require some level of access rights; tasks that don't require access rights don't appear in this table.

Allowed Actions for Each Level of Access Rights

Action	Administrator	Operator with Approval	Operator	Operator without Deploy/Clone	Approver	Auditor
Infrastructure & Monitoring
View all events, tasks and alerts	Yes	Yes	Yes	Yes	Yes	Yes
View cloud infrastructure elements (such as VMs and virtual services )	Yes	Yes	Yes	Yes	Yes	Yes
Cancel own tasks	Yes	Yes	Yes	Yes	Yes	Yes
Cancel the tasks of others	Yes	—	—	—	—	—
Create, edit and delete scheduled tasks	Yes	Yes	Yes	Yes	Yes	Yes
Rename infrastructure elements	Yes	—	—	—	—	—
View linkages between Kubernetes clusters and underlying infrastructure (Also requires some level of access rights on underlying managed system )	Yes	Yes	Yes	Yes	Yes	Yes
Modify linkages between Kubernetes and underlying infrastructure (Also requires some level of access rights on underlying managed system)	Yes	Yes	Yes	Yes	—	—
Reporting & Searching
Search, sort, filter, report on and export information Note: While any user with a Commander role can perform a search and run a built-in report, access rights control what data is returned.	Yes	Yes	Yes	Yes	Yes	Yes
View and filter Solutions pages Note: While any user with a Commander role can perform a search and run a built-in report, access rights control the data that's returned.	Yes	Yes	Yes	Yes	Yes	Yes
VM Connections
Open a connection to a VM	Yes	Yes	Yes	Yes	—	—
Configure managed system console credentials	Yes	—	—	—	—	—
Manage key pairs	Yes	Yes	Yes	Yes	—	—
View VM console with a screenshot	Yes	Yes	Yes	Yes	—	—
VM Management
View VM lineage	Yes	Yes	Yes	Yes	Yes	Yes
Compare VMs	Yes	Yes	Yes	Yes	—	—
Set guest OS scan group	Yes	Yes	Yes	Yes	—	—
Start, stop, reset/reboot or suspend services; edit the start order of virtual services	Yes	Yes	Yes	Yes	—	—
Manage VM snapshots	Yes	Yes	Yes	Yes	—	—
Add, edit and delete folders in media library	Yes	Yes	Yes	Yes	—	—
Upload and delete files in media library	Yes	Yes	Yes		—	—
Manage connected media	Yes	Yes	Yes	—	—	—
View guest operating system details	Yes	Yes	Yes	Yes	—	—
Quarantine a VM and remove from quarantine	Yes	Yes	—	—	—	—
Configure guest operating system scanning and scan guest operating systems	Yes	Yes	Yes	Yes	—	—
Scan datastore files	Yes	Yes	Yes	Yes	—	—
Remove VMs and vApps from inventory, manage other files on disk, delete unlinked or orphaned files from disk	Yes	Yes	Yes	Yes	—	—
Delete services from disk, including VMs, virtual services, load balancers, databases auto scaling groups and application stacks	Yes	Yes	Yes	Yes	—	—
Service Metadata
Set compliance data for services	Yes	Yes	Yes	Yes	—	—
Set approval state for services	Yes	Yes	—	—	Yes	—
Apply custom attributes	Yes	Yes	Yes	Yes	—	—
Set service ownership	Yes	Yes	Yes	Yes		—
Set End of Life and Suspect states on VMs	Yes	Yes	Yes	Yes	—	—
Set expiry group and expiry date	Yes	Yes	Yes	Yes	—	—
Set maintenance group	Yes	Yes	Yes	Yes	—	—
Managed Systems, Hosts, Datastores and Networks
Set storage tiers for datastores and datastore clusters	Yes	—	—	—	—	—
Scan datastores	Yes	Yes	Yes	Yes	—	—
Configure host credentials	Yes	—	—	—	—	—
Reconnect managed system	Yes	Yes	Yes	Yes	—	—
Remove managed system	Yes	—	—	—	—	—
Synchronize inventory	Yes	Yes	Yes	Yes	—	—
Retrieve historical events	Yes	—	—	—	—	—
Select EC2 regions for display	Yes	—		—		—
Assign zones to networks	Yes	—	—	—	—	—
Policy
View policies	Yes	Yes	Yes	Yes	Yes	Yes
Subscribe to policy alerts	Yes	Yes	Yes	Yes	Yes	Yes
Create, edit and delete policies	Yes	—	—	—	—	—
Set power schedule for existing VMs	Yes	Yes	Yes	Yes	—	—
Set power schedule for new VMs	Yes	—	—	—	—	—
Create, edit and delete Guest OS Scan task	Yes	—	—	—	—	—
Workflows
Run command workflow	Yes	—	—	—	—	—
Schedule command workflow	Yes	—	—	—	—	—
Track workflow status	Yes	Yes	Yes	Yes	Yes	Yes
Provisioning
Clone and deploy VMs and virtual services	Yes	Yes	Yes	—	—	—
Convert VMs to templates	Yes	Yes	Yes	—	—	—
Migrate VMs	Yes	Yes	Yes		—	—
Service Request Management
Make, track and comment on service requests	Yes	Yes	Yes	Yes	Yes	Yes
View requests awaiting your approval	Yes	—	—	—	—	—
Approve and reject requests	Yes	Yes	Yes		—	—
Deploy requested service or component	Yes	Yes	Yes	—	—	—
Fulfill change request	Yes	Yes	Yes	—	—	—
Link VM to service request	Yes	Yes	Yes	—	—	—
Assign service requests	Yes	Yes	Yes	—	—	—
Manually release VM or virtual service after deployment	Yes	Yes	Yes	—	—	—
Share VM	Yes	Yes	Yes	—		—
Capacity
View host and cluster capacity	Yes	—	—	—	—	—
Include VMs in and exclude VMs from capacity calculations	Yes	Yes	Yes	—	—	—
Update capacity information	Yes	—	—	—	—	—
Override default VM workload	Yes	Yes	Yes	—	—	—
Override default reserved capacity	Yes	Yes	Yes	—	—	—
Performance
View VM performance	Yes	Yes	Yes	Yes	Yes	Yes
Update VM performance	Yes	Yes	Yes	Yes	—	—
Set rightsizing group for VMs	Yes	Yes	Yes	Yes	—	—
View / search for rightsizing recommendations	Yes	Yes	Yes	Yes	Yes	Yes
Apply, ignore and exclude rightsizing recommendations	Yes	Yes	Yes	—	—	—
Manually reconfigure VM resources	Yes	Yes	Yes	—	—	—

Assigning access rights to administrative users

You can assign access rights for more than one element to the same user account. For example, if three managed systems exist, a user may be assigned Administrator rights on one datacenter, Auditor rights on a separate managed system, and Approver rights on another datacenter. Note that you can assign access rights below the managed system level only for vCenter managed systems.

A user with a Reporter Role may only be assigned an access level of Auditor.

A higher level of access rights always takes precedence over a lower level. For example, if you assigned a user Administrator access rights on a managed system and then assigned the same user Auditor access rights on a datacenter within that managed system, that user has the Administrator access rights on all datacenters.

Conversely, if you assigned a user Auditor access rights on a managed system and then assigned the same user Administrator access rights on one datacenter within that managed system, then the user has Administrator access rights on the specified datacenter and Auditor access rights on the managed system and all other datacenters in that managed system.

The following example shows a user who has a Commander role of Enterprise Admin, and has these access rights on the cloud infrastructure:

on the managed system "pv test", Auditor
on the managed system "Embotics Public Cloud", Administrator
on the managed system "pvscvmm2", Approver

Access through:

Configuration > Identity and Access

Available to:

Commander Role of Superuser

Administrator Access Rights

To assign access rights to an administrative user:

Click the Users tab.
On the Users page, select an administrative user from the list of users.
An administrative user has a Commander role, not a Service Portal role.
Expand the tree as necessary and select a level of the tree (from the managed system level to the datacenter level).
Do one of the following:

To assign access rights, click Assign Rights.
To remove access rights, click Remove Rights.
To change access rights, click Change Rights.

Scroll