Assigning Access Rights to Administrative Users

Once you have added administrative users with Commander roles, you can assign them access rights to your cloud infrastructure. Access rights:

  • determine what parts of your cloud infrastructure each administrative user can access
  • allow administrative users to carry out a specific set of commands on specific managed systems or datacenters
  • control visibility of events, tasks and alerts

Access rights can't be assigned to a user who only has a Service Portal role.

Even when you have restricted your users' access to infrastructure elements that contain a number of sockets equal to or less than your licensed amount, Commander will see all of the sockets available for the entire managed system. If this amount is higher than the amount for which you purchased licensing, you will receive warnings about exceeding your license. These warnings appear whenever a Commander user logs into the system, but they are not shown to Service Portal users. If you have questions about your license and its enforcement, please contact info@embotics.com or your account manager directly.

Levels of access rights

The six levels of access rights that can be assigned to users with Commander roles are:

  1. Administrator
  2. Operator with approval
  3. Operator
  4. Operator without deploy/clone (non-provisioning operator)
  5. Approver
  6. Auditor

Allowed actions for each level of access rights

The following table shows all of the tasks that can be performed with each level of access rights. Remember that access rights restrict what you can see, search for and manage. For example, when performing a search, your access rights determine what search results will be returned. Some of these tasks also require a particular role.

All of these tasks require some level of access rights; tasks that don't require access rights don't appear in this table.

Allowed Actions for Each Level of Access Rights

Action Administrator Operator with Approval Operator Operator without Deploy/Clone Approver Auditor

Infrastructure & Monitoring

View all events, tasks and alerts

Yes

Yes

Yes

Yes

Yes

Yes

View cloud infrastructure elements (such as VMs and virtual services)

Yes

Yes

Yes

Yes

Yes

Yes

Cancel own tasks

Yes

Yes

Yes

Yes

Yes

Yes

Cancel the tasks of others

Yes

Create, edit and delete scheduled tasks

Yes

Yes

Yes

Yes

Yes

Yes

Rename infrastructure elements

Yes

View linkages between Kubernetes clusters and underlying infrastructure

(Also requires some level of access rights on underlying managed system)

Yes

Yes

Yes

Yes

Yes

Yes

Modify linkages between Kubernetes and underlying infrastructure

(Also requires some level of access rights on underlying managed system)

Yes

Yes

Yes

Yes

Reporting & Searching

Search, sort, filter, report on and export information

Note: While any user with a Commander role can perform a search and run a built-in report, access rights control what data is returned.

Yes

Yes

Yes

Yes

Yes

Yes

View and filter Solutions pages

Note: While any user with a Commander role can perform a search and run a built-in report, access rights control the data that is returned.

Yes

Yes

Yes

Yes

Yes

Yes

VM Connections

Open a connection to a VM

Yes

Yes

Yes

Yes

Configure managed system console credentials

Yes

Manage key pairs

Yes

Yes

Yes

Yes

View VM console with a screenshot

Yes

Yes

Yes

Yes

VM Management

View VM lineage

Yes

Yes

Yes

Yes

Yes

Yes

Compare VMs

Yes

Yes

Yes

Yes

Set guest OS scan group

Yes

Yes

Yes

Yes

Start, stop, reset/reboot or suspend services; edit the start order of virtual services

Yes

Yes

Yes

Yes

Manage VM snapshots

Yes

Yes

Yes

Yes

Add, edit and delete folders in media library

Yes

Yes

Yes

Yes

Upload and delete files in media library

Yes

Yes

Yes

—

Manage connected media

Yes

Yes

Yes

View guest operating system details

Yes

Yes

Yes

Yes

Quarantine a VM and remove from quarantine

Yes

Yes

Configure guest operating system scanning and scan guest operating systems

Yes

Yes

Yes

Yes

Scan datastore files

Yes

Yes

Yes

Yes

Remove VMs and vApps from inventory, manage other files on disk, delete unlinked or orphaned files from disk

Yes

Yes

Yes

Yes

Delete services from disk, including VMs, virtual services, load balancers, databases, auto scaling groups and application stacks

Yes

Yes

Yes

Yes

Service Metadata

Set compliance data for services

Yes

Yes

Yes

Yes

Set approval state for services

Yes

Yes

Yes

Apply custom attributes

Yes

Yes

Yes

Yes

Set service ownership

Yes

Yes

Yes

Yes

—

Set End of Life and Suspect states on VMs

Yes

Yes

Yes

Yes

Set expiry group and expiry date

Yes

Yes

Yes

Yes

Set maintenance group

Yes

Yes

Yes

Yes

Managed Systems, Hosts, Datastores and Networks

Set storage tiers for datastores and datastore clusters

Yes

Scan datastores

Yes

Yes

Yes

Yes

Configure host credentials

Yes

Reconnect managed system

Yes

Yes

Yes

Yes

Remove managed system

Yes

Synchronize inventory

Yes

Yes

Yes

Yes

Retrieve historical events

Yes

Select EC2 regions for display

Yes

—

—

Assign zones to networks

Yes

Policy

View policies

Yes

Yes

Yes

Yes

Yes

Yes

Subscribe to policy alerts

Yes

Yes

Yes

Yes

Yes

Yes

Create, edit and delete policies

Yes

Set power schedule for existing VMs

Yes

Yes

Yes

Yes

Set power schedule for new VMs

Yes

Create, edit and delete Guest OS Scan task

Yes

Workflows

Run command workflow

Yes

Schedule command workflow

Yes

Track workflow status

Yes

Yes

Yes

Yes

Yes

Yes

Provisioning

Clone and deploy VMs and virtual services

Yes

Yes

Yes

Convert VMs to templates

Yes

Yes

Yes

Migrate VMs

Yes

Yes

Yes

—

Service Request Management

Make, track and comment on service requests

Yes

Yes

Yes

Yes

Yes

Yes

View requests awaiting your approval

Yes

Approve and reject requests

Yes

Yes

Yes

—

Deploy requested service or component

Yes

Yes

Yes

Fulfill change request

Yes

Yes

Yes

Link VM to service request

Yes

Yes

Yes

Assign service requests

Yes

Yes

Yes

Manually release VM or virtual service after deployment

Yes

Yes

Yes

Share VM

Yes

Yes

Yes

—

Capacity

View host and cluster capacity

Yes

Include VMs in and exclude VMs from capacity calculations

Yes

Yes

Yes

Update capacity information

Yes

Override default VM workload

Yes

Yes

Yes

Override default reserved capacity

Yes

Yes

Yes

Performance

View VM performance

Yes

Yes

Yes

Yes

Yes

Yes

Update VM performance

Yes

Yes

Yes

Yes

Set rightsizing group for VMs

Yes

Yes

Yes

Yes

View / search for rightsizing recommendations

Yes

Yes

Yes

Yes

Yes

Yes

Apply, ignore and exclude rightsizing recommendations

Yes

Yes

Yes

Manually reconfigure VM resources

Yes

Yes

Yes

Assigning access rights to administrative users

You can assign access rights for more than one element to the same user account. For example, if three managed systems exist, a user may be assigned Administrator rights on one datacenter, Auditor rights on a separate managed system, and Approver rights on another datacenter. Note that you can assign access rights below the managed system level only for vCenter managed systems.

A user with a Reporter Role may only be assigned an access level of Auditor.

A higher level of access rights always takes precedence over a lower level. For example, if you assigned a user Administrator access rights on a managed system and then assigned the same user Auditor access rights on a datacenter within that managed system, that user has Administrator access rights on all datacenters in that managed system.

Conversely, if you assigned a user Auditor access rights on a managed system and then assigned the same user Administrator access rights on one datacenter within that managed system, then the user has Administrator access rights on the specified datacenter and Auditor access rights on the managed system and all other datacenters in that managed system.
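
The precedence rule described above, modelled as an added Python example (not Commander's own code) that resolves a user's effective level on each element and flags lower-level assignments that have no restricting effect. The element names are constructed, and ranking the levels by the order of the numbered list on this page is an assumption.

```python
# Added illustration of the precedence rule; not Commander code.
# Assumption: "higher" follows the page's numbered list, Administrator first.
LEVELS = ["Administrator", "Operator with approval", "Operator",
          "Operator without deploy/clone", "Approver", "Auditor"]
RANK = {name: len(LEVELS) - i for i, name in enumerate(LEVELS)}

# Constructed inventory: element -> containing element (None = managed system).
PARENT = {"vcenter-a": None, "dc-east": "vcenter-a", "dc-west": "vcenter-a"}


def ancestors(element):
    """Yield the element, then each container above it up to the managed system."""
    while element is not None:
        yield element
        element = PARENT[element]


def effective_level(assignments, element):
    """Highest level assigned on the element or on anything above it, else None."""
    found = [assignments[e] for e in ancestors(element) if e in assignments]
    return max(found, key=RANK.__getitem__) if found else None


def shadowed_assignments(assignments):
    """Assignments that restrict nothing because a container grants a higher level."""
    result = []
    for element, level in assignments.items():
        eff = effective_level(assignments, element)
        if RANK[eff] > RANK[level]:
            result.append((element, level, eff))
    return result


# First case in the text: Administrator on the managed system, Auditor on one datacenter.
case1 = {"vcenter-a": "Administrator", "dc-east": "Auditor"}
# Second case in the text: Auditor on the managed system, Administrator on one datacenter.
case2 = {"vcenter-a": "Auditor", "dc-east": "Administrator"}

if __name__ == "__main__":
    for name, case in (("case1", case1), ("case2", case2)):
        for element in PARENT:
            print(name, element, effective_level(case, element))
        print(name, "shadowed:", shadowed_assignments(case))
```

An entry returned by `shadowed_assignments` marks a place where a reviewer might read a datacenter-level assignment as a restriction when the user actually holds the higher level inherited from the managed system.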

The following example shows a user who has a Commander role of Enterprise Admin, and has these access rights on the cloud infrastructure:

  • on the managed system "pv test", Auditor
  • on the managed system "Embotics Public Cloud", Administrator
  • on the managed system "pvscvmm2", Approver

User Access Rights

Access through:

Configuration menu > Membership > Users tab

Available to:

Commander Role of Superuser

Administrator Access Rights

To assign access rights to an administrative user:

  1. On the Users page, select an administrative user from the list of users.

    An administrative user has a Commander role, not a Service Portal role.

  2. Expand the tree as necessary and select a level of the tree (from the managed system level to the datacenter level).
  3. Do one of the following:
    • To assign access rights, click Assign Rights.
    • To remove access rights, click Remove Rights.
    • To change access rights, click Change Rights.