Assigning Access Rights to Administrative Users
Once you have added administrative users with Commander roles, you can assign them access rights to your cloud infrastructure. Access rights:
- determine what parts of your cloud infrastructure each administrative user can access
- allow administrative users to carry out a specific set of commands on specific managed systems or datacenters
- control visibility of events, tasks and alerts
Access rights can't be assigned to a user who only has a Service Portal role.
Even when you have restricted your users' access to infrastructure elements that contain a number of sockets equal to or less than your licensed amount, Commander will see all of the sockets available for the entire managed system. If this amount is higher than the amount for which you purchased licensing, you will receive warnings about exceeding your license. These warnings appear whenever a Commander user logs into the system, but they are not shown to Service Portal users. If you have questions about your license and its enforcement, please contact firstname.lastname@example.org or your account manager directly.
The six levels of access rights that can be assigned to users with Commander roles are:
- Operator with approval
- Operator without deploy/clone (non-provisioning operator)
The following table shows all of the tasks that can be performed with each level of access rights. Remember that access rights restrict what you can see, search for and manage. For example, when performing a search, your access rights determine what search results will be returned. Some of these tasks also require a particular role.
All of these tasks require some level of access rights; tasks that don't require access rights don't appear in this table.
You can assign access rights for more than one element to the same user account. For example, if three managed systems exist, a user may be assigned Administrator rights on one datacenter, Auditor rights on a separate managed system, and Approver rights on another datacenter. Note that you can assign access rights below the managed system level only for vCenter managed systems.
A user with a Reporter Role may only be assigned an access level of Auditor.
A higher level of access rights always takes precedence over a lower level. For example, if you assigned a user Administrator access rights on a managed system and then assigned the same user Auditor access rights on a datacenter within that managed system, that user has Administrator access rights on all datacenters in that managed system.
Conversely, if you assigned a user Auditor access rights on a managed system and then assigned the same user Administrator access rights on one datacenter within that managed system, then the user has Administrator access rights on the specified datacenter and Auditor access rights on the managed system and all other datacenters in that managed system.
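The precedence rule in the two paragraphs above can be checked mechanically when reviewing assignments for over-privilege. The following Python is an added example, not Commander code or a Commander API; the rank table, the path tuples and the names `ms1`, `dc1` and `dc2` are assumptions made for illustration.

```python
# Added illustration only: not Commander code and not a Commander API.
# ASSUMPTION: ranks are constructed. The page only implies that
# Administrator outranks Auditor; other levels are left out.
RANK = {"Auditor": 1, "Administrator": 2}


def inherited(assignments, path):
    """Highest level assigned on any strict ancestor of `path`, or None."""
    levels = [assignments[path[:i]] for i in range(1, len(path))
              if path[:i] in assignments]
    return max(levels, key=RANK.__getitem__, default=None)


def effective_rights(assignments, path):
    """Level a user actually holds on `path` (element itself plus ancestors)."""
    candidates = [lvl for lvl in (inherited(assignments, path),
                                  assignments.get(path)) if lvl is not None]
    return max(candidates, key=RANK.__getitem__, default=None)


def shadowed(assignments):
    """Assignments that change nothing because an ancestor already grants
    an equal or higher level. Useful when reviewing for over-privilege."""
    out = []
    for path, level in assignments.items():
        parent = inherited(assignments, path)
        if parent is not None and RANK[parent] >= RANK[level]:
            out.append(path)
    return sorted(out)


# Constructed sample data mirroring the two cases in the text.
# Paths are (managed system, datacenter); the names are hypothetical.
CASE_HIGH_ON_PARENT = {("ms1",): "Administrator", ("ms1", "dc1"): "Auditor"}
CASE_HIGH_ON_CHILD = {("ms1",): "Auditor", ("ms1", "dc1"): "Administrator"}

if __name__ == "__main__":
    for name, case in [("parent higher", CASE_HIGH_ON_PARENT),
                       ("child higher", CASE_HIGH_ON_CHILD)]:
        for path in [("ms1",), ("ms1", "dc1"), ("ms1", "dc2")]:
            print(name, "/".join(path), effective_rights(case, path))
        print(name, "no-effect assignments:", shadowed(case))
```

A lower-level assignment reported by `shadowed` does not restrict the user on that datacenter; to narrow access, the higher assignment on the managed system has to be changed instead.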
The following example shows a user who has a Commander role of Enterprise Admin, and has these access rights on the cloud infrastructure:
- on the managed system "pv test", Auditor
- on the managed system "Embotics Public Cloud", Administrator
- on the managed system "pvscvmm2", Approver
Configuration > Identity and Access
Commander Role of Superuser
Administrator Access Rights
To assign access rights to an administrative user:
- Click the Users tab.
- On the Users page, select an administrative user from the list of users.
An administrative user has a Commander role, not a Service Portal role.
- Expand the tree as necessary and select a level of the tree (from the managed system level to the datacenter level).
- Do one of the following:
  - To assign access rights, click Assign Rights.
  - To remove access rights, click Remove Rights.
  - To change access rights, click Change Rights.