Understanding Commander Administrative Roles and Permissions

A Commander role is a set of permissions determining what tasks a user can carry out. Commander roles control what users can do in the Commander console. This topic explains Commander roles so that you can decide how to assign them to administrative users.

See Adding User and Group Accounts and Assigning Roles to learn how to assign roles to administrative users.

Overview of Commander administrative roles

Commander Administrative Roles

Commander Role	What This Role Can Do	Assign This Role To
Superuser	The Superuser role has access to all functionality within Commander. Used primarily when Commander is first installed, the superuser role permits configuration of all of the tasks in the table below. Commander comes configured with a default superuser account. This default account has administrator access rights on all managed systems added to Commander. Any other superuser account created by the default superuser account automatically has full permissions, but you must configure access rights.	Users who need access to all the functionality of Commander plus all the permissions available for working with managed systems.
Enterprise Admin	The Enterprise Admin role can configure global policy, custom attributes, VM groups and user accounts. This role can also access Support resources under Help > Support.	Users who need access to the day-to-day administrative functions of Commander with the exception of those functions reserved for the superuser.
Auditor	The Auditor role has read-only access to Commander.	Users who require read-only access to view information about your virtual infrastructure, including reports.
User	The generic User role has no privileges to set or change values in Commander.	Users who carry out normal administrative or operational functions on VMs.
Reporter By default, this role is not available to assign to users. To make the Reporter role available, you must set the advanced system property `embotics.role.reporter.visible` to `true`. See Advanced Configuration through System Properties for details.	The Reporter role allows a new user to generate reports. This role has only read-only access to Commander and can't make any configuration changes or view sensitive configuration information. A user with a Reporter Role may only be assigned an access level of Auditor. Reporter role users can't access... Configuration menu Recommendations Service Requests page Workflow pages Storage view Organization information — information for other organizations is not accessible, and organization filters aren't available in reports. Reports that are not available include: Activity Service Fulfillment VM Comparative Economics	Users who require read-only access to view Commander Solutions pages and generate reports. The Reporter role can only be assigned to a new user. When a user is created with a Reporter role, their role can't be changed later, and they can't be assigned any other role.

Permissions for Commander roles

The following table shows the tasks you can perform with a Commander role.

In addition to your role, access rights restrict what you can see, search for and manage. For example, while any user with a Commander role can perform a search and run a built-in report, access rights control what data is returned.

A user can have both a Commander role and a Service Portal role. The only exception is the Reporter role, which is very restrictive. The Reporter role can only be assigned to a new user. In addition, when a user is assigned the Reporter role, they can't be assigned any other role and their role can't be changed.

Available Commander Tasks

Task	Superuser	Enterprise Admin	Auditor	User	Reporter
Update own account	Yes	Yes	Yes	Yes	Yes
View information in Commander	Yes	Yes	Yes	Yes	Yes
Search for information (search results are based on access rights)	Yes	Yes	Yes	Yes	Yes
Run, view, print and share built-in reports (report data is based on access rights)	Yes	Yes	Yes	Yes	Yes
View organizations	Yes	Yes	Yes	Yes	—
Make REST calls	Yes	Yes	Yes	Yes	—
Manage policies	Yes	Yes	—	—	—
Add, edit and delete user accounts; assign roles; customize roles; view user account details	Yes	Yes	—	—	—
Manage non-superuser accounts	Yes	Yes	—	—	—
Manage organizations and quotas	Yes	Yes	—	—	—
Configure managed systems	Yes	Yes	—	—	—
Manage organizations	Yes	Yes	—	—	—
Manage workflows	Yes	Yes	—	—	—
Configure costing (cost models, historical costs, global costs)	Yes	Yes	—	—	—
Configure custom attributes	Yes	Yes	—	—	—
Configure groups (expiry, guest OS scan, maintenance, power schedule and rightsizing groups)	Yes	Yes	—	—	—
Manage IP pools	Yes	Yes	—	—	—
Manage network zones	Yes	Yes	—	—	—
Configure default VM workload	Yes	Yes	—	—	—
Configure default reserved capacity	Yes	Yes	—	—	—
Manage the service catalog and forms	Yes	Yes	—	—	—
Configure email notification for system events	Yes	Yes	—	—	—
Manage credentials	Yes	Yes	—	—	—
Manage key pairs	Yes	Yes	—	—	—
Configure automated deployment destinations	Yes	Yes	—	—	—
Configure VM rightsizing recommendations	Yes	Yes	—	—	—
Add, edit and delete folders in the media library	Yes	Yes	—	—	—
Modify linkages between Kubernetes cluster and underlying infrastructure	Yes	Yes	—	—	—
Obtain support under Help > Support	Yes	Yes	—	—	—
Assign access rights	Yes *An advanced system property controls whether non-superuser roles can assign access rights. Contact support@embotics.com to learn how.	—	—	—	—
Configure system properties	Yes	—	—	—	—
Integrate third-party servers (including directory services, SMTP, SNMP and all servers under Configuration > System > Integration)	Yes	—	—	—	—
Configure single sign-on/Windows authentication	Yes	—	—	—	—
Override scheduled tasks	Yes	—	—	—	—
Manage datastore scans	Yes	—	—	—	—
Restrict service access to specific host or IP	Yes	—	—	—	—
Configure session timeouts and login preferences	Yes	—	—	—	—
Configure the Service Portal	Yes	—	—	—	—
Purge the database	Yes	—	—	—	—
Manage licensing	Yes	—	—	—	—
Configure provisioning options	Yes	—	—	—	—
Manage superuser accounts	Yes	—	—	—	—