Understanding Commander Administrative Roles and Permissions

A Commander role is a set of permissions determining what tasks a user can carry out. Commander roles control what users can do in the Commander console. This topic explains Commander roles so that you can decide how to assign them to administrative users.

See Adding User and Group Accounts and Assigning Roles to learn how to assign roles to administrative users.

See also Examples of Administrative User Account Configuration.

Overview of Commander administrative roles

Commander Administrative Roles

| Commander Role | What This Role Can Do | Assign This Role To |
| --- | --- | --- |
| Superuser | The Superuser role has access to all functionality within Commander. Used primarily when Commander is first installed, the superuser role permits configuration of all of the tasks in the table below. Commander comes configured with a default superuser account. This default account has administrator access rights on all managed systems added to Commander. Any other superuser account created by the default superuser account automatically has full permissions, but you must configure access rights. | Users who need access to all the functionality of Commander plus all the permissions available for working with managed systems. |
| Enterprise Admin | The Enterprise Admin role can configure global policy, custom attributes, VM groups and user accounts. This role can also access Support resources under Help > Support. | Users who need access to the day-to-day administrative functions of Commander with the exception of those functions reserved for the superuser. |
| Auditor | The Auditor role has read-only access to Commander. | Users who require read-only access to view information about your virtual infrastructure, including reports. |
| User | The generic User role has no privileges to set or change values in Commander. | Users who carry out normal administrative or operational functions on VMs. |
| Reporter | By default, this role is not available to assign to users. To make the Reporter role available, you must set the advanced system property embotics.role.reporter.visible to true. See Advanced Configuration through System Properties for details. The Reporter role allows a new user to generate reports. This role has only read-only access to Commander and can't make any configuration changes or view sensitive configuration information. A user with a Reporter Role may only be assigned an access level of Auditor. | Users who require read-only access to view Commander Solutions pages and generate reports. The Reporter role can only be assigned to a new user. When a user is created with a Reporter role, their role can't be changed later, and they can't be assigned any other role. |

Permissions for Commander roles

The following table shows the tasks you can perform with a Commander role.

In addition to your role, access rights restrict what you can see, search for and manage. For example, while any user with a Commander role can perform a search and run a built-in report, access rights control what data is returned.

A user can have both a Commander role and a Service Portal role. The only exception is the Reporter role, which is very restrictive. The Reporter role can only be assigned to a new user. In addition, when a user is assigned the Reporter role, they can't be assigned any other role and their role can't be changed.

Available Commander Tasks

| Task | Superuser | Enterprise Admin | Auditor | User | Reporter |
| --- | --- | --- | --- | --- | --- |
| Update own account | Yes | Yes | Yes | Yes | Yes |
| View information in Commander | Yes | Yes | Yes | Yes | Yes |
| Search for information (search results are based on access rights) | Yes | Yes | Yes | Yes | Yes |
| Run, view, print and share built-in reports (report data is based on access rights) | Yes | Yes | Yes | Yes | Yes |
| View organizations | Yes | Yes | Yes | Yes | |
| Make REST calls | Yes | Yes | Yes | Yes | |
| Manage policies | Yes | Yes | | | |
| Add, edit and delete user accounts; assign roles; customize roles; view user account details | Yes | Yes | | | |
| Manage non-superuser accounts | Yes | Yes | | | |
| Manage organizations and quotas | Yes | Yes | | | |
| Configure managed systems | Yes | Yes | | | |
| Manage organizations | Yes | Yes | | | |
| Manage workflows | Yes | Yes | | | |
| Configure costing (cost models, historical costs, global costs) | Yes | Yes | | | |
| Configure custom attributes | Yes | Yes | | | |
| Configure groups (expiry, guest OS scan, maintenance, power schedule and rightsizing groups) | Yes | Yes | | | |
| Manage IP pools | Yes | Yes | | | |
| Manage network zones | Yes | Yes | | | |
| Configure default VM workload | Yes | Yes | | | |
| Configure default reserved capacity | Yes | Yes | | | |
| Manage the service catalog and forms | Yes | Yes | | | |
| Configure email notification for system events | Yes | Yes | | | |
| Manage credentials | Yes | Yes | | | |
| Manage key pairs | Yes | Yes | | | |
| Configure automated deployment destinations | Yes | Yes | | | |
| Configure VM rightsizing recommendations | Yes | Yes | | | |
| Add, edit and delete folders in the media library | Yes | Yes | | | |
| Modify linkages between Kubernetes cluster and underlying infrastructure | Yes | Yes | | | |
| Obtain support under Help > Support | Yes | Yes | | | |
| Assign access rights | Yes * | | | | |
| Configure system properties | Yes | | | | |
| Integrate third-party servers (including directory services, SMTP, SNMP and all servers under Configuration > System > Integration) | Yes | | | | |
| Configure single sign-on/Windows authentication | Yes | | | | |
| Override scheduled tasks | Yes | | | | |
| Manage datastore scans | Yes | | | | |
| Restrict service access to specific host or IP | Yes | | | | |
| Configure session timeouts and login preferences | Yes | | | | |
| Configure the Service Portal | Yes | | | | |
| Purge the database | Yes | | | | |
| Manage licensing | Yes | | | | |
| Configure provisioning options | Yes | | | | |
| Manage superuser accounts | Yes | | | | |

*An advanced system property controls whether non-superuser roles can assign access rights. Contact support@embotics.com to learn how.