Understanding Commander Roles and Permissions
A Commander role is a set of permissions determining what tasks a user can carry out. Commander roles control what users can do in the Commander console. This topic explains Commander roles so that you can decide how to assign them to administrative users.
See Adding User and Group Accounts and Assigning Roles to learn how to assign roles to administrative users.
See also Examples of Administrative User Account Configuration.
Overview of Commander roles
Role |
What the Role Can Do |
Assign To |
---|---|---|
Superuser |
The Superuser role has access to all functionality within Commander. Used primarily when Commander is first installed, the superuser role permits configuration of all of the tasks in the table below. Commander comes configured with a default superuser account. This default account has administrator access rights on all cloud accounts added to Commander. Any other superuser account created by the default superuser account automatically has full permissions, but you must configure access rights. |
Users who need access to all the functionality of Commander plus all the permissions available for working with cloud accounts. |
Enterprise Admin |
The Enterprise Admin role can configure global policy, custom attributes, VM groups and user accounts. This role can also access Support resources under Help > Support. |
Users who need access to the day-to-day administrative functions of Commander with the exception of those functions reserved for the superuser. |
Auditor |
The Auditor role has read-only access to Commander. |
Users who require read-only access to view information about your virtual infrastructure, including reports. |
User |
The generic User role has no privileges to set or change values in Commander. |
Users who carry out normal administrative or operational functions on VMs. |
Reporter |
The Reporter role allows a new user to generate reports. This role has only read-only access to Commander and can't make any configuration changes or view sensitive configuration information. A user with a Reporter Role may only be assigned an access level of Auditor. ![]()
|
Users who require read-only access to view Commander Solutions pages and generate reports. The Reporter role can only be assigned to a new user. When a user is created with a Reporter role, their role can't be changed later, and they can't be assigned any other role. Note: By default, this role isn't available to assign to users. To make the Reporter role available, you must set the advanced system property |
Permissions for Commander roles
The following table shows the tasks you can perform with a Commander role.
In addition to your role, access rights restrict what you can see, search for and manage. For example, while any user with a Commander role can perform a search and run a built-in report, access rights control what data is returned.
Note: A user can have both a Commander role and a Service Portal role. The only exception is the Reporter role, which is very restrictive. The Reporter role can only be assigned to a new user. In addition, when a user is assigned the Reporter role, they can't be assigned any other role and their role can't be changed.
Commander Tasks |
Superuser |
Enterprise Admin |
Auditor |
User |
Reporter |
---|---|---|---|---|---|
Update own account |
Yes |
Yes |
Yes |
Yes |
Yes |
View information in Commander |
Yes |
Yes |
Yes |
Yes |
Yes |
Search for information (search results are based on access rights) |
Yes |
Yes |
Yes |
Yes |
Yes |
Run, view, print, and share built-in reports (report data is based on access rights) |
Yes |
Yes |
Yes |
Yes |
Yes |
View organizations |
Yes |
Yes |
Yes |
Yes |
— |
Make REST calls |
Yes |
Yes |
Yes |
Yes |
— |
Manage policies |
Yes |
Yes |
— |
— |
— |
Add, edit, and delete user accounts; assign roles; customize roles; view user account details |
Yes |
Yes |
— |
— |
— |
Manage non-superuser accounts |
Yes |
Yes |
— |
— |
— |
Manage organizations and quotas |
Yes |
Yes |
— |
— |
— |
Configure cloud accounts |
Yes |
Yes |
— |
— |
— |
Manage organizations |
Yes |
Yes |
— |
— |
— |
Manage workflows |
Yes |
Yes |
— |
— |
— |
Configure costing (cost models, historical costs, global costs) |
Yes |
Yes |
— |
— |
— |
Configure custom attributes |
Yes |
Yes |
— |
— |
— |
Configure groups (expiry, maintenance, power schedule, and rightsizing groups) |
Yes |
Yes |
— |
— |
— |
Manage IP pools |
Yes |
Yes |
— |
— |
— |
Manage network zones |
Yes |
Yes |
— |
— |
— |
Configure default VM workload |
Yes |
Yes |
— |
— |
— |
Configure default reserved capacity |
Yes |
Yes |
— |
— |
— |
Manage the service catalog and forms |
Yes |
Yes |
— |
— |
— |
Configure email notification for system events |
Yes |
Yes |
— |
— |
— |
Manage credentials |
Yes |
Yes |
— |
— |
— |
Manage key pairs |
Yes |
Yes |
— |
— |
— |
Configure automated deployment destinations |
Yes |
Yes |
— |
— |
— |
Configure VM rightsizing recommendations |
Yes |
Yes |
— |
— |
— |
Add, edit and delete folders in the media library |
Yes |
Yes |
— |
— |
— |
Modify linkages between Kubernetes cluster and underlying infrastructure |
Yes |
Yes |
— |
— |
— |
Obtain support under Help > Support |
Yes |
Yes |
— |
— |
— |
Assign access rights |
Yes *An advanced system property controls whether non-superuser roles can assign access rights. |
— |
— |
— |
— |
Configure system properties |
Yes |
— |
— |
— |
— |
Integrate third-party servers (including directory services, SMTP, SNMP and all servers under Configuration > System > Integration) |
Yes |
— |
— |
— |
— |
Configure single sign-on/Windows authentication |
Yes |
— |
— |
— |
— |
Override scheduled tasks |
Yes |
— |
— |
— |
— |
Manage datastore scans |
Yes |
— |
— |
— |
— |
Restrict service access to specific host or IP |
Yes |
— |
— |
— |
— |
Configure session timeouts and sign in preferences |
Yes |
— |
— |
— |
— |
Configure the Service Portal |
Yes |
— |
— |
— |
— |
Purge the database |
Yes |
— |
— |
— |
— |
Manage licensing |
Yes |
— |
— |
— |
— |
Configure provisioning options |
Yes |
— |
— |
— |
— |
Manage superuser accounts |
Yes |
— |
— |
— |
— |