2.3.1 About Users, Groups, Roles, and Rights
A user is a member of a single Organization or is a provider user. Users are assigned a role, and a role is assigned a set of rights. Users can be local users (only stored in the Oracle database) or LDAPv3 users imported into the database. Users can also be members of one or more groups imported from an LDAPv3 directory, potentially assigning an additional role for each group of which they are a member.
No unauthenticated user is allowed to access any vCloud Director for Service Providers functionality, whether the access is through the vCloud API or the Web UI. Thus, all individuals that you want to access vCloud Director for Service Providers must be imported from LDAP, be members of LDAP groups you import into the system, or be managed by an Identity Provider (IdP). Each user authenticates using a user name and password. No other authentication methods are supported in this release of vCloud Director for Service Providers. It may be possible to proxy or layer a stronger authentication method in front of the vCloud API and the Web UI, but these configurations have not been tested by VMware and are not supported.
Groups are not created in vCloud Director for Service Providers. Instead, they are imported from the LDAPv3 directory associated with the system (provider) level or Organization. Groups allow users to authenticate to VMware vCloud Director for Service Providers without the need to create users in the database or manually import them from the Directory (LDAPv3) server. Instead, users can log in if they are a member of a group already imported from the Directory (LDAPv3) server. A user that is a member of multiple groups is assigned all the roles assigned to those groups.
Roles are groupings of rights that provide capabilities for the user assigned that role. The predefined roles are described in the “Roles and Rights” chapter of the VMware vCloud Director Administrator’s Guide. The administrator’s guide identifies which rights are assigned to each role to help you choose the appropriate role for each type of user.
For example, the vApp User role might be appropriate for an administrator who needs to power virtual machines on and off, but if that administrator also needs to edit the amount of memory assigned to a virtual machine, vApp Author would be a more appropriate role. These predefined roles might not have exactly the sets of rights relevant to your customers’ organizations, so you also have the ability to create custom roles. A description of which specific rights can be combined to create a useful custom role is outside the scope of this document.
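The entitlement resolution described in this section, modeled as an added Python example (not product code): a user's effective rights are the union of the rights of the role assigned directly to the user and the roles assigned to every imported LDAP group the user belongs to, and an unauthenticated user receives no rights at all. The role names, right identifiers and group DNs below are constructed for illustration; the real assignments are in the Administrator's Guide.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed catalogue of roles and rights (illustrative identifiers only).
ROLE_RIGHTS = {
    "vApp User":   {"vapp.view", "vapp.power_on_off"},
    "vApp Author": {"vapp.view", "vapp.power_on_off", "vapp.edit_vm_memory"},
    "Console Access Only": {"vapp.view", "vapp.console"},
}

# Imported LDAP groups, each carrying the role assigned to that group (constructed DNs).
GROUP_ROLES = {
    "cn=vm-operators,ou=groups,dc=example,dc=com": "vApp User",
    "cn=vapp-authors,ou=groups,dc=example,dc=com": "vApp Author",
}


@dataclass(frozen=True)
class User:
    name: str
    org: str                                  # exactly one Organization (or the provider)
    role: Optional[str] = None                # role assigned directly to the user, if any
    groups: frozenset = frozenset()           # imported LDAP groups the user is a member of
    authenticated: bool = False               # user name / password login succeeded


def rights_by_source(user: User) -> Dict[str, Set[str]]:
    """Map each effective right to the direct role or group memberships granting it.

    Membership in several groups yields the union of all those groups' roles,
    so this view shows which membership widened the user's rights."""
    if not user.authenticated:
        return {}                             # no unauthenticated access, API or Web UI
    grants = [(user.role, f"role:{user.role}")] if user.role else []
    grants += [(GROUP_ROLES[g], f"group:{g}") for g in user.groups if g in GROUP_ROLES]
    sources: Dict[str, Set[str]] = {}
    for role, origin in grants:
        for right in ROLE_RIGHTS.get(role, set()):
            sources.setdefault(right, set()).add(origin)
    return sources


def effective_rights(user: User) -> Set[str]:
    return set(rights_by_source(user))


def has_right(user: User, right: str) -> bool:
    return right in rights_by_source(user)
```

`rights_by_source` is the view to use when reviewing least privilege: it shows whether a right such as editing VM memory comes from the user's own role or only from an imported group membership.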