Architecting a vCloud Director Solution : vCloud Director Design : 7.2 Organizations : 7.2.3 Granular Role-Based Access Control
   
7.2.3 Granular Role-Based Access Control
vCloud Director 8.20 introduces the ability to create granular roles at the tenant and system level. This is important for service providers who want to differentiate which tenants have access to specific features (for example, advanced networking services). It also allows tenants to create their own roles that correspond to their team structure (for example, a network administrator role). Finally, the system administrator can create additional roles in the system context with access to only a subset of features.
A role is a set of rights that can be assigned to a user or a group. An example of a tenant right is configuring IPsec VPN; an example of a system administrator right is enabling or disabling a host.
Prior to vCloud Director 8.20, the following limitations existed:
Only global roles could be created by a system administrator in addition to a handful of predefined roles (vApp Author, Organization Administrator, and so on).
Every organization would have access to the global and predefined roles.
The organization administrator could assign the roles to organization users.
The service provider could not differentiate access to features among different tenants.
There was only one system administrator role with access to everything.
 
With vCloud Director 8.20, the following capabilities exist:
Roles are no longer global, but instead are organization specific.
Former global and predefined roles become role templates.
The service provider can create new role templates.
Role templates are used to instantiate organization specific roles.
The service provider can selectively grant rights to specific organizations.
Organization administrators can create their own organization specific roles from a subset of granted rights.
New roles can be created in the system context from a subset of the system administrator rights.
The transition from pre-8.20 role management happens during the upgrade to vCloud Director 8.20. Existing roles are converted to role templates, and each organization gets its own instantiation of roles based on those templates. The UI has changed and now includes an Organization column and filter. A new System organization is added with a default System Administrator role.
When a new organization is created, it has access to all rights that are used in role templates. The system administrator can grant additional rights to the organization with the vCloud API only:
GET /api/admin … get references to all rights in VCD instance
GET /api/admin/org/<org-id>/rights … get references to all rights in the organization
PUT /api/admin/org/<org-id>/rights … edit rights in the organization
A system administrator or an organization administrator can create new roles in the organization using the vCloud API only:
POST /admin/org/<org-id>/roles
Note: While the system administrator can edit tenant roles in the UI, editing a role that is based on a role template changes the role template itself and therefore changes that role for all organizations.
The vCloud Director 8.20 graphical user interface no longer allows creation of global roles. Only organization-specific roles can be created, and only by the system administrator. However, the legacy API (version 20.0 or earlier) can still be used to create (and edit) a global role, which in fact becomes a role template.
The system administrator can edit a role in a particular organization that is based on a role template directly in the GUI. This affects other organizations. If a right is removed, all organizations have that right removed from the role. If a right is added, the role in existing organizations does not have the new right added unless the organization already had access to the right. New organizations created after the role edit will inherit it completely.
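The following Python is an added worked example, not code from the guide or from VMware. It models the two things described above: the API workflow for reading an organization's granted rights and composing a role from a subset of them (GET /api/admin/org/<org-id>/rights followed by POST .../roles), and the propagation rule that applies when a template-based role is edited. The XML shape of the OrgRights and Role documents, the vCloud namespace, the hostname vcd.example.test and the right names and hrefs are assumptions and constructed sample data; the script runs offline and makes no API calls.

```python
"""Model vCloud Director 8.20 organization rights, role creation and
template-edit propagation. Added example; the document shapes below follow
my reading of the vCloud API schema and are assumptions, not the guide's text.
"""
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"          # assumed namespace
RIGHT_TYPE = "application/vnd.vmware.admin.right+xml"   # assumed media type

# Constructed sample: what GET /api/admin/org/<org-id>/rights might return
# for an organization that has been granted three rights.
SAMPLE_ORG_RIGHTS = """<?xml version="1.0" encoding="UTF-8"?>
<OrgRights xmlns="http://www.vmware.com/vcloud/v1.5">
  <RightReference href="https://vcd.example.test/api/admin/right/00000000-0000-0000-0000-000000000001" name="vApp: Create / Reconfigure" type="application/vnd.vmware.admin.right+xml"/>
  <RightReference href="https://vcd.example.test/api/admin/right/00000000-0000-0000-0000-000000000002" name="Organization vDC Network: View" type="application/vnd.vmware.admin.right+xml"/>
  <RightReference href="https://vcd.example.test/api/admin/right/00000000-0000-0000-0000-000000000003" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
</OrgRights>
"""


def parse_org_rights(xml_text):
    """Return {right name: href} from an OrgRights document."""
    root = ET.fromstring(xml_text)
    return {ref.get("name"): ref.get("href")
            for ref in root.iter(f"{{{VCLOUD_NS}}}RightReference")}


def check_role_subset(wanted_rights, org_rights):
    """Rights a proposed role asks for that the organization was never granted.
    An organization role must be built from a subset of the granted rights, so
    a non-empty result means the POST would be rejected (or should not be sent)."""
    return sorted(set(wanted_rights) - set(org_rights))


def build_role_body(role_name, description, wanted_rights, org_rights):
    """Compose the Role document for POST /api/admin/org/<org-id>/roles,
    refusing any right the organization has not been granted."""
    missing = check_role_subset(wanted_rights, org_rights)
    if missing:
        raise ValueError(f"rights not granted to this organization: {missing}")
    ET.register_namespace("", VCLOUD_NS)
    role = ET.Element(f"{{{VCLOUD_NS}}}Role", name=role_name)
    ET.SubElement(role, f"{{{VCLOUD_NS}}}Description").text = description
    refs = ET.SubElement(role, f"{{{VCLOUD_NS}}}RightReferences")
    for name in sorted(wanted_rights):
        ET.SubElement(refs, f"{{{VCLOUD_NS}}}RightReference",
                      href=org_rights[name], name=name, type=RIGHT_TYPE)
    return ET.tostring(role, encoding="unicode")


def propagate_template_edit(old_template, new_template, org_granted, org_roles):
    """Apply the guide's rule for editing a template-based role:
    a right removed from the template disappears from every organization's
    copy; a right added to the template only appears in organizations that
    already had access to it. Returns {org: resulting role rights}.
    A new organization created afterwards simply gets new_template."""
    removed = set(old_template) - set(new_template)
    added = set(new_template) - set(old_template)
    result = {}
    for org, role_rights in org_roles.items():
        granted = set(org_granted[org])
        result[org] = (set(role_rights) - removed) | (added & granted)
    return result


if __name__ == "__main__":
    rights = parse_org_rights(SAMPLE_ORG_RIGHTS)
    print(build_role_body("Network Administrator", "Tenant network team",
                          ["Organization vDC Network: View",
                           "Organization vDC Gateway: Configure IPSec VPN"],
                          rights))
    # Template edit: drop right "a", add right "c". Org A was granted "c",
    # org B was not, so only A's role gains it.
    print(propagate_template_edit(["a", "b"], ["b", "c"],
                                  {"A": ["a", "b", "c"], "B": ["a", "b"]},
                                  {"A": ["a", "b"], "B": ["a", "b"]}))
```

The subset check in build_role_body is the point to keep in mind when a service provider restricts features per tenant: the provider narrows the organization's rights with PUT .../rights, and any role the tenant composes afterwards is validated against that narrowed set. propagate_template_edit reproduces the asymmetry from the paragraph above, which is why editing a template-derived role from within one organization's view is effectively a system-wide change.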