VMware Aria Automation 8.16

8.18 8.17 8.16 8.14 8.13 all
Português (Brasil) 简体中文 Deutsch Español Français Italiano 日本語 한국어 Nederlands Русский 繁體中文 English

Organization and service user roles in
VMware Aria Automation

The organization and service user roles that you defined for the
Automation Assembler
,
Automation Service Broker
, and
Automation Pipelines
 services determine what the user can see and do in each service.

Organization User Roles

User roles are defined for the organization in the
VMware Aria Automation
 console by an organization owner. There are two types of roles, organization roles and service roles.
The organization roles are global and apply to all services in the organization. The organization-level roles are Organization owner or Organization Member role.
For more information about the organization roles, see Administering VMware Aria Automation
The
Automation Assembler
 service roles, which are service-specific permissions, are also assigned at the organization level in the console.

Service Roles

These service roles are assigned by the organization owner.
This article includes information about the following services.

Assembler Service Roles

The
Automation Assembler
 service roles determine what you can see and do in
Automation Assembler
. These service roles are defined in the console by an organization owner.
Automation Assembler
 Service Role Descriptions
Role
Description
Assembler Administrator
A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including add cloud accounts, create new projects, and assign a project administrator.
Assembler User
A user who does not have the Assembler Administrator role.
In an
Automation Assembler
 project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator.
Assembler Viewer
A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services.
Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does.
In addition to the service roles,
Automation Assembler
 has project roles. Any project is available in all of the services.
The project roles are defined in
Automation Assembler
 and can vary between projects.
In the following tables, which tells you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.
The descriptions of project roles will help you decide what permissions to give your users.
  • Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work.
  • Project members work within their projects to design and deploy cloud templates. Your projects can include only resources that you own or resources that are shared with other project members.
  • Project viewers are restricted to read-only access, except in a few cases where they can do non-destructive things like download cloud templates.
  • Project supervisors are approvers in
    Automation Service Broker
     for their projects where an approval policy is defined with a project supervisor approver. To provide the supervisor with context for approvals, consider also granting them the project member or viewer role.
Automation Assembler
 service roles and project roles
UI Context
Task
Assembler Administrator
Assembler Viewer
Assembler User
User must be a project administrator or member to see and do project-related tasks.
Project Administrator
Project Member
Project Viewer
Project Supervisor
Access Assembler
Console
In the Automation console, you can see and open Assembler
Yes
Yes
Yes
Yes
Yes
Yes
Infrastructure
See and open the Infrastructure tab
Yes
Yes
Yes
Yes
Yes
Yes
Administration - Projects
Create projects
Yes
Update, or delete values from project summary, provisioning, Kubernetes, integrations, and test project configurations.
Yes
Add users and groups, and assign roles in projects.
Yes
Yes. Your projects.
View projects
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Yes. Your projects
Administration - Users and Groups
View the users and groups assigned to custom roles.
Yes
Administration - Custom Roles
Create custom user roles and assign them to users and groups.
Yes
Administration - Custom Names
Create custom resource names.
Yes
Administration - Secrets
Create and delete secret reusable properties.
Yes
Administration - Settings
Turn on or off internal settings.
Yes
Configure - Cloud Zones
Create, update, or delete cloud zones
Yes
View cloud zones
Yes
Yes
View cloud zone Insights dashboard
Yes
Yes
View cloud zones alerts
Yes
Yes
Configure - Kubernetes Zones
Create, update, or delete Kubernetes zones
Yes
View Kubernetes zones
Yes
Yes
Configure - Flavors
Create, update, or delete flavors
Yes
View flavors
Yes
Yes
Configure - Image Mappings
Create, update, or delete image mappings
Yes
View image mappings
Yes
Yes
Configure - Network Profiles
Create, update, or delete network profiles
Yes
View image network profiles
Yes
Yes
Configure - Storage Profiles
Create, update, or delete storage profiles
Yes
View image storage profiles
Yes
Yes
Configure - Pricing Cards
Create, update, or delete pricing cards
Yes
View the pricing cards
Yes
Yes
Configure - Tags
Create, update, or delete tags
Yes
View tags
Yes
Yes
Resources - Compute
Add tags to discovered compute resources
Yes
View discovered compute resources
Yes
Yes
Resources - Networks
Modify network tags, IP ranges, IP addresses
Yes
View discovered network resources
Yes
Yes
Resources - Security
Add tags to discovered security groups
Yes
View discovered security groups
Yes
Yes
Resources - Storage
Add tags to discovered storage
Yes
View storage
Yes
Yes
Resources - Kubernetes
Deploy or add Kubernetes clusters, and create or add namespaces
Yes
View Kubernetes clusters and namespaces
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Activity - Requests
Delete deployment request records
Yes
View deployment request records
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Activity - Event Logs
View event logs
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Connections - Cloud Accounts
Create, update, or delete cloud accounts
Yes
View cloud accounts
Yes
Yes
Connections - Integrations
Create, update, or delete integrations
Yes
View integrations
Yes
Yes
Onboarding
Create, update, or delete onboarding plans
Yes
View onboarding plans
Yes
Yes. Your projects
Extensibility
See and open the Extensibility tab
Yes
Yes
Yes
Events
View extensibility events
Yes
Yes
Subscriptions
Create, update, or delete extensibility subscriptions
Yes
Deactivate subscriptions
Yes
View subscriptions
Yes
Yes
Library - Event topics
View event topics
Yes
Yes
Library - Actions
Create, update, or delete extensibility actions
Yes
View extensibility actions
Yes
Yes
Library - Workflows
View extensibility workflows
Yes
Yes
Activity - Action Runs
Cancel or delete extensibility action runs
Yes
View extensibility action runs
Yes
Yes
Yes. Your projects
Activity - Workflow Runs
View extensibility workflow runs
Yes
Yes
Design
Design
Open the Design tab
Yes
Yes
Yes.
Yes.
Yes.
Yes
Cloud Templates
Create, update, and delete cloud templates
Yes
Yes. Your projects
Yes. Your projects
View cloud templates
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Download cloud templates
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Upload cloud templates
Yes
Yes. Your projects
Yes. Your projects
Deploy cloud templates
Yes
Yes. Your projects
Yes. Your projects
Version and restore cloud templates
Yes
Yes. Your projects
Yes. Your projects
Release cloud templates to the catalog
Yes
Yes. Your projects
Yes. Your projects
Custom Resources
Create, update or delete custom resources
Yes
View custom resources
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Custom Actions
Create, update, or delete custom actions
Yes
View custom actions
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Resources
See and open the Resources tab
Yes
Yes
Yes
Yes
Yes
Yes
Deployments
View deployments including deployment details, deployment history, price, monitor, alerts, optimize, and troubleshooting information
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Manage alerts
Yes
Yes. Your projects
Yes. your projects
Run day 2 actions on deployments based on policies
Yes
Yes. Your projects
Yes. Your projects
Resources - All Resources
View all discovered resources
Yes
Yes
Run day 2 actions on discovered resources.
Actions available only on machines and limited to power on and off for all machines, and remote console for vSphere machines.
Yes
Resources - All Resources
View deployed, onboarded, migrated resources
Yes
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
Run Day 2 actions on deployed, onboarded, and migrated resources based on policies
Yes
Yes
Yes. Your projects.
Yes. Your projects.
Resources - Virtual Machines
View discovered machines
Yes
Yes
Run day 2 actions on discovered machines.
Actions are limited to power on and off, and remote console for vSphere machines.
Yes
Create New VM
This option is available to administrators. However, if an administrator turns on the setting, then it is available to the other users roles. To activate the option, select
Infrastructure
Administration
Settings
 and turn on
Create new resource
.
By activating the option,
Automation Service Broker
 users can create VMs based on any image and any flavor even though they are not administrators themselves. To avoid the potential overconsumption of resources, administrators can create approval policies to reject or approve any deployment requests based on the image used or the flavor or size requested.
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
View deployed, onboarded, and migrated resources.
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated resources based on policies
Yes
Yes. Your projects.
Yes. Your projects.
Resources - Volumes
View discovered volumes
Yes
Yes
No day 2 actions available
View deployed, onboarded, and migrated volumes
Yes
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated volumes based on policies
Yes
Yes. Your projects.
Yes. Your projects.
Resources - Networkin and Security
View discovered networks, load balancers, and security groups
Yes
Yes
No day 2 actions available
View deployed, onboarded, and migrated networks, load balancers, and security groups
Yes
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated networks, load balancers, and security groups based on policies
Yes
Yes. Your projects.
Yes. Your projects.
Alerts
See and open the Alerts tab
Yes
Yes
Yes
Yes
Yes
Manage alerts
Yes
Yes. Your projects
Yes. Your projects
View alerts
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects

Service Broker Service Roles

The
Automation Service Broker
 service roles determine what you can see and do in
Automation Service Broker
. These service roles are defined in the console by an organization owner.
Service Broker Service Role Descriptions
Role
Description
Service Broker Administrator
Must have read and write access to the entire user interface and API resources. This is the only user role that can perform all tasks, including creating a new project and assigning a project administrator.
Service Broker User
Any user who does not have the
Automation Service Broker
 Administrator role.
In an
Automation Service Broker
 project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator.
Service Broker Viewer
A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services.
Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does.
In addition to the service roles,
Automation Service Broker
 has project roles. Any project is available in all of the services.
The project roles are defined in
Automation Service Broker
 and can vary between projects.
In the following tables, which tells you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.
Use the following descriptions of project roles will help you as you decide what permissions to give your users.
  • Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work.
  • Project members work within their projects to design and deploy cloud templates. In the following table, Your projects can include only resources that you own or resources that are shared with other project members.
  • Project viewers are restricted to read-only access.
  • Project supervisors are approvers in
    Automation Service Broker
     for their projects where an approval policy is defined with a project supervisor approver. To provide the supervisor with context for approvals, consider also granting them the project member or viewer role.
Service Broker Service Roles and Project Roles
UI Context
Task
Service Broker Administrator
Service Broker Viewer
Service Broker User
User must be a project administrator to see and do project-related tasks.
Project Administrator
Project Member
Project Viewer
Project Supervisor
Access Service Broker
Console
In the console, you can see and open Service Broker
Yes
Yes
Yes
Yes
Yes
Yes
Infrastructure
See and open the Infrastructure tab
Yes
Yes
Administration - Projects
Create projects
Yes
Update, or delete values from project summary, provisioning, Kubernetes, integrations, and test project configurations.
Yes
Add users and groups, and assign roles in projects.
Yes
Yes. Your projects.
View projects
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Administration - Custom Roles
Create custom user roles and assign them to users and groups.
Yes
Administration - Custom Names
Create custom resource names.
Yes
Administration - Secrets
Create and delete secret reusable properties.
Yes
Administration - Settings
Turn on or off internal settings.
Yes
Administration - Users and Groups
View the users and groups assigned to custom roles.
Yes
Configure - Cloud Zones
Create, update, or delete cloud zones
Yes
View cloud zones
Yes
Yes
Configure - Kubernetes Zones
Create, update, or delete Kubernetes zones
Yes
View Kubernetes zones
Yes
Yes
Connections - Cloud Accounts
Create, update, or delete cloud accounts
Yes
View cloud accounts
Yes
Yes
Connections - Integrations
Create, update, or delete integrations
Yes
View integrations
Yes
Yes
Activity - Requests
Delete deployment request records
Yes
View deployment request records
Yes
Activity - Event Logs
View event logs
Yes
Content and Policies
See and open the Content and Policies tab
Yes
Yes
Content Sources
Create, update, or delete content sources
Yes
View content sources
Yes
Yes
Content
Customize form and configure item
Yes
View content
Yes
Yes
Policies - Definitions
Create, update, or delete policy definitions
Yes
View policy definitions
Yes
Yes
Policies - Enforcement
View enforcement log
Yes
Yes
Notifications - Email Server
Configure an email server
Yes
Consume
See and open the Consume tab
Yes
Yes
Yes
Yes
Yes
Yes
Projects
See and search projects
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Yes. Your projects
Yes. Your projects
Catalog
See and open the Catalog page
Yes
Yes
Yes
Yes
Yes
Yes
View available catalog items
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Request a catalog item
Yes
Yes. Your projects
Yes. Your projects
Deployments - Deployments
View deployments, including deployment details, deployment history, price, monitor, alerts, optimize, and troubleshooting information
Yes
Yes
Yes. Your projects
Yes. Your projects
Yes. Your projects
Manage alerts
Yes
Yes. Your projects
Yes. Your projects
Run day 2 actions on deployments based on policies
Yes
Yes. Your projects
Yes. Your projects
Deployments - Resources
View all discovered resources
Yes
Yes
Run day 2 actions on discovered resources.
Actions available only on machines and limited to power on and off for all machines, and remote console for vSphere machines.
Yes
Deployments - All Resources
View deployed, onboarded, migrated resources
Yes
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
Run Day 2 actions on deployed, onboarded, and migrated resources based on policies
Yes
Yes
Yes. Your projects.
Yes. Your projects.
Deployments - Virtual Machines
View discovered machines
Yes
Yes
Run day 2 actions on discovered machines.
Actions are limited to power on and off, and remote console for vSphere machines.
Yes
Create New VM
This option is available in
Automation Service Broker
 if your administrator activates the option. To activate the option, select
Infrastructure
Administration
Settings
.
By activating the option,
Automation Service Broker
 users can create VMs based on any image and any flavor even though they are not administrators themselves. To avoid the potential overconsumption of resources, administrators can create approval policies to reject or approve any deployment requests based on the image used or the flavor or size requested.
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
View deployed, onboarded, and migrated resources.
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated resources based on policies
Yes
Yes. Your projects.
Yes. Your projects.
Deployments - Volumes
View discovered volumes
Yes
Yes
No day 2 actions available
View deployed, onboarded, and migrated volumes
Yes
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated volumes based on policies
Yes
Yes. Your projects.
Yes. Your projects.
Deployments - Networking and Security
View discovered networks, load balancers, and security groups
Yes
Yes
No day 2 actions available
View deployed, onboarded, and migrated networks, load balancers, and security groups
Yes
Yes
Yes. Your projects.
Yes. Your projects.
Yes. Your projects.
Run day 2 actions on deployed, onboarded, and migrated networks, load balancers, and security groups based on policies
Yes
Yes. Your projects.
Yes. Your projects.
Inbox
See and open the Inbox tab
Yes
Yes
Approvals
View approval requests
Yes
Yes
Yes
Yes
Yes
Yes
Respond to approval requests
Yes
Yes. Your projects and the policy approver is Project Administrator
Only if you are a named approver
Only if you are a named approver
Yes. Your projects and the policy approver is Project Supervisor
User Input Requests
View user input requests
Yes
Yes
Yes
Yes
Respond to user input requests
Yes
Yes. Your projects and you are assigned to provide input
Only if you are assigned to provide input

Pipelines Service Roles

The
Automation Pipelines
 service roles determine what you can see and do in
Automation Pipelines
. These roles are defined in the console by the organization owner. Any project is available in all of the services.
Pipelines Service Role Descriptions
Role
Description
Pipelines Administrator
A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including create projects, integrate endpoints, add triggers, create pipelines and custom dashboards, mark endpoints and variables as restricted resources, run pipelines that use restricted resources, and request that pipelines be published in
Automation Service Broker
.
Pipelines Developer
A user who can work with pipelines, but cannot work with restricted endpoints or variables. If a pipeline includes a restricted endpoint or variable, this user must obtain approval on the pipeline task that uses the restricted endpoint or variable.
Pipelines Executor
A user who can run pipelines and approve or reject user operation tasks. This user can resume, pause, and cancel pipeline executions, but cannot modify pipelines.
Pipelines User
A user who can access
Automation Pipelines
, but does not have any other privileges in
Automation Pipelines
.
Pipelines Viewer
A user who has read access to see pipelines, endpoints, pipeline executions, and dashboards, but cannot create, update, or delete them. A user who also has the Service viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does.
In addition to the service roles,
Automation Pipelines
 has project roles. Any project is available in all the services.
The project roles are defined in
Automation Pipelines
 and can vary between projects.
In the following tables, which tell you what the different service and project roles can see and do, remember that the service administrators have full permission on all areas of the user interface.
Use the following descriptions of project roles to help you decide what permissions to give your users.
  • Project administrators leverage the infrastructure that is created by the service administrator to ensure that their project members have the resources they need for their development work. The project administrator can add members.
  • Project members who have a service role can use services.
  • Project viewers can see projects but cannot create, update, or delete them.
All actions except restricted
 means this role has permission to perform create, read, update, and delete actions on entities except for restricted variables and endpoints.
Automation Pipelines
 service role capabilities
UI Context
Capabilities
Automation Pipelines
 Administrator role
Automation Pipelines
 Developer role
Automation Pipelines
 Executor role
Automation Pipelines
 Viewer role
Automation Pipelines
 User role
Pipelines
View pipelines
Yes
Yes
Yes
Yes
Create pipelines
Yes
Yes
Run pipelines
Yes
Yes
Yes
Run pipelines that include restricted endpoints or variables
Yes
Update pipelines
Yes
Yes
Delete pipelines
Yes
Yes
Pipeline Executions
View pipeline executions
Yes
Yes
Yes
Yes
Resume, pause, and cancel pipeline executions
Yes
Yes
Yes
Resume pipelines that stop for approval on restricted resources
Yes
Custom Integrations
Create custom integrations
Yes
Yes
Read custom integrations
Yes
Yes
Yes
Yes
Update custom integrations
Yes
Yes
Endpoints
View executions
Yes
Yes
Yes
Yes
Create executions
Yes
Yes
Update executions
Yes
Yes
Delete executions
Yes
Yes
Mark resources as restricted
Mark an endpoint or variable as restricted
Yes
Dashboards
View dashboards
Yes
Yes
Yes
Yes
Create dashboards
Yes
Yes
Update dashboards
Yes
Yes
Delete dashboards
Yes
Yes

Assembler Migration Assistant Service Roles

The Migration Assistant service roles determine what you can see and do in Migration Assistant and Assembler. These service roles are defined in the console by an organization owner.
Assembler Migration Assistant Service Roles Descriptions
Role
Description
Migration Assistant Administrator
A user who has full view, update, and delete privileges in the Migration Assistant and Assembler.
This role must also have at least the Assembler Viewer role.
Migration Assistant Viewer
A user who has read access to see information but cannot create, update, or delete values in Migration Assistant or in Assembler.
This role must also have at least the Assembler Viewer role.

Orchestrator Service Roles

The
Automation Orchestrator Client
 service roles determine what you can see and do in
Automation Orchestrator Client
. These service roles are defined in the console by an organization owner.
Automation Orchestrator Service Roles Descriptions
Role
Description
Orchestrator Administrator
A user who has full view, update, and delete privileges in
Automation Orchestrator Client
. An administrator can also access the content created by specific groups.
Orchestrator Viewer
A user who has read access to see features and content, including all groups and group content, but cannot create, update, run, delete values, or export content. This is a read-only role across all projects in all the services.
Orchestrator Workflow Designer
A user who can create, run, edit, and delete their own
Automation Orchestrator Client
 content. They can add their own content to their assigned group. The workflow designer does not have access to the administration and troubleshooting features of the
Automation Orchestrator Client
.
Automation users without an assigned Orchestrator service role can still access all
Automation Orchestrator Client
 instances in the organization but have limited permissions. They can view and run their own content and respond to user interaction requests that are assigned to them.
Users without an assigned Orchestrator service role in Automation who have an assigned role in an individual
Automation Orchestrator Client
 instance can only access that
Automation Orchestrator Client
 instance.

Automation Config Service Role

The Automation Config service role determines what you can see and do in Automation. This service role is defined in the console by an organization owner.
Automation Config Service Role Description
Role
Description
Config Administrator
A user who can access the Automation Config tile on the console when the integration with Assembler is configured. To log in on the Automation Config instance, the user must have Automation Config administrator permissions that are defined in Automation Config.
The user must also have the Assembler Administrator role.
Config User
A user who does not have the Config Administrator role.
Salt Master
Config Superuser

Content feedback and comments