[VMC on AWS] How to use 'Containerized Permissions'
search cancel

[VMC on AWS] How to use 'Containerized Permissions'


Article ID: 312506


Updated On:


VMware Cloud on AWS


To provide the steps to create and apply custom roles in VMware Cloud on AWS.

Creating a custom role for VMware Cloud on AWS once 'Containerized Permissions' has been enabled.


To create a custom role, follow the below process:
  1. Log in to the VMware Cloud on AWS vCenter using '[email protected]' or a user with the CloudAdmin role.
  2. Navigate to the "Roles" section. (Menu -> Administration -> Access Control -> Roles)
  3. Select the role that needs to be cloned and click the "Clone role action" icon. For example, an administrator can clone the "CloudAdmin" role and remove privileges as needed. Note: Do not clone the "Administrator" role. This role cannot be used and the custom role created cannot be deleted by '[email protected]'
  4. Type the name needed for the cloned role.
  5. Add or remove privileges for the role. Once done, click "OK"
  6. The clone role should now be visible in the "Roles" list.
To use the newly created custom role, follow the below process:
  1. Navigate to the object that requires the added permission. For example, to apply the permission to a folder, navigate to "Menu -> VMs and Templates -> FolderName"
  2. Right click the object and select "Add Permission"
  3. In the "Add Permission" window, select the Identity Source in the "User" drop-down where the group or user can be found.
  4. Search for the user or group after selecting the Identity Source under the "User" section. If the user or group cannot be found, please verify the Identity Source is correct.
  5. Select the role that will be applied for the user or group.
  6. Check the "Propagate to children" if needed.
  7. Click "OK".
  8. The newly added permission will now show in the "Permissions" section for the object.

Additional Information

This is for VMware Cloud on AWS SDDCs that are at version 1.7 or newer.