Best Practices - TMC Access Control

Article ID: 316843


Products

Tanzu Mission Control

Issue/Introduction

This article helps you set up access controls in the VMware Cloud Services console and access policies in Tanzu Mission Control so that the two work together.

Symptoms:
Organization-level access controls in VMware Cloud Services and VMware Tanzu Mission Control access policies are not aligned with each other or not integrated.

Resolution

In VMware Cloud Services, add users and groups that follow your organization's governance model. The purpose is to define access control more precisely and to improve overall security. The best practice is to organize users into groups and to grant access to resources at the group level, so that which users can reach which resources is decided by group membership rather than by per-user grants. In the VMware Cloud Services console, navigate to the Identity & Access Management section; its Active Users and Groups sub-sections are where users and groups are managed. The content below gives guidance on each part.

Roles in VMware Cloud Services

For services in the VMware Cloud Services platform, the organization provides two roles: owner and member. As an organization owner, you can set the roles of the members of your organization at both the organization level and the service level. For the Tanzu Mission Control service, there are two service roles:

  • Service Member

    This role provides typical service usage permissions for most members of your organization.

  • Service Admin

    This role provides additional permissions for administrators of the service in your organization.

As an organization owner, you can also invite additional members to your organization, and specify the organization and service roles in the invitations that you send out. For information about assigning roles in VMware Cloud Services and inviting users to join your organization, see Identity & Access Management in the Using VMware Cloud documentation.

Best Practices for Assigning Roles

When assigning roles, consider the following best practice guidelines.

  • Use groups in role bindings rather than individual identities, so that access is granted and revoked by managing group membership in one place.

  • Assign only the roles that grant the permissions members need to perform their function within the organization (least privilege).

  • Use the .admin role judiciously and sparingly. The .admin role grants full root access to all of the resources and policies of an object and, recursively, to all of its child objects, both within Tanzu Mission Control and directly in the cluster. Bind it as low in the hierarchy as the task allows, because a binding on an organization or cluster group reaches every cluster beneath it.

Roles in Tanzu Mission Control

Tanzu Mission Control controls access to managed clusters through access policies that you define. Access policies control the permissions granted to the Tanzu Mission Control users in your organization. Each object in your organizational hierarchy has an access policy in which you specify permissions using role bindings; each role binding associates a role with an identity (a user or a group).

See the Tanzu Mission Control documentation for details.

Tanzu Mission Control supports the following roles:

  • .admin - Grants full root-level access to the object, including permission to see and edit its policies.
  • .edit - Grants permission to edit the object, and to create and delete child objects.
  • .view - Grants permission to see the object, its resources and its child objects.
  • .credential.admin - Grants permission to create and edit connections to cloud provider accounts.
  • .credential.view - Grants permission to see and use connections to cloud provider accounts.

Access Control

Use access policies to implement role-based access control (RBAC) for the users and resources in your organization.

For a manageable security posture, VMware Tanzu Mission Control lets you secure the resources in your organization with access policies that govern which users and groups can see and edit them. This section discusses access policies; see Users and Groups for more information about combining users into manageable groups.
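As an added illustration (this is not Tanzu Mission Control code and does not describe its internals), the Python model below shows how role bindings on an organization, its cluster groups and its clusters combine for a given user, why binding roles to groups rather than to individuals makes revocation a one-place change, and how an audit can flag the two patterns the guidelines above warn against. The object hierarchy, the users and groups, the permission sets behind each role, and the assumption that every binding is inherited by child objects (the article states this for .admin) are all constructed for the example.

```python
# Illustrative model of hierarchical role bindings. Not Tanzu Mission Control code;
# the hierarchy, identities, groups and permission sets below are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Assumed permission sets, derived from the role descriptions in this article.
ROLE_PERMISSIONS = {
    ".view": {"view"},
    ".edit": {"view", "edit", "create-child", "delete-child"},
    ".admin": {"view", "edit", "create-child", "delete-child", "view-policy", "edit-policy"},
    ".credential.view": {"credential.view", "credential.use"},
    ".credential.admin": {"credential.view", "credential.use", "credential.create", "credential.edit"},
}


@dataclass
class Obj:
    """A node in the organizational hierarchy (organization, cluster group, cluster, ...)."""
    kind: str
    name: str
    parent: Optional["Obj"] = None
    bindings: list = field(default_factory=list)   # access policy: (role, identity, is_group)
    children: list = field(default_factory=list)

    def child(self, kind, name):
        c = Obj(kind, name, parent=self)
        self.children.append(c)
        return c

    def bind(self, role, identity, is_group=True):
        self.bindings.append((role, identity, is_group))
        return self

    def ancestors(self):
        """The object itself, then its parent, grandparent, ... up to the organization."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def identities_for(user, groups):
    """A user matches bindings for their own name and for every group they belong to."""
    return {user} | {g for g, members in groups.items() if user in members}


def effective_roles(user, obj, groups):
    """Roles granted on obj by its own policy plus, by inheritance, every ancestor's policy
    (assumption: all bindings are inherited downward, as the article states for .admin)."""
    ids = identities_for(user, groups)
    return {role for node in obj.ancestors() for role, ident, _ in node.bindings if ident in ids}


def has_permission(user, obj, perm, groups):
    return any(perm in ROLE_PERMISSIONS[r] for r in effective_roles(user, obj, groups))


def audit_bindings(root):
    """Flag bindings that violate the guidelines: individual identities instead of groups,
    and .admin bound high in the hierarchy, where every descendant inherits it."""
    findings, stack = [], [root]
    while stack:
        node = stack.pop()
        for role, ident, is_group in node.bindings:
            if not is_group:
                findings.append(f"{node.kind}/{node.name}: {role} bound to individual '{ident}'; use a group")
            if role == ".admin" and node.kind in ("organization", "clustergroup"):
                findings.append(f"{node.kind}/{node.name}: .admin on a {node.kind} is inherited by all children")
        stack.extend(node.children)
    return findings


def build_example():
    """Constructed hierarchy: one organization, two cluster groups, one cluster."""
    groups = {"platform-admins": {"alice"}, "app-devs": {"bob", "carol"}}
    org = Obj("organization", "acme").bind(".admin", "platform-admins")
    prod = org.child("clustergroup", "prod")
    dev = org.child("clustergroup", "dev").bind(".edit", "app-devs")
    prod_east = prod.child("cluster", "prod-east").bind(".view", "app-devs")
    prod_east.bind(".admin", "dave", is_group=False)   # the pattern the guidelines warn against
    return org, dev, prod_east, groups


if __name__ == "__main__":
    org, dev, prod_east, groups = build_example()
    print("alice edits policy on prod-east:", has_permission("alice", prod_east, "edit-policy", groups))
    print("bob edits prod-east:", has_permission("bob", prod_east, "edit", groups))
    groups["app-devs"].discard("bob")   # one change revokes bob everywhere app-devs is bound
    print("bob views prod-east after removal:", has_permission("bob", prod_east, "view", groups))
    for f in audit_bindings(org):
        print("finding:", f)
```

The model makes two points concrete. First, alice never appears in any cluster-level binding, yet she can edit the policy of prod-east because the .admin binding on the organization is inherited all the way down; that is why the guidelines say to use .admin sparingly. Second, removing bob from the app-devs group revokes his .edit on the dev cluster group and his .view on prod-east at once, whereas the direct binding for dave on prod-east has to be found and removed by hand, which is what the audit flags.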


Additional Information

Impact/Risks:
Modifying access control changes users' permissions and access to the following:
  • cluster groups
  • clusters
  • workspaces
  • namespaces
  • ability to log in
  • privileges
  • resource groups

Policies let you define a set of rules that govern your organization and all of the objects it contains.