[VMC] Creating custom roles in VMC on AWS SDDCs

Article ID: 393071

Updated On:

Products

VMware Cloud on AWS

Issue/Introduction

Guidance on creating custom roles in a VMC on AWS SDDC.

Environment

VMC on AWS

Cause

  • The "cloudadmin@vmc.local" account and cloudadmin role have the necessary administrative privileges to create and manage workloads.
  • Additional users accessing the VMC on AWS SDDC may not require all the privileges associated with the cloudadmin role.
  • While creating custom roles in VMC on AWS follows the standard vCenter process, there are some limitations.
  • Creation of additional local user accounts is not supported in VMC on AWS SDDCs: [VMC on AWS] Unable to add additional local users

Resolution

To create a custom role for a VMC on AWS SDDC, follow the standard vCenter process: vCenter Server System Roles

  • It is recommended to clone the cloudadmin role during creation instead of creating a completely new role.
  • Remove the privileges that are not required for the custom role after creation.
  • When modifying a custom role cloned from cloudadmin, do not add additional privileges as this will make the custom role unusable.
  • If creating a completely new role, do not add privileges that are not applied to the default cloudadmin role, as this will also make the custom role unusable.
  • If a custom role has been created but cannot be assigned, modified, or deleted, please follow this process to have the custom role fixed: [VMC on AWS] "Not enough privileges to execute this action" when using a custom role
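
The clone-then-remove approach above, sketched in PowerCLI as an added example (not part of the original article or VMware's own tooling). It assumes an existing Connect-VIServer session to the SDDC vCenter and that the role is exposed under the name CloudAdmin; the custom role name and the privilege IDs chosen for removal are hypothetical.

```powershell
# Added example. Assumes: Connect-VIServer has already been run against the SDDC vCenter.
$baseRoleName   = 'CloudAdmin'            # the role this article calls cloudadmin (assumed name)
$customRoleName = 'Workload-Operator'     # hypothetical custom role name
$removeIds      = @(                      # sample privilege IDs to drop; choose your own
    'VirtualMachine.Inventory.Delete',
    'Datastore.DeleteFile'
)

$base = Get-VIRole -Name $baseRoleName -ErrorAction Stop

# Clone: create the new role with exactly the privileges the base role holds.
$custom = New-VIRole -Name $customRoleName -Privilege (Get-VIPrivilege -Role $base)

# Only ever remove. Filter against what the clone actually holds so that
# Set-VIRole is never handed a privilege the role does not have.
$toRemove = Get-VIPrivilege -Role $custom | Where-Object { $removeIds -contains $_.Id }
if ($toRemove) {
    $custom = Set-VIRole -Role $custom -RemovePrivilege $toRemove
}

# Guard: every privilege on the custom role must also be on the base role.
# Anything listed here is what the article warns makes the role unusable.
$extra = $custom.PrivilegeList | Where-Object { $base.PrivilegeList -notcontains $_ }
if ($extra) {
    Write-Warning "Role '$customRoleName' has privileges outside ${baseRoleName}: $($extra -join ', ')"
} else {
    Write-Output "Role '$customRoleName' holds $($custom.PrivilegeList.Count) privileges, all within $baseRoleName."
}
```

The final guard can be rerun on its own against any existing custom role after a change, to confirm that its privilege list is still a subset of the base role's before it is assigned.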

Additional Information