Assign Access Rights to Administrative Users
After you have added administrative users with Commander roles, assign access rights to your cloud infrastructure. You can assign access rights to:
- Restrict which parts of your cloud infrastructure each administrative user can access.
- Allow administrative users to carry out a specific set of commands on specific cloud accounts or datacenters.
- Control visibility of events, tasks, and alerts.
Access rights can't be assigned to a user who only has a Service Portal role.
Even when you have restricted your users' access to infrastructure elements that contain a number of sockets equal to or less than your licensed amount, Commander will see all of the sockets available for the entire cloud account. If this amount is higher than the amount for which you purchased licensing, you will receive warnings about exceeding your license. These warnings appear whenever a Commander user logs into the system, but they are not shown to Service Portal users. If you have questions about your license and its enforcement, contact your account manager.
Levels of access rights
The six levels of access rights that can be assigned to users with Commander roles are:
- Administrator
- Operator with approval
- Operator
- Operator without deploy/clone (non-provisioning operator)
- Approver
- Auditor
Allowed actions for each level of access rights
The following table shows all of the tasks that can be performed with each level of access rights. Remember that access rights restrict what you can see, search for, and manage. For example, when performing a search, your access rights determine what search results will be returned. Some of these tasks also require a particular role.
All of these tasks require some level of access rights; tasks that don't require access rights don't appear in this table.
Allowed Actions for Each Level of Access Rights
Action | Administrator | Operator with Approval | Operator | Operator without Deploy/Clone | Approver | Auditor |
---|---|---|---|---|---|---|
Infrastructure & Monitoring | | | | | | |
View all events, tasks and alerts | Yes | Yes | Yes | Yes | Yes | Yes |
View cloud infrastructure elements (such as VMs and virtual services) | Yes | Yes | Yes | Yes | Yes | Yes |
Cancel own tasks | Yes | Yes | Yes | Yes | Yes | Yes |
Cancel the tasks of others | Yes | — | — | — | — | — |
Create, edit and delete scheduled tasks | Yes | Yes | Yes | Yes | Yes | Yes |
Rename infrastructure elements | Yes | — | — | — | — | — |
View linkages between Kubernetes clusters and underlying infrastructure (Also requires some level of access rights for the underlying cloud account) | Yes | Yes | Yes | Yes | Yes | Yes |
Modify linkages between Kubernetes and underlying infrastructure (Also requires some level of access rights for the underlying cloud account) | Yes | Yes | Yes | Yes | — | — |
Reporting & Searching | | | | | | |
Search, sort, filter, report on and export information. Note: While any user with a Commander role can perform a search and run a built-in report, access rights control what data is returned. | Yes | Yes | Yes | Yes | Yes | Yes |
View and filter Solutions pages. Note: While any user with a Commander role can perform a search and run a built-in report, access rights control the data that's returned. | Yes | Yes | Yes | Yes | Yes | Yes |
VM Connections | | | | | | |
Open a connection to a VM | Yes | Yes | Yes | Yes | — | — |
Configure console credentials for a cloud account | Yes | — | — | — | — | — |
Manage key pairs | Yes | Yes | Yes | Yes | — | — |
View VM console with a screenshot | Yes | Yes | Yes | Yes | — | — |
VM Management | | | | | | |
View VM lineage | Yes | Yes | Yes | Yes | Yes | Yes |
Compare VMs | Yes | Yes | Yes | Yes | — | — |
Start, stop, reset/reboot or suspend services; edit the start order of virtual services | Yes | Yes | Yes | Yes | — | — |
Manage VM snapshots | Yes | Yes | Yes | Yes | — | — |
Add, edit and delete folders in media library | Yes | Yes | Yes | Yes | — | — |
Upload and delete files in media library | Yes | Yes | Yes | — | — | — |
Manage connected media | Yes | Yes | Yes | — | — | — |
View guest operating system disk usage | Yes | Yes | Yes | Yes | — | — |
Quarantine a VM and remove from quarantine | Yes | Yes | — | — | — | — |
Scan datastore files | Yes | Yes | Yes | Yes | — | — |
Remove VMs and vApps from inventory, manage other files on disk, delete unlinked or orphaned files from disk | Yes | Yes | Yes | Yes | — | — |
Delete services from disk, including VMs, virtual services, load balancers, databases, auto scaling groups and application stacks | Yes | Yes | Yes | Yes | — | — |
Service Metadata | | | | | | |
Set tag compliance data for services | Yes | Yes | Yes | Yes | — | — |
Set approval state for services | Yes | Yes | — | — | Yes | — |
Apply custom attributes | Yes | Yes | Yes | Yes | — | — |
Set service ownership | Yes | Yes | Yes | Yes | — | — |
Set End of Life and Suspect states on VMs | Yes | Yes | Yes | Yes | — | — |
Set expiry group and expiry date | Yes | Yes | Yes | Yes | — | — |
Set maintenance group | Yes | Yes | Yes | Yes | — | — |
Cloud Accounts, Hosts, Datastores and Networks | | | | | | |
Set storage tiers for datastores and datastore clusters | Yes | — | — | — | — | — |
Scan datastores | Yes | Yes | Yes | Yes | — | — |
Configure host credentials | Yes | — | — | — | — | — |
Reconnect cloud account | Yes | Yes | Yes | Yes | — | — |
Remove cloud account | Yes | — | — | — | — | — |
Synchronize inventory | Yes | Yes | Yes | Yes | — | — |
Retrieve historical events | Yes | — | — | — | — | — |
Select EC2 regions for display | Yes | — | — | — | — | — |
Assign zones to networks | Yes | — | — | — | — | — |
Policy | | | | | | |
View policies | Yes | Yes | Yes | Yes | Yes | Yes |
Subscribe to policy alerts | Yes | Yes | Yes | Yes | Yes | Yes |
Create, edit and delete policies | Yes | — | — | — | — | — |
Set power schedule for existing VMs | Yes | Yes | Yes | Yes | — | — |
Set power schedule for new VMs | Yes | — | — | — | — | — |
Workflows | | | | | | |
Run command workflow | Yes | — | — | — | — | — |
Schedule command workflow | Yes | — | — | — | — | — |
Track workflow status | Yes | Yes | Yes | Yes | Yes | Yes |
Provisioning | | | | | | |
Clone and deploy VMs and virtual services | Yes | Yes | Yes | — | — | — |
Convert VMs to templates | Yes | Yes | Yes | — | — | — |
Migrate VMs | Yes | Yes | Yes | — | — | — |
Service Request Management | | | | | | |
Make, track and comment on service requests | Yes | Yes | Yes | Yes | Yes | Yes |
View requests awaiting your approval | Yes | — | — | — | — | — |
Approve and reject requests | Yes | Yes | Yes | — | — | — |
Deploy requested service or component | Yes | Yes | Yes | — | — | — |
Fulfill change request | Yes | Yes | Yes | — | — | — |
Link VM to service request | Yes | Yes | Yes | — | — | — |
Assign service requests | Yes | Yes | Yes | — | — | — |
Manually release VM or virtual service after deployment | Yes | Yes | Yes | — | — | — |
Share VM | Yes | Yes | Yes | — | — | — |
Capacity | | | | | | |
View host and cluster capacity | Yes | — | — | — | — | — |
Include VMs in and exclude VMs from capacity calculations | Yes | Yes | Yes | — | — | — |
Update capacity information | Yes | — | — | — | — | — |
Override default VM workload | Yes | Yes | Yes | — | — | — |
Override default reserved capacity | Yes | Yes | Yes | — | — | — |
Performance | | | | | | |
View VM performance | Yes | Yes | Yes | Yes | Yes | Yes |
Update VM performance | Yes | Yes | Yes | Yes | — | — |
Set rightsizing group for VMs | Yes | Yes | Yes | Yes | — | — |
View / search for rightsizing recommendations | Yes | Yes | Yes | Yes | Yes | Yes |
Apply, ignore and exclude rightsizing recommendations | Yes | Yes | Yes | — | — | — |
Manually reconfigure VM resources | Yes | Yes | Yes | — | — | — |
Assign access rights to administrative users
For each administrative user account, you can assign Commander roles for different access rights to cloud accounts or datacenters.
A higher level of access rights always takes precedence over lower levels. For example, if you assign Administrator access rights for a cloud account and then assign Auditor access rights for a datacenter within that cloud account, the user account has Administrator access rights for all datacenters in that cloud account.
Conversely, if you assign Auditor access rights for a cloud account and then assign Administrator access rights on one datacenter within that cloud account, then the user account has Administrator access rights on the specified datacenter and Auditor access rights for the cloud account and all other datacenters in that cloud account.
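The precedence rule above can be checked mechanically during an access review. The following is an added example, not Commander code: it models the two cases just described and flags datacenter assignments that have no restricting effect. It assumes the six levels are ranked in the order this page lists them (highest first); the account and datacenter names are hypothetical.

```python
# Added illustration: a model of the precedence rule, not Commander code.
# ASSUMPTION: the page's list order of the six levels is highest to lowest.
LEVELS = [
    "Administrator",
    "Operator with approval",
    "Operator",
    "Operator without deploy/clone",
    "Approver",
    "Auditor",
]
RANK = {name: len(LEVELS) - i for i, name in enumerate(LEVELS)}  # higher = more rights


def effective_level(assignments, account, datacenter=None):
    """Return the level that applies on a datacenter (or on the account itself).

    `assignments` maps (account, datacenter_or_None) -> level name.
    A datacenter inherits the account-level assignment, and the higher of
    the inherited and the directly assigned level takes precedence.
    """
    candidates = [assignments.get((account, None))]
    if datacenter is not None:
        candidates.append(assignments.get((account, datacenter)))
    candidates = [c for c in candidates if c is not None]
    return max(candidates, key=RANK.__getitem__) if candidates else None


def masked_assignments(assignments):
    """List datacenter assignments that restrict nothing because the
    account-level assignment is equal or higher."""
    masked = []
    for (account, dc), level in assignments.items():
        inherited = assignments.get((account, None))
        if dc is not None and inherited is not None and RANK[inherited] >= RANK[level]:
            masked.append((account, dc, level, inherited))
    return sorted(masked)


# Constructed sample data (hypothetical names), mirroring the two cases above.
alice = {("vcenter-prod", None): "Administrator", ("vcenter-prod", "dc-east"): "Auditor"}
bob = {("vcenter-prod", None): "Auditor", ("vcenter-prod", "dc-east"): "Administrator"}

if __name__ == "__main__":
    for name, rights in (("alice", alice), ("bob", bob)):
        for dc in ("dc-east", "dc-west"):
            print(name, dc, effective_level(rights, "vcenter-prod", dc))
        print(name, "masked:", masked_assignments(rights))
```

A non-empty result from `masked_assignments` means someone tried to narrow a user's rights on a datacenter but the broader account-level assignment still applies there.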
- You can assign access rights below the cloud account level only for vCenter cloud accounts.
- A user with a Reporter role may only be assigned an access level of Auditor. To display the Reporter role, the embotics.role.reporter.visible system property must be set to 'True'. Contact customer support before making any changes to a system property.
- A user with a Commander Role of Enterprise Admin can manage access rights if embotics.permission.modifyrole.nonsuperuser is set to 'True'. Contact customer support before making any changes to a system property.
Access: | Configuration > Identity and Access |
Available to: | Commander Role of Superuser and Enterprise Admin; Administrator Access Rights |
- Click the Users tab.
- On the Users page, select an administrative user.
- Click Assign Rights.
- From the list, select one or more cloud accounts.
  To quickly find a cloud account or datacenter, you can search for it by name.
- (Optional) To assign access rights for a datacenter, select Show datacenters.
  The option to show or hide datacenters is only visible when you have datacenters in Commander. By default, if no access rights are assigned to any datacenters, then datacenters are not shown.
- (Optional) To assign administrator access rights to all infrastructure resources, select User is administrator on all cloud accounts.
- Click Set Role, and select a role.
- Click OK.