Commander Roles and Permissions
A Commander role is a set of permissions that determine what users can do in the Admin Portal console and what tasks they can carry out. The Commander roles are explained below so that you can decide how to assign them to users.
See Add User and Group Accounts and Assigning Roles to learn how to assign roles to administrative users.
See also Examples of Administrative User Account Configuration.
Overview of Commander roles
Role | What the Role Can Do | Assign To |
---|---|---|
Superuser | The Superuser role has access to all functionality within the Admin Portal. Used primarily when Commander is first installed, the superuser role permits configuration of all of the tasks in the table below. Commander comes configured with a default superuser account. This default account has administrator access rights on all cloud accounts added to the Admin Portal. Any other superuser account created by the default superuser account automatically has full permissions, but you must configure access rights. | Users who need access to all the functionality of the Admin Portal plus all the permissions available for working with cloud accounts. |
Enterprise Admin | The Enterprise Admin role can configure global policy, custom attributes, VM groups, and user accounts. This role can also access Support resources under Help > Support. | Users who need access to the day-to-day administrative functions of the Admin Portal with the exception of those functions reserved for the superuser. |
Auditor | The Auditor role has read-only access to the Admin Portal. | Users who require read-only access to view information about your virtual infrastructure, including reports. |
User | The User role has no privileges to set or change values in the Admin Portal. | Users who carry out normal administrative or operational functions on VMs. |
Reporter | The Reporter role allows a new user to generate reports. This role has only read-only access to the Admin Portal and can't make any configuration changes or view sensitive configuration information. A user with a Reporter role may only be assigned an access level of Auditor. Reporter role users can't access: Configuration menu; Recommendations; Service Requests page; Workflow pages; Storage view; Organization information (information for other organizations isn't accessible, and organization filters aren't available in reports). Reports that are not available include: Activity; Service Fulfillment. | Users who require read-only access to view Commander Solutions pages and generate reports. The Reporter role can only be assigned to a new user. When a user is created with a Reporter role, their role can't be changed later, and they can't be assigned any other role. By default, this role isn't available to assign to users. To make the Reporter role available, you must set the advanced system property embotics.role.reporter.visible to true. See Advanced Configuration With System Properties for details. |
Permissions required for common Admin Portal tasks
The following table shows the tasks you can perform with a Commander role.
In addition to your role, access rights restrict what you can see, search for, and manage. For example, while any user with a Commander role can perform a search and run a built-in report, access rights control what data is returned.
A user can have both a Commander role and a Service Portal role. The only exception is the Reporter role, which is very restrictive. The Reporter role can only be assigned to a new user. In addition, when a user is assigned the Reporter role, they can't be assigned any other role, and their role can't be changed.
Admin Portal Tasks | Superuser | Enterprise Admin | Auditor | User | Reporter |
---|---|---|---|---|---|
Update own account | Yes | Yes | Yes | Yes | Yes |
View information in the Admin Portal | Yes | Yes | Yes | Yes | Yes |
Search for information (search results are based on access rights) | Yes | Yes | Yes | Yes | Yes |
Run, view, print, and share built-in reports (report data is based on access rights) | Yes | Yes | Yes | Yes | Yes |
View organizations | Yes | Yes | Yes | Yes | — |
Make REST calls | Yes | Yes | Yes | Yes | — |
Manage policies | Yes | Yes | — | — | — |
Add, edit, and delete user accounts; assign roles; customize roles; view user account details | Yes | Yes | — | — | — |
Manage non-superuser accounts | Yes | Yes | — | — | — |
Manage organizations | Yes | Yes | — | — | — |
Configure cloud accounts | Yes | Yes | — | — | — |
Manage organization media | Yes | Yes | — | — | — |
Manage workflows | Yes | Yes | — | — | — |
Configure costing (cost models, historical costs, global costs) | Yes | Yes | — | — | — |
Configure custom attributes | Yes | Yes | — | — | — |
Configure groups (expiry, maintenance, power schedule, and rightsizing groups) | Yes | Yes | — | — | — |
Manage IP pools | Yes | Yes | — | — | — |
Manage network zones | Yes | Yes | — | — | — |
Configure default VM workload | Yes | Yes | — | — | — |
Configure default reserved capacity | Yes | Yes | — | — | — |
Manage the service catalog and forms | Yes | Yes | — | — | — |
Configure email notification for system events | Yes | Yes | — | — | — |
Manage credentials | Yes | Yes | — | — | — |
Manage key pairs | Yes | Yes | — | — | — |
Configure automated deployment destinations | Yes | Yes | — | — | — |
Configure VM rightsizing recommendations | Yes | Yes | — | — | — |
Add, edit and delete folders in the media library | Yes | Yes | — | — | — |
Modify linkages between Kubernetes cluster and underlying infrastructure | Yes | Yes | — | — | — |
Obtain support under Help > Support | Yes | Yes | — | — | — |
Assign access rights | Yes | — | — | — | — |
Configure system properties | Yes | — | — | — | — |
Configure single sign-on | Yes | — | — | — | — |
Override scheduled tasks | Yes | — | — | — | — |
Manage datastore scans | Yes | — | — | — | — |
Restrict service access to specific host or IP | Yes | — | — | — | — |
Configure session timeouts and sign in preferences | Yes | — | — | — | — |
Configure the Service Portal | Yes | — | — | — | — |
Purge the database | Yes | — | — | — | — |
Manage licensing | Yes | — | — | — | — |
Configure provisioning options | Yes | — | — | — | — |
Manage superuser accounts | Yes | — | — | — | — |