Private cloud VMware vCenter permission model

Google Cloud VMware Engine retains full administrative access to the vCenter of your private cloud. The accounts and roles described on this page grant less than the built-in vCenter Administrator role: you get enough administrator privileges to deploy and manage the virtual machines (VMs) in your environment and the day-to-day configuration around them. When a task needs privileges outside that set, you can temporarily elevate your privileges to perform advanced administrative functions.

CloudOwner user

When you create a private cloud, a default user, CloudOwner@gve.local, is created in the vCenter Single Sign-On domain and assigned Cloud-Owner-Role on the objects in the private cloud. This user can add vCenter identity sources (for example, your own directory) and create other users in the private cloud vCenter. Treat it as a break-glass account: keep its credentials out of routine use and give people their own accounts through the groups described below.

vCenter user groups

When you deploy a private cloud, a group called Cloud-Owner-Group is created. Members of this group can administer the vSphere environment of the private cloud. The group is automatically assigned Cloud-Owner-Role, and the CloudOwner user is added as a member of it.

Google also creates groups with narrower privileges so that you do not have to hand out Cloud-Owner-Role for routine work. Adding a user to one of these pre-created groups automatically grants the user the role bound to that group; removing the user from the group revokes it.

Pre-created vCenter user groups

Group name (role): purpose
Cloud-Owner-Group (Cloud-Owner-Role): members have administrator privileges on the private cloud vCenter
Cloud-Global-Cluster-Admin-Group (Cloud-Cluster-Admin-Role): members have administrator privileges on the private cloud vCenter cluster
Cloud-Global-Storage-Admin-Group (Cloud-Storage-Admin-Role): members can manage storage on the private cloud vCenter
Cloud-Global-Network-Admin-Group (Cloud-Network-Admin-Role): members can manage networks and distributed port groups on the private cloud vCenter
Cloud-Global-VM-Admin-Group (Cloud-VM-Admin-Role): members can manage VMs on the private cloud vCenter

To grant an individual user permissions to manage the private cloud, create a user account (or add an identity source) and add the account to the group whose role covers what the user actually needs. Reserve Cloud-Owner-Group for administrators: Cloud-Owner-Role includes Permissions > Modify permission and Sessions > Impersonate user, which let a member change other principals' permissions and act as another user. You can also create additional user groups and assign them roles to enable finer-grained access control for the users of the private cloud vCenter.
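The group-to-role binding above is easy to reason about one group at a time, but users end up in several groups, and the "limited" roles are not all equally limited: Cloud-VM-Admin-Role, for example, carries Guest operation program execution and Allow VM download, so a member can run programs inside guests (with guest credentials) and pull virtual disks off the datastore. The script below is an added example, not Google Cloud or VMware code. It encodes the group table from this page and a hand-picked subset of the privilege tables (using the page's "Category > Privilege" display names, not vSphere privilege IDs), computes the effective privilege set for a user's group memberships, flags the privileges that reach beyond "manage my VMs" (the list and its reasons are this editor's assessment), shows what a member gains when moved between roles, and picks the pre-created group(s) that cover a required set of privileges with the least excess.

```python
"""Effective-privilege and least-privilege checks for the pre-created GCVE
vCenter groups.

Added example; not Google Cloud or VMware code. GROUP_ROLE mirrors the group
table on this page. ROLE_PRIVS is a hand-picked SUBSET of the privilege tables
on this page, written as "Category > Privilege" display names (not vSphere
privilege IDs); extend it from the tables as needed.
"""
from typing import Dict, FrozenSet, Iterable, List, Set

GROUP_ROLE: Dict[str, str] = {
    "Cloud-Owner-Group": "Cloud-Owner-Role",
    "Cloud-Global-Cluster-Admin-Group": "Cloud-Cluster-Admin-Role",
    "Cloud-Global-Storage-Admin-Group": "Cloud-Storage-Admin-Role",
    "Cloud-Global-Network-Admin-Group": "Cloud-Network-Admin-Role",
    "Cloud-Global-VM-Admin-Group": "Cloud-VM-Admin-Role",
}

# Privilege subsets shared by several roles (all taken from the page's tables).
_VM = frozenset({
    "Virtual machine > Configuration > Add new disk",
    "Virtual machine > Configuration > Modify device settings",
    "Virtual machine > Guest operations > Guest operation program execution",
    "Virtual machine > Interaction > Console interaction",
    "Virtual machine > Interaction > Power on",
    "Virtual machine > Provisioning > Allow disk access",
    "Virtual machine > Provisioning > Allow VM download",
    "Virtual machine > Snapshot management > Create snapshot",
})
_DATASTORE = frozenset({
    "Datastore > Allocate space",
    "Datastore > Browse datastore",
    "Datastore > Configure datastore",
    "Datastore > Low-level file operations",
    "Datastore > Remove datastore",
})
_NETWORK = frozenset({
    "Network > Assign network",
    "Network > Configure",
    "Network > Move network",
    "Network > Remove",
    "dvPort group > Create",
    "dvPort group > Modify",
})

ROLE_PRIVS: Dict[str, FrozenSet[str]] = {
    "Cloud-Owner-Role": _VM | _DATASTORE | _NETWORK | {
        "Permissions > Modify permission",
        "Sessions > Impersonate user",
        "Global > Diagnostics",
        "Cryptographic operations > Manage keys",
        "Datastore > Move datastore",
        "Datastore > Remove file",
        "Resource > Assign VM to resource pool",
    },
    "Cloud-Cluster-Admin-Role": _VM | _DATASTORE | {
        "Network > Assign network",
        "Resource > Assign VM to resource pool",
    },
    "Cloud-Storage-Admin-Role": _DATASTORE | {
        "Datastore cluster > Configure a datastore cluster",
    },
    "Cloud-Network-Admin-Role": _NETWORK | {
        "Virtual machine > Configuration > Modify device settings",
    },
    "Cloud-VM-Admin-Role": _VM | {
        "Datastore > Allocate space",
        "Datastore > Browse datastore",
        "Network > Assign network",
        "Resource > Assign VM to resource pool",
    },
}

# Privileges whose holder can pivot to other principals, guest contents or raw
# storage. The selection and reasons are the editor's assessment, not page text.
SENSITIVE: Dict[str, str] = {
    "Permissions > Modify permission":
        "can grant any role, including Cloud-Owner-Role, to any principal",
    "Sessions > Impersonate user": "can act as another vCenter user",
    "Virtual machine > Guest operations > Guest operation program execution":
        "runs programs inside guests through VMware Tools (with guest credentials)",
    "Virtual machine > Provisioning > Allow VM download":
        "downloads VM files, including virtual disks, from the datastore",
    "Datastore > Low-level file operations":
        "reads, writes and deletes arbitrary files on datastores",
    "Global > Diagnostics": "exports diagnostic bundles",
}


def effective_privileges(groups: Iterable[str]) -> Set[str]:
    """Union of the privileges of the roles bound to the given groups."""
    privs: Set[str] = set()
    for group in groups:
        if group not in GROUP_ROLE:
            raise KeyError(f"not a pre-created group: {group}")
        privs |= ROLE_PRIVS[GROUP_ROLE[group]]
    return privs


def sensitive_privileges(groups: Iterable[str]) -> Dict[str, str]:
    """SENSITIVE privileges a member of these groups would hold, with reasons."""
    held = effective_privileges(groups)
    return {p: why for p, why in SENSITIVE.items() if p in held}


def role_diff(wider: str, narrower: str) -> Set[str]:
    """Privileges `wider` has and `narrower` lacks: what a user gains if moved."""
    return set(ROLE_PRIVS[wider] - ROLE_PRIVS[narrower])


def smallest_covering_groups(required: Set[str]) -> List[str]:
    """Greedy set cover over the pre-created groups: repeatedly add the group
    whose role grants the fewest privileges outside `required` (ties broken by
    how many required privileges it covers) until all are covered."""
    remaining = set(required)
    chosen: List[str] = []
    while remaining:
        candidates = []
        for group, role in GROUP_ROLE.items():
            if group in chosen:
                continue
            covers = ROLE_PRIVS[role] & remaining
            if covers:
                excess = len(ROLE_PRIVS[role] - required)
                candidates.append((excess, -len(covers), group))
        if not candidates:
            raise ValueError(f"no pre-created group grants: {sorted(remaining)}")
        _, _, best = min(candidates)
        chosen.append(best)
        remaining -= ROLE_PRIVS[GROUP_ROLE[best]]
    return chosen


if __name__ == "__main__":
    print("VM admin holds:", sensitive_privileges(["Cloud-Global-VM-Admin-Group"]))
    print("Owner gains over cluster admin:",
          sorted(role_diff("Cloud-Owner-Role", "Cloud-Cluster-Admin-Role")))
    print("Groups for power-on + snapshot:", smallest_covering_groups({
        "Virtual machine > Interaction > Power on",
        "Virtual machine > Snapshot management > Create snapshot"}))
```

To check the live vCenter instead of this page's tables, the role definitions are available through the vSphere API (with pyVmomi, `content.authorizationManager.roleList`, where each role's `privilege` attribute lists privilege IDs); map the display names used here to those IDs before comparing, and treat any privilege present in the live role but absent from the page as something to ask about.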

List of vCenter privileges for default roles

Cloud-Owner-Role

Category: Privileges
Alarms: Acknowledge alarm, Create alarm, Disable alarm action, Modify alarm, Remove alarm, Set alarm status
Permissions: Modify permission
Content library: Add library item, Create local library, Create subscribed library, Delete library item, Delete local library, Delete subscribed library, Download files, Evict library item, Evict subscribed library, Import storage, Probe subscription information, Read storage, Sync library item, Sync subscribed library, Type introspection, Update configuration settings, Update files, Update library, Update library item, Update local library, Update subscribed library, View configuration settings
Cryptographic operations: Add disk, Clone, Decrypt, Direct access, Encrypt, Encrypt new, Manage KMS, Manage encryption policies, Manage keys, Migrate, Recrypt, Register VM, Register host
dvPort group: Create, Delete, Modify, Policy operation, Scope operation
Datastore: Allocate space, Browse datastore, Configure datastore, Low-level file operations, Move datastore, Remove datastore, Remove file, Rename datastore, Update VM files, Update VM metadata
ESX Agent Manager: Config, Modify, View
Extension: Register extension, Unregister extension, Update extension
External stats provider: Register, Unregister, Update
Folder: Create folder, Delete folder, Move folder, Rename folder
Global: Cancel task, Capacity planning, Diagnostics, Disable methods, Enable methods, Global tag, Health, Licenses, Log event, Manage custom attributes, Proxy, Script action, Service managers, Set custom attribute, System tag
Health update provider: Register, Unregister, Update
Host > Configuration: Storage partition configuration
Host > Inventory: Modify cluster
vSphere tagging: Assign or unassign vSphere tag, Create vSphere tag, Create vSphere tag category, Delete vSphere tag, Delete vSphere tag category, Edit vSphere tag, Edit vSphere tag category, Modify UsedBy field for category, Modify UsedBy field for tag
Network: Assign network, Configure, Move network, Remove
Performance: Modify intervals
Host profile: View
Resource: Apply recommendation, Assign vApp to resource pool, Assign VM to resource pool, Create resource pool, Migrate powered off VM, Migrate powered on VM, Modify resource pool, Move resource pool, Query vMotion, Remove resource pool, Rename resource pool
Scheduled task: Create tasks, Modify task, Remove task, Run task
Sessions: Impersonate user, Message, Validate session, View and stop sessions
Datastore cluster: Configure a datastore cluster
Profile-driven storage: Profile-driven storage update, Profile-driven storage view
Storage views: Configure service, View
Tasks: Create task, Update task
Transfer service: Manage, Monitor
vApp: Add VM, Assign resource pool, Assign vApp, Clone, Create, Delete, Export, Import, Move, Power off, Power on, Rename, Suspend, Unregister, View OVF environment, vApp application configuration, vApp instance configuration, vApp managedBy configuration, vApp resource configuration
VRMPolicy: Query VRMPolicy, Update VRMPolicy
Virtual machine > Configuration: Add existing disk, Add new disk, Add or remove device, Advanced, Change CPU count, Change resource, Configure managedBy, Disk change tracking, Disk lease, Display connection settings, Extend virtual disk, Host USB device, Memory, Modify device settings, Query fault tolerance compatibility, Query unowned files, Raw device, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Settings, Swapfile placement, Toggle fork parent, Unlock VM, Upgrade VM compatibility
Virtual machine > Guest operations: Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries
Virtual machine > Interaction: Answer question, Backup operation on VM, Configure CD media, Configure floppy media, Console interaction, Create screenshot, Defragment all disks, Device connection, Drag and drop, Guest operating system management by VIX API, Inject USB HID scan codes, Pause or unpause, Perform wipe or shrink operations, Power off, Power on, Record session on VM, Replay session on VM, Reset, Resume fault tolerance, Suspend, Suspend fault tolerance, Test failover, Test restart secondary VM, Turn off fault tolerance, Turn on fault tolerance, VMware Tools install
Virtual machine > Inventory: Create from existing, Create new, Move, Register, Remove, Unregister
Virtual machine > Provisioning: Allow disk access, Allow file access, Allow read-only disk access, Allow VM download, Allow VM files upload, Clone template, Clone VM, Create template from VM, Customize, Deploy template, Mark as template, Mark as VM, Modify customization specification, Promote disks, Read customization specifications
Virtual machine > Service configuration: Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration
Virtual machine > Snapshot management: Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot
Virtual machine > vSphere Replication: Configure replication, Manage replication, Monitor replication
vService: Create dependency, Destroy dependency, Reconfigure dependency configuration, Update dependency

Cloud-Cluster-Admin-Role

Category: Privileges
Datastore: Allocate space, Browse datastore, Configure datastore, Low-level file operations, Remove datastore, Rename datastore, Update VM files, Update VM metadata
Folder: Create folder, Delete folder, Move folder, Rename folder
Host > Configuration: Storage partition configuration
vSphere tagging: Assign or unassign vSphere tag, Create vSphere tag, Create vSphere tag category, Delete vSphere tag, Delete vSphere tag category, Edit vSphere tag, Edit vSphere tag category, Modify UsedBy field for category, Modify UsedBy field for tag
Network: Assign network
Resource: Apply recommendation, Assign vApp to resource pool, Assign VM to resource pool, Create resource pool, Migrate powered off VM, Migrate powered on VM, Modify resource pool, Move resource pool, Query vMotion, Remove resource pool, Rename resource pool
vApp: Add VM, Assign resource pool, Assign vApp, Clone, Create, Delete, Export, Import, Move, Power off, Power on, Rename, Suspend, Unregister, View OVF environment, vApp application configuration, vApp instance configuration, vApp managedBy configuration, vApp resource configuration
VRMPolicy: Query VRMPolicy, Update VRMPolicy
Virtual machine > Configuration: Add existing disk, Add new disk, Add or remove device, Advanced, Change CPU count, Change resource, Configure managedBy, Disk change tracking, Disk lease, Display connection settings, Extend virtual disk, Host USB device, Memory, Modify device settings, Query fault tolerance compatibility, Query unowned files, Raw device, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Settings, Swapfile placement, Toggle fork parent, Unlock VM, Upgrade VM compatibility
Virtual machine > Guest operations: Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries
Virtual machine > Interaction: Answer question, Backup operation on VM, Configure CD media, Configure floppy media, Console interaction, Create screenshot, Defragment all disks, Device connection, Drag and drop, Guest operating system management by VIX API, Inject USB HID scan codes, Pause or unpause, Perform wipe or shrink operations, Power off, Power on, Record session on VM, Replay session on VM, Reset, Resume fault tolerance, Suspend, Suspend fault tolerance, Test failover, Test restart secondary VM, Turn off fault tolerance, Turn on fault tolerance, VMware Tools install
Virtual machine > Inventory: Create from existing, Create new, Move, Register, Remove, Unregister
Virtual machine > Provisioning: Allow disk access, Allow file access, Allow read-only disk access, Allow VM download, Allow VM files upload, Clone template, Clone VM, Create template from VM, Customize, Deploy template, Mark as template, Mark as VM, Modify customization specification, Promote disks, Read customization specifications
Virtual machine > Service configuration: Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration
Virtual machine > Snapshot management: Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot
Virtual machine > vSphere Replication: Configure replication, Manage replication, Monitor replication
vService: Create dependency, Destroy dependency, Reconfigure dependency configuration, Update dependency

Cloud-Storage-Admin-Role

Category: Privileges
Datastore: Allocate space, Browse datastore, Configure datastore, Low-level file operations, Remove datastore, Rename datastore, Update VM files, Update VM metadata
Host > Configuration: Storage partition configuration
Datastore cluster: Configure a datastore cluster
Profile-driven storage: Profile-driven storage update, Profile-driven storage view
Storage views: Configure service, View

Cloud-Network-Admin-Role

Category: Privileges
dvPort group: Create, Delete, Modify, Policy operation, Scope operation
Network: Assign network, Configure, Move network, Remove
Virtual machine > Configuration: Modify device settings

Cloud-VM-Admin-Role

Category: Privileges
Datastore: Allocate space, Browse datastore
Network: Assign network
Resource: Assign VM to resource pool, Migrate powered off VM, Migrate powered on VM
vApp: Export, Import
Virtual machine > Configuration: Add existing disk, Add new disk, Add or remove device, Advanced, Change CPU count, Change resource, Configure managedBy, Disk change tracking, Disk lease, Display connection settings, Extend virtual disk, Host USB device, Memory, Modify device settings, Query fault tolerance compatibility, Query unowned files, Raw device, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Settings, Swapfile placement, Toggle fork parent, Unlock VM, Upgrade VM compatibility
Virtual machine > Guest operations: Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries
Virtual machine > Interaction: Answer question, Backup operation on VM, Configure CD media, Configure floppy media, Console interaction, Create screenshot, Defragment all disks, Device connection, Drag and drop, Guest operating system management by VIX API, Inject USB HID scan codes, Pause or unpause, Perform wipe or shrink operations, Power off, Power on, Record session on VM, Replay session on VM, Reset, Resume fault tolerance, Suspend, Suspend fault tolerance, Test failover, Test restart secondary VM, Turn off fault tolerance, Turn on fault tolerance, VMware Tools install
Virtual machine > Inventory: Create from existing, Create new, Move, Register, Remove, Unregister
Virtual machine > Provisioning: Allow disk access, Allow file access, Allow read-only disk access, Allow VM download, Allow VM files upload, Clone template, Clone VM, Create template from VM, Customize, Deploy template, Mark as template, Mark as VM, Modify customization specification, Promote disks, Read customization specifications
Virtual machine > Service configuration: Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration
Virtual machine > Snapshot management: Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot
Virtual machine > vSphere Replication: Configure replication, Manage replication, Monitor replication
vService: Create dependency, Destroy dependency, Reconfigure dependency configuration, Update dependency
