
Cloud Director CAPVCD User Rights

CAPVCD requires a specific set of user Rights. For a tenant Organization to have a Role that can successfully deploy DKP clusters, those Rights must be specified. When a DKP workload cluster is created, each machine needs to register with the VCD Cloud Provider Interface (CPI) and get node references.

Refer to https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-816FBBBC-2CDA-4B1D-9B1A-C22BC31B46F2.html for terminology related to Rights and Roles. The remainder of this page describes what the CAPVCD User requires in relation to Rights and Rights Bundles.

CAPVCD User

CAPVCD uses the credential (username/password or API token) of a VCD User to manage the cluster. The VCD Cloud Provider Interface (CPI) and CSI controllers use the same credential. This User needs specific API permissions, known as Rights, for the CAPVCD, CPI, and CSI controllers to work correctly. For a User to be granted a Right, the User must be associated with a Role that consumes this Right, meaning the Role grants Rights to the User.

If the User belongs to an Organization, then the Right must also be published by the Provider to the tenant Organization in a Rights Bundle. The Rights Bundle grants Rights to the tenant Organization.

Create the VCD User Required by CAPVCD

CAPVCD requires all the Rights in the default vApp Author Global Role, plus the Rights required by the VCD CPI, the VCD CSI, and some Rights required by CAPVCD itself.

  1. A Provider administrator creates a Rights Bundle that enumerates all the below rights. We recommend the name DKP Cluster Admin for the Rights Bundle.

  2. A Provider administrator creates a Global Role that enumerates all the below rights. We recommend the name DKP Cluster Admin for the Global Role.

  3. A Provider administrator publishes both the Rights Bundle and the Global Role to every Organization that will deploy DKP clusters.

  4. An Organization administrator creates a User, and associates it with the Global Role.

The procedure for creating a Rights Bundle is described in the VMware documentation: https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-CFB0EFEE-0D4C-498D-A937-390811F11B8E.html. The steps for creating the Global Role are described here: https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-0D991FCF-3800-461D-B123-FAE7CFF34216.html

List of Rights

CAPVCD requires the Rights listed below.

The majority of the Rights come from the vApp Author Global Role. When independent components, such as CAPVCD and CPI, need the same Right, that Right appears in more than one source.

The lists below give the Rights from each source, as well as Rights that are required but not documented by CAPVCD. The last list merges the Rights from all sources, with duplicates removed.

Required by the vApp Author Role

This list contains the Rights of the vApp Author Global Role. Some of these Rights also appear in other sources; the final list below merges all sources with duplicates removed.

Catalog: Add vApp from My Cloud
Catalog: View Private and Shared Catalogs
Organization vDC Compute Policy: View
Organization vDC Disk: View IOPS
Organization vDC Named Disk: Create
Organization vDC Named Disk: Delete
Organization vDC Named Disk: Edit Properties
Organization vDC Named Disk: View Encryption Status
Organization vDC Named Disk: View Properties
Organization vDC Network: View Properties
Organization vDC: VM-VM Affinity Edit
Organization: View
UI Plugins: View
vApp Template / Media: Copy
vApp Template / Media: Edit
vApp Template / Media: View
vApp Template: Checkout
VAPP_VM_METADATA_TO_VCENTER
vApp: Copy
vApp: Create / Reconfigure
vApp: Delete
vApp: Download
vApp: Edit Properties
vApp: Edit VM Compute Policy
vApp: Edit VM CPU
vApp: Edit VM Hard Disk
vApp: Edit VM Memory
vApp: Edit VM Network
vApp: Edit VM Properties
vApp: Manage VM Password Settings
vApp: Power Operations
vApp: Sharing
vApp: Snapshot Operations
vApp: Upload
vApp: Use Console
vApp: View ACL
vApp: View VM and VM's Disks Encryption Status
vApp: View VM metrics
vApp: VM Boot Options

Additional Rights Required by CAPVCD

API Tokens: Manage
Organization vDC Gateway: Configure Load Balancer
Organization vDC Gateway: Configure NAT
Organization vDC Gateway: View
vApp: Allow All Extra Config

Rights Required to List Catalogs (Not Documented by CAPVCD)

These Rights are not documented by CAPVCD, but are required. They allow CAPVCD to list the Catalogs in the Organization.

General: Administrator View
Access All Organization VDCs

Implied Rights (Not Documented by CAPVCD)

These Rights are not documented by CAPVCD, but are implied by the documented Rights.

Certificate Library: View
Organization vDC Gateway: View NAT
Organization vDC Gateway: View Load Balancer

Additional Rights Required by CPI

API Tokens: Manage
Organization vDC Gateway: Configure Load Balancer
Organization vDC Gateway: Configure NAT
Organization vDC Gateway: View

Additional Rights Required by CSI

API Tokens: Manage
Organization vDC Shared Named Disk: Create
Organization vDC Named Disk: Delete
Organization vDC Named Disk: Edit Properties
Organization vDC Named Disk: View Encryption Status
Organization vDC Named Disk: View Properties

All Sources Merged with Duplicates Removed

Access All Organization VDCs
API Tokens: Manage
Catalog: Add vApp from My Cloud
Catalog: View Private and Shared Catalogs
Certificate Library: View
General: Administrator View
Organization vDC Compute Policy: View
Organization vDC Disk: View IOPS
Organization vDC Gateway: Configure Load Balancer
Organization vDC Gateway: Configure NAT
Organization vDC Gateway: View
Organization vDC Gateway: View Load Balancer
Organization vDC Gateway: View NAT
Organization vDC Named Disk: Create
Organization vDC Named Disk: Delete
Organization vDC Named Disk: Edit Properties
Organization vDC Named Disk: View Encryption Status
Organization vDC Named Disk: View Properties
Organization vDC Network: View Properties
Organization vDC Shared Named Disk: Create
Organization vDC: VM-VM Affinity Edit
Organization: View
UI Plugins: View
vApp Template / Media: Copy
vApp Template / Media: Edit
vApp Template / Media: View
vApp Template: Checkout
VAPP_VM_METADATA_TO_VCENTER
vApp: Allow All Extra Config
vApp: Copy
vApp: Create / Reconfigure
vApp: Delete
vApp: Download
vApp: Edit Properties
vApp: Edit VM Compute Policy
vApp: Edit VM CPU
vApp: Edit VM Hard Disk
vApp: Edit VM Memory
vApp: Edit VM Network
vApp: Edit VM Properties
vApp: Manage VM Password Settings
vApp: Power Operations
vApp: Sharing
vApp: Snapshot Operations
vApp: Upload
vApp: Use Console
vApp: View ACL
vApp: View VM and VM's Disks Encryption Status
vApp: View VM metrics
vApp: VM Boot Options
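The following is an added example, not part of the DKP documentation or of CAPVCD itself. It encodes the per-source Rights lists above, derives the merged list by taking their union, and models the two-step grant described earlier on this page: a tenant User only effectively holds a Right when the Global Role grants it and the Provider has also published it to the Organization in a Rights Bundle. The audit function reports which required Rights are absent from the Role, which are in the Role but not published, and which effective Rights go beyond what CAPVCD, CPI and CSI need (useful for keeping the DKP Cluster Admin Role to least privilege). The Role and Rights Bundle inputs are assumed to be plain lists of Right names, for instance exported from the VCD UI or API; the sample Role and Bundle at the bottom are constructed for illustration, as is the Right named "Example: Unrelated Right (constructed)".

```python
"""Added example (not from the DKP docs): derive the merged CAPVCD Rights list
and audit a Global Role / Rights Bundle pair against it."""

# Rights from the vApp Author Global Role, as listed on this page.
VAPP_AUTHOR = [
    "Catalog: Add vApp from My Cloud", "Catalog: View Private and Shared Catalogs",
    "Organization vDC Compute Policy: View", "Organization vDC Disk: View IOPS",
    "Organization vDC Named Disk: Create", "Organization vDC Named Disk: Delete",
    "Organization vDC Named Disk: Edit Properties",
    "Organization vDC Named Disk: View Encryption Status",
    "Organization vDC Named Disk: View Properties", "Organization vDC Network: View Properties",
    "Organization vDC: VM-VM Affinity Edit", "Organization: View", "UI Plugins: View",
    "vApp Template / Media: Copy", "vApp Template / Media: Edit", "vApp Template / Media: View",
    "vApp Template: Checkout", "VAPP_VM_METADATA_TO_VCENTER", "vApp: Copy",
    "vApp: Create / Reconfigure", "vApp: Delete", "vApp: Download", "vApp: Edit Properties",
    "vApp: Edit VM Compute Policy", "vApp: Edit VM CPU", "vApp: Edit VM Hard Disk",
    "vApp: Edit VM Memory", "vApp: Edit VM Network", "vApp: Edit VM Properties",
    "vApp: Manage VM Password Settings", "vApp: Power Operations", "vApp: Sharing",
    "vApp: Snapshot Operations", "vApp: Upload", "vApp: Use Console", "vApp: View ACL",
    "vApp: View VM and VM's Disks Encryption Status", "vApp: View VM metrics",
    "vApp: VM Boot Options",
]
CAPVCD_EXTRA = ["API Tokens: Manage", "Organization vDC Gateway: Configure Load Balancer",
                "Organization vDC Gateway: Configure NAT", "Organization vDC Gateway: View",
                "vApp: Allow All Extra Config"]
CATALOG_LISTING = ["General: Administrator View", "Access All Organization VDCs"]
IMPLIED = ["Certificate Library: View", "Organization vDC Gateway: View NAT",
           "Organization vDC Gateway: View Load Balancer"]
CPI_EXTRA = ["API Tokens: Manage", "Organization vDC Gateway: Configure Load Balancer",
             "Organization vDC Gateway: Configure NAT", "Organization vDC Gateway: View"]
CSI_EXTRA = ["API Tokens: Manage", "Organization vDC Shared Named Disk: Create",
             "Organization vDC Named Disk: Delete", "Organization vDC Named Disk: Edit Properties",
             "Organization vDC Named Disk: View Encryption Status",
             "Organization vDC Named Disk: View Properties"]

SOURCES = {"vApp Author": VAPP_AUTHOR, "CAPVCD": CAPVCD_EXTRA, "Catalog listing": CATALOG_LISTING,
           "Implied": IMPLIED, "CPI": CPI_EXTRA, "CSI": CSI_EXTRA}


def required_rights():
    """Union of every source with duplicates removed (the page's final list)."""
    return set().union(*SOURCES.values())


def sources_of(right):
    """Which sources ask for a given Right; a Right shared by several components appears in each."""
    return [name for name, rights in SOURCES.items() if right in rights]


def effective_rights(role_rights, published_rights):
    """A tenant User holds a Right only if the Role grants it AND the Provider
    published it to the Organization in a Rights Bundle."""
    return set(role_rights) & set(published_rights)


def audit(role_rights, published_rights, required=None):
    """Report what would block CAPVCD/CPI/CSI and what is granted beyond need."""
    required = set(required) if required is not None else required_rights()
    role, published = set(role_rights), set(published_rights)
    return {
        # Required but the Global Role does not grant it at all.
        "not_in_role": sorted(required - role, key=str.casefold),
        # In the Role, but the Provider never published it to this Organization.
        "not_published": sorted((required & role) - published, key=str.casefold),
        # Effectively held by the User, yet not needed by CAPVCD, CPI or CSI.
        "excess": sorted(effective_rights(role, published) - required, key=str.casefold),
    }


if __name__ == "__main__":
    # Constructed sample: a Role missing one NAT Right and carrying one unrelated Right,
    # and a Rights Bundle that omits "Access All Organization VDCs".
    unrelated = "Example: Unrelated Right (constructed)"
    sample_role = (required_rights() - {"Organization vDC Gateway: Configure NAT"}) | {unrelated}
    sample_bundle = (required_rights() - {"Access All Organization VDCs"}) | {unrelated}
    print(f"{len(required_rights())} Rights required in total")
    for key, items in audit(sample_role, sample_bundle).items():
        print(f"{key}: {items}")
```

Run it as-is to see the sample report; to audit a real deployment, replace sample_role with the Rights of the DKP Cluster Admin Global Role and sample_bundle with the Rights the Provider published to the tenant Organization. Anything in not_in_role or not_published will surface as a permission failure in CAPVCD, CPI or CSI, while excess lists Rights the Role could drop.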

Next Step:

Cloud Director Create Image and Template
