VMware Cloud Director has a variety of ways to assign permissions. As a Service Provider (Cloud Provider), you have numerous options when it comes to giving tenants access to VMware Cloud Director (VCD) features. There are:
Rights - provide view or manage access to a particular object type in VMware Cloud Director, and belong to different categories depending on the objects to which they relate, such as vApp, Catalog, or Organization
Roles - a collection of rights assigned to a user, defining what that individual user has access to
Rights Bundles - a collection of rights for the tenant Organization as a whole, defining what a tenant Organization has access to
Various Rights are common to multiple predefined Global Roles. These Rights are granted by default to all new organizations and are available for use in other Roles created by the tenant Organization Administrator. The predefined Roles for both Provider and Tenant are explained in the VMware documentation: https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-BC504F6B-3D38-4F25-AACF-ED584063754F.html.
Service Provider (SP) System Administrator
The System Administrator role exists only in the provider organization.
As a Service Provider (SP) you will have roles for vSphere vCenter as well as VMware Cloud Director (VCD):
vCenter/NSX/AVI Infrastructure System Administrator: Manages the physical infrastructure for vCenter, the NSX network fabric, and AVI load balancers (D2IQ SRE / Service Provider (OVH cloud))
System Administrator - Provider (SP): Manages the virtual infrastructure in VCD that uses the vCenter(s), NSX(s), AVI(s), etc. (D2IQ SRE)
Organization (Tenant) Administrator: Manages the virtual infrastructure (org, org VDC, networks, catalogs, templates, users, etc.) for a tenant. These are the users that can create Kubernetes clusters.
Through the VMware Cloud Director (VCD) Service Provider Admin Portal, the SP can add System Administrators for Cloud Director and see the predefined list of rights included in any role. The System Administrator manages the virtual infrastructure in VCD that uses vCenter(s), NSX(s), AVI(s) and the other components of the VCD environment.
Also refer to the Managing System Administrators and Roles documentation on the VMware documentation site.
Organization (Tenant) Administrator
As an Organization Administrator, you can create, edit, import, and delete users from the tenant portal. The tenant Organization Administrator manages the virtual infrastructure of the organization itself, including its networks, catalogs, templates, and similar objects. Important predefined role information is below:
The vApp Author role can use catalogs and create vApps.
A tenant Organization Administrator can access roles if the System Administrator allows it. They can only view the global tenant roles that a System Administrator has published to the organization; they cannot modify them. The Organization Administrator can, however, create custom tenant roles with similar rights and assign them to users within their own tenant Organization.
The predefined Global Tenant Roles are also explained in the VMware documentation: https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-BC504F6B-3D38-4F25-AACF-ED584063754F.html and https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-AE42A8F6-868C-4FC0-B224-87CA0F3D6350.html.
Tenant Roles and Rights
Several predefined global tenant roles are described in the VMware documentation, including which components they can access and change. A right may be present in a role, but it only takes effect once a rights bundle containing that right has been published to the tenant Organization; until then, users holding the role are still denied that permission.
Create a Tenant Role that uses all these Rights.
The SP should publish these to the tenant Organizations that need to create clusters. The tenant then assigns the Tenant Role to a VCD user, creates an API Token for that user, and passes the Token to the DKP CLI, which uses it to authenticate the CLI to vCenter.
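As an added illustration of the publishing requirement above (this is example code, not part of the original page or of the DKP or VCD code bases), the script below models roles, rights bundles and their publication to tenant organizations, and reports which of a role's rights are inert in a given organization because no published bundle backs them. All bundle, role, right and organization names are constructed sample data; in a real audit they would be fetched from the VCD API, which this example assumes rather than calls.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RightsBundle:
    """A rights bundle and the tenant organizations it is published to."""
    name: str
    rights: frozenset
    publish_to_all: bool = False      # published to every tenant org
    tenants: frozenset = frozenset()  # orgs it is explicitly published to


# Constructed sample data (not real VCD output); right names are illustrative.
SAMPLE_BUNDLES = (
    RightsBundle("Default Rights Bundle", frozenset({
        "vApp: View", "vApp: Edit Properties",
        "Catalog: View Private and Shared Catalogs",
    }), publish_to_all=True),
    RightsBundle("Example Cluster Rights Bundle", frozenset({
        "Organization vDC: View", "Organization vDC Network: View",
        "Custom Entity: Full Access",
    }), tenants=frozenset({"tenant-a"})),
)

# Rights carried by a constructed custom tenant role given to cluster creators.
CLUSTER_ROLE_RIGHTS = frozenset({
    "vApp: View", "vApp: Edit Properties", "Organization vDC: View",
    "Organization vDC Network: View", "Custom Entity: Full Access",
})


def published_rights(bundles, org):
    """Union of the rights of every bundle published to `org`."""
    rights = set()
    for bundle in bundles:
        if bundle.publish_to_all or org in bundle.tenants:
            rights |= bundle.rights
    return rights


def audit_role(role_rights, bundles, org):
    """Return (effective, inert): rights that work in `org`, and rights the
    role carries that no published bundle backs, so users are still denied."""
    available = published_rights(bundles, org)
    return sorted(role_rights & available), sorted(role_rights - available)


if __name__ == "__main__":
    for org in ("tenant-a", "tenant-b"):
        effective, inert = audit_role(CLUSTER_ROLE_RIGHTS, SAMPLE_BUNDLES, org)
        print(f"{org}: {len(effective)} effective right(s), inert={inert}")
```

For tenant-b the cluster bundle was never published, so the three cluster-related rights on the role show up as inert even though the role itself looks complete.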
The CAPVCD provider uses a related component called CSE. Some of the permissions necessary to create a VCD cluster are defined using this component. Note that the term Role Based Access Control (RBAC) used in the CSE documentation refers ONLY to the VCD rights and permissions necessary to perform lifecycle management of Kubernetes clusters using VCD. It has no impact on the RBAC configuration of any clusters created using VCD.
Role Based Access Control (RBAC) from GitHub - The RBAC on that page refers to the roles and rights required for tenants to perform the lifecycle management of Kubernetes clusters. It has nothing to do with the RBAC inside the Kubernetes cluster itself.