Organization VDC Permissions in vCloud Director

Update 14/04/2020: This feature is available in the Cloud Director UI from version 10.1.

As of vCloud Director 8.10 it is possible for the tenant Organization Administrator to control access to Organization VDCs. This enables the following use case:

  • In one Organization there are multiple Org VDCs belonging to different business units. Each Org VDC has its own Organization VDC administrator (from the business unit) who can manage Org VDC resources (networks, Edge Gateways) in his Organization VDC but does not see VDCs of other business unit.

The capability is currently available only with vCloud API. There are also four new related user rights that system administrator can use to create new roles.

  • Allow Access to All Organization VDCs
  • Edit Access Control List of Organization VDCs
  • View Access Control List of Organization VDCs
  • Implicitly Import User/Group from IdP while Editing VDC ACL

Org VDC Admin Role

Note that I have removed most of Organization and all User rights from the custom Org VDC Admin role which follows the described use case.

In the following example I have two Org VDCs – Production and Test in Organization ACME. The Organization Administrator (acmeadmin) created two Org VDC Admin users – acmeadminprod and acmeadmintest. Now he will create access for each to his corresponding Org VDC.


As was mentioned above, this is done with vCloud API PUT request. First we need to find out Org VDC and user references.

Accept: application/*+xml;version=20.0 x-vcloud-authorization: 3e131f9e3bc240269a7758fdb6c1bf7f

<?xml version="1.0" encoding="UTF-8"?>

<AdminOrg xmlns="" name="ACME" id="urn:vcloud:org:02b433db-0b37-4304-b07b-0717255ec297" href="" type="application/vnd.vmware.admin.organization+xml" xmlns:xsi="" xsi:schemaLocation="">
	<Link rel="down" href="" type="application/vnd.vmware.vcloud.tasksList+xml"/>
	<Link rel="down" href="" type="application/vnd.vmware.vcloud.metadata+xml"/>
		<UserReference href="" name="acmeuser" type="application/vnd.vmware.admin.user+xml"/>
			<UserReference href="" name="acmeadmin" type="application/vnd.vmware.admin.user+xml"/>
			<UserReference href="" name="acmeadmintest" type="application/vnd.vmware.admin.user+xml"/>
			<UserReference href="" name="acmeadminprod" type="application/vnd.vmware.admin.user+xml"/>
		<Vdc href="" name="Test" type="application/vnd.vmware.vcloud.vdc+xml"/>
		<Vdc href="" name="Production" type="application/vnd.vmware.vcloud.vdc+xml"/>

Now we can construct PUT request for each Org VDC to assign user access:

Test Org VDC


Accept: application/*+xml;version=20.0
x-vcloud-authorization: 3e131f9e3bc240269a7758fdb6c1bf7f
Content-type: application/vnd.vmware.vcloud.controlAccess+xml

<?xml version="1.0" encoding="UTF-8"?>
<ControlAccessParams xmlns="">
			<Subject href="" name="acmeadmintest" type="application/vnd.vmware.admin.user+xml"/>

Production Org VDC


Accept: application/*+xml;version=20.0
x-vcloud-authorization: 3e131f9e3bc240269a7758fdb6c1bf7f
Content-type: application/vnd.vmware.vcloud.controlAccess+xml

<?xml version="1.0" encoding="UTF-8"?>
<ControlAccessParams xmlns="">
			<Subject href="" name="acmeadminprod" type="application/vnd.vmware.admin.user+xml"/>

Now we can log in as each Org VDC Administrator and verify that we see only one Org VDC:

User acmeadminprod can see only Org VDC Production:

Prod Org VDC

User acmeadmintest can see only Org VDC Test:

Test Org VDC

As both Org VDCs were set as private the Organization Administrator will now have to explicitly enable access for regular users to each Org VDC with the same PUT request. There is maximum of 200 user/group references per Org VDC.


51 thoughts on “Organization VDC Permissions in vCloud Director

  1. Tom, I’m interested in implementing something like this in a portal I’m currently working on.

    My current design is similar to what you have. I have the following roles:

    Org Admin – Full permissions
    VDC Admin – Full permissions within 1 VDC (can create users)
    User – Read only access

    The problem I’m running into with your approach is that when a VDC Admin creates a user, it doesn’t have access to the VDC unless the Org Admin grants permissions.

    Is there anyway around this?

  2. Hello Tomas, in version vCloud Director 9 isolated VDC admin can see all organization networks (not shared) in Tenant Portal. In flash gui – only assigned VDC networks. How can I fix it?

  3. I’m trying to accomplisch the following. We are using SAML for authentication. We publish the group accosiated with the user, and in vCloud we have this group linked to a role.

    We have one Org with multiple VDC’s. One department which currently has two users, but may extend in the future should only to have access to one VDC. All other users which may access all VDC’s within this org.

    – Can I configure accesscontrol so it uses groups in stead of users? (Because future SAML users are not known yet, and they require to logon once in order to set access control in vCloud.)
    – Block this group/users to other VDC’s? Otherwise i need to selective set rights on the VDC’s which may be accessed by the other users. And his requires a lot of work when a VDC is added.
    – Any other thougts I can accoplish the above with the least administrative overheid when users and vdc’s are added.

    1. I would recommend looking into organization association. User will have access to multiple organizations and have different roles there. So this will give you more granular VDC role based management. The new HTML5 UI provides unified view of all VDCs across associated organizations.

      1. As it seems the controlAccess allows the use of groups. I have created two groups, one for everyone else, and one for the particular group of users for their own VDC. Have set that group to controlAccess of that VDC. And on all other VDC’s I have set controlAccess of the other user group. This way it’s flexible. I only need to add the group to the VDC accessControl when adding a new VDC. When users enter/leave the group they inheret the permissions from the group.

  4. Hi Tomas,

    Is there a way in vCD 9.5 to give a single user different permission on 2 OrgVDCs? I am looking to have a single Org with 2 VDCs. The user will have read only and console access on one VDC and admin rights on the 2nd VDC. Is this possible or do i need to create 2 Orgs each with a single VDC? My hope is that i can use a single org so that the customer does not need 2 log ins.


    1. Not directly. But you can create 2 organizations, associate them and create Org VDC in each. Add the same user to both orgs and then give him different role on each. The user will see both Org VDCs in single pane (H5 tenant UI), but will have different permissions in each.

  5. Hi Tomas,

    great entry. I have been tinkering with it, but I have been unable to see how you could prevent an organization admin from creating new users (or importing them from IdP) in his organization. I mean: once you have “Administrator Control”, that includes creating and importing users/groups. Is there a way to remove that permission, so that tenants cannot manage that?



      1. I was referring specifically to user management (i.e. possibility of adding/removing/importing users). “Unfortunately”, we stick to CRD 2.5, with vCD 9.1, and I was wondering if the API could be used to restrict thins, since the UI does not allow for that (is that possible then in vCD 9.5)?

        1. Thanks for the suggestion… that effectively forbids user creation, but also user view and disabling. It might probably do for our use case, anyway, although I hope that more granularity is added in future versions. Thanks again!

  6. tom, can 2 users be assigned to the same orgvdc and a different user to another orgvdc? i tried and it seems as soon as i set second user it wipes the first

      1. Hello Tomas, thank you
        Saw this “Data Centers tab, Sharing section all the way at the bottom of the left column under Settings sub section.” Any possibility to share screenshots ?

      2. Hello,

        Org VDC shared to user but user can’t access the edge to create routed network :
        “No edge found” “[ 7edbf114-2dad-4f79-8d1b-397bac527658 ] This operation is denied.”
        Any idea on permissions needed ?

        Thanks a lot

          1. ‘view gateway’ is permitted but operation is denied. Any idea ?
            Setup is :
            1 org with org admin
            VDC1 with user1
            VDC2 with user2
            Each user can only access to his VDC

  7. Hello Tomas,
    I would like to give a console access only to a user in a spesific VM. is it possible with vCD 10?
    I have a Org and org vdc which contains 1 vAPP and 10 VMs. I would like to create 10 different users and every user must see only 1 VM console. Is this possible?

  8. Hi,
    are there any restrictions on publish right bundles?
    If rights are given to 26-27-28 tenants, then they are not applied or are removed from the last three and are appointed by three new ones.

  9. the problem is that the rights for the org admin fly off when you want to assign more than 25 and there is a problem for this, the tenant breaks the ssl vpn tab.

  10. curl -k –location –request PUT ‘’ \
    –header ‘Content-type: application/vnd.vmware.vcloud.controlAccess+xml’ \
    –header ‘Accept: application/*+xml;version=34.0’ \
    –header ‘Authorization: Bearer REPLACED’ \
    –header ‘Cookie: vcloud_jwt=REPLACED; vcloud_session_id=REPLACED’ \
    -d @njedgenjitadmin.xml

    cat njedgenjitadmin.xml



    gives me “stackTrace=” HTTP 415 Unsupported Media Type” OR majorErrorCode=”415″ message=”Unsupported Media Type” minorErrorCode=”UNSUPPORTED_MEDIA_TYPE”

  11. In 10.1 – where in the UI is it available or maybe a better question – How?

    !0.1 doesnt seem to clearly mark how this is done. Any guidance would be appreciated!

  12. I see this works between Org VDC’s but what if I want to create a Super Org Administrator? Some kind of reseller who can access all his individual Organizations?

  13. Hi Tomas,
    We are working to create an API admin role but are running into an issue with giving them the rights to create and modify an org’s edge(s). One of the commandlet specified is ‘new-OrgVdcNetwork” and they are getting a permissions error that points us to the AIP Admin needing “provider admin” rights. We do not want to give them provider admin rights, just the ability to modifty\create edges. What rights would they need for this on VCD 10.2.2 I know its an old forum but any help is much apprichiated.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.