An administrator's privileges are scoped by the organization to which the administrator authenticates.

The vCloud API defines two levels of administrative privilege:

Organization administrators, who have administrative privileges in a specific organization.

System administrators, who have superuser privileges throughout the system. System administrators are members of the System organization, and can create, read, update, and delete all objects in a cloud. They have organization administrator rights in all organizations in a cloud, and can operate directly on vSphere resources to create and modify provider VDCs, external networks, network pools, and similar system-level objects.

Some administrative operations, and all vSphere platform operations, are restricted to the system administrator. Before you attempt these operations, log in to the System organization with the user name and password of the system administrator account that was created when vCloud Director was installed. For example, if the system administrator’s user name and password was defined as administrator and Pa55w0rd, the system administrator login credentials are the MIME Base64 encoding of the string administrator@System:Pa55w0rd.

Note

When logging in using a SAML identity provider, the system administrator must use the vSphere SSO Service as the identity provider. See Create a Login Session Using a SAML Identity Provider.

The System organization is created automatically when vCloud Director is installed. Unlike the organizations represented by Org and AdminOrg objects, the System organization cannot contain catalogs, VDCs, groups, or users who are not system administrators.

When a system administrator logs in to the REST API, the OrgList in the returned Session element contains a link to the System organization.

<OrgList ... >
   ...
   <Org
      type="application/vnd.vmware.admin.systemOrganization+xml" 
      name="System" 
      href="https://vcloud.example.com/api/admin/org/123"/>
   ...
</OrgList>