Upon creation, catalogs and vApps grant full access to their owners and no access to other users. The vCloud API access control mechanism enables object owners to retrieve or update these access controls as needed.

To retrieve or update the access controls on a vApp or catalog, use controlAccess links. The controlAccess links for catalogs are included when you retrieve the containing AdminOrg. The controlAccess links for a vApp are included in the VApp element itself.

vCloud Director defines three levels of access:

ReadOnly

The ReadOnly access level grants rights to read or use the object.

Change

The Change access level includes all rights granted by ReadOnly access and grants additional rights to modify the object and its properties.

FullControl

The FullControl access level includes all rights granted by Change access and grants additional rights to change the owner of the object, share it, or delete it.

See Access Rights to vCloud Director Objects for detailed information about the rights granted by each access level.

A Virtual Infrastructure Administrator or vApp owner can control access to a vApp.

Each VApp element includes two types of access control links:

Links where rel="down".

<Link
   rel="down"
   type="application/vnd.vmware.vcloud.controlAccess+xml"
   href="https://vcloud.example.com/api/vApp/vapp-id/controlAccess/"/>

Use this kind of link to retrieve the access control settings for the vApp identified in the href value.

Links where rel="controlAccess".

<Link
   rel="controlAccess"
   type="application/vnd.vmware.vcloud.controlAccess+xml"
   href="https://vcloud.example.com/api/vApp/vapp-id/action/controlAccess/"/>

Use this kind of link to specify new access control settings for the vApp identified in the href value. You specify the new access control settings in a ControlAccessParams element that you post to the URL that the href value of this link specifies. See Update vApp Access Controls for an example.

A Virtual Infrastructure Administrator can control access to a catalog. Each Catalog element includes two types of access control links:

Links where rel="down".

<Link
   rel="down"
   type="application/vnd.vmware.vcloud.controlAccess+xml"
   href="https://vcloud.example.com/api/org/id/catalog/id/controlAccess/"/>

Use this kind of link to retrieve the access control settings for the catalog identified in the href value.

Links where rel="controlAccess".

<Link
   rel="controlAccess"
   type="application/vnd.vmware.vcloud.controlAccess+xml"
   href="https://vcloud.example.com/api/org/id/catalog/id/action/controlAccess/"/>

Use this kind of link to specify new access control settings for the catalog identified in the href value. You specify the new access control settings in a ControlAccessParams element that you post to the URL that the href value of this link specifies.

To specify access controls that apply to all members of an organization, a Virtual Infrastructure Administrator can set IsSharedToEveryone to true and specify an access level in the EveryoneAccessLevel element.

The following ControlAccessParams element grants read access to all members of the organization.

<ControlAccessParams
   xmlns="http://www.vmware.com/vcloud/v1.5">
   <IsSharedToEveryone>true</IsSharedToEveryone>
   <EveryoneAccessLevel>ReadOnly</EveryoneAccessLevel>
</ControlAccessParams>

To specify access controls that apply to specific users, a Virtual Infrastructure Administrator can set IsSharedToEveryone to false and specify an access level in an AccessSettings element that the ControlAccessParams request contains.

An AccessSettings element is populated with one or more AccessSetting elements, each of which assigns an access level to the user identified in the Subject element. The following ControlAccessParams element grants full control to one user and read-only access to another user.

<ControlAccessParams
   xmlns="http://www.vmware.com/vcloud/v1.5">
   <IsSharedToEveryone>false</IsSharedToEveryone>
   <AccessSettings>
      <AccessSetting>
         <Subject
            type="application/vnd.vmware.admin.user+xml"
            href="https://vcloud.example.com/api/admin/user/40"/>
         <AccessLevel>FullControl</AccessLevel>
      </AccessSetting>
      <AccessSetting>
         <Subject
            type="application/vnd.vmware.admin.user+xml"
            href="https://vcloud.example.com/api/admin/user/45"/>
         <AccessLevel>ReadOnly</AccessLevel>
      </AccessSetting>
   </AccessSettings>
</ControlAccessParams>

Ownership of a VApp or Catalog object is expressed in an Owner element that you can retrieve from the object. This element contains a User element that identifies the owner with a reference to a specific user. The initial owner of an object is the user who created it.

A Virtual Infrastructure Administrator can view or change the owner of a VApp or Catalog object using the procedure documented in View or Change the Owner of an Object.