A newly created organization has no users or groups in it. An administrator must create or import them.

An organization can contain an arbitrary number of users and groups. Users can be created by the organization administrator or imported from an LDAP directory service or SAML-based identity provider. Groups must be imported. Permissions within an organization are controlled through the assignment of rights and roles to users and groups.

Users can be created locally or imported from the organization's LDAP service if the organization has defined one. Users and groups can also be imported from an external identity provider that supports SAML (the Security Assertion Markup Language). Local user accounts are stored in the vCloud Director database and managed by the organization administrator. Imported user accounts are managed by the service from which the user was imported. If an imported user's password, contact information, or other account properties change in that service, the changes do not take effect in vCloud Director until the user is imported again.

In vCloud Director, an identity provider is a service that accepts credentials such as a user name and password and authenticates the user as a member of a group or organization. vCloud Director recognizes two kinds of identity providers:

Integrated: The integrated identity provider is a service provided by vCloud Director. It can authenticate users who are created locally or imported from LDAP.

SAML: An organization can define a SAML identity provider that can be used as part of a federated identity strategy. Such a strategy can enable an enterprise to provide access to multiple, unrelated services, including vCloud Director, with a single set of credentials. This sort of authentication strategy is often referred to as "single sign-on." See Retrieve or Update Organization Settings.

The XML representation of a User can include an IdentityProvider element that specifies either INTEGRATED or SAML. If the element is missing or empty, a value of INTEGRATED is assumed.

An organization administrator can modify metadata such as name and description for a user or group object by creating a modified version of the User or Group element that represents the object and updating the object by making a PUT request to the object's rel="edit" link, supplying the modified element in the request body.
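The following is an added example, not code from the vCloud Director documentation: it parses a User element, resolves the IdentityProvider value with the INTEGRATED default described above, locates the rel="edit" link, and builds the modified element that would be sent as the body of the PUT. The sample XML, the host name and the user ID are constructed; the namespace URI is assumed to be the vCloud API namespace.

```python
import xml.etree.ElementTree as ET

# Assumption: the vCloud API XML namespace. The User document below is constructed.
NS = "http://www.vmware.com/vcloud/v1.5"
USER_TYPE = "application/vnd.vmware.admin.user+xml"

SAMPLE_USER_XML = f"""<User xmlns="{NS}" name="alice" type="{USER_TYPE}"
      href="https://vcd.example.invalid/api/admin/user/PLACEHOLDER-ID">
  <Link rel="edit" type="{USER_TYPE}"
        href="https://vcd.example.invalid/api/admin/user/PLACEHOLDER-ID"/>
  <Description>Original description</Description>
  <IdentityProvider></IdentityProvider>
</User>"""


def parse_user(user_xml: str) -> ET.Element:
    """Parse a User representation as returned by a GET on its href."""
    return ET.fromstring(user_xml)


def identity_provider(user: ET.Element) -> str:
    """Return INTEGRATED or SAML; a missing or empty element means INTEGRATED."""
    elem = user.find(f"{{{NS}}}IdentityProvider")
    value = (elem.text or "").strip() if elem is not None else ""
    if value == "":
        return "INTEGRATED"
    if value not in ("INTEGRATED", "SAML"):
        raise ValueError(f"unexpected IdentityProvider value: {value!r}")
    return value


def edit_link(user: ET.Element) -> tuple:
    """Return (href, type) of the rel="edit" Link; absent means not modifiable by this caller."""
    for link in user.findall(f"{{{NS}}}Link"):
        if link.get("rel") == "edit":
            return link.get("href"), link.get("type")
    raise LookupError('User has no rel="edit" link')


def build_update(user_xml: str, new_description: str) -> tuple:
    """Return (url, content_type, body) for a PUT that changes only the Description."""
    user = parse_user(user_xml)
    desc = user.find(f"{{{NS}}}Description")
    if desc is None:
        desc = ET.SubElement(user, f"{{{NS}}}Description")
    desc.text = new_description
    href, content_type = edit_link(user)
    ET.register_namespace("", NS)  # serialize with the default namespace, as received
    # The actual request would be: PUT href, Content-Type: content_type, body below.
    return href, content_type, ET.tostring(user, encoding="unicode")
```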