An organization administrator can use controlAccess links to control access to vApps and catalogs.

Catalogs and vApps include two types of access control links:

Links where rel="down".

<Link
   rel="down"
   type="application/vnd.vmware.vcloud.controlAccess+xml"
   href="https://vcloud.example.com/api/object-type/id/controlAccess/"/>

Use this kind of link to retrieve the access control settings for the object identified in the href value.

Links where rel="controlAccess".

<Link
   rel="controlAccess"
   type="application/vnd.vmware.vcloud.controlAccess+xml"
   href="https://vcloud.example.com/api/object-type/id/action/controlAccess/"/>

Use this kind of link to specify new access control settings for the object identified in the href value. You specify the new access control settings in a ControlAccessParams element that you post to the URL that the href value of this link specifies.

To specify access controls that apply to all members of an organization, an organization administrator can set IsSharedToEveryone to true and specify an access level in the EveryoneAccessLevel element. The following ControlAccessParams element grants read access to all members of the organization.

<ControlAccessParams
   xmlns="http://www.vmware.com/vcloud/v1.5">
   <IsSharedToEveryone>true</IsSharedToEveryone>
   <EveryoneAccessLevel>ReadOnly</EveryoneAccessLevel>
</ControlAccessParams>

To specify access controls that apply to individuals, an organization administrator can set IsSharedToEveryone to false and specify an access level in an AccessSettings element that the ControlAccessParams request contains. An AccessSettings element is populated with one or more AccessSetting elements, each of which assigns an access level to the user identified in the Subject element. The following ControlAccessParams element grants full control to one user and read-only access to another user.

<ControlAccessParams
   xmlns="http://www.vmware.com/vcloud/v1.5">
   <IsSharedToEveryone>false</IsSharedToEveryone>
   <AccessSettings>
      <AccessSetting>
         <Subject
            type="application/vnd.vmware.admin.user+xml"
            href="https://vcloud.example.com/api/admin/user/40"/>
         <AccessLevel>FullControl</AccessLevel>
      </AccessSetting>
      <AccessSetting>
         <Subject
            type="application/vnd.vmware.admin.user+xml"
            href="https://vcloud.example.com/api/admin/user/45"/>
         <AccessLevel>ReadOnly</AccessLevel>
      </AccessSetting>
   </AccessSettings>
</ControlAccessParams>
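
The following Python sketch is an added example, not part of the vCloud API or its documentation. It audits a ControlAccessParams body, such as one retrieved through a rel="down" link, and reports organization-wide sharing and any per-user grant above ReadOnly. The function name, finding codes, and sample body are constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = {"vc": "http://www.vmware.com/vcloud/v1.5"}

# Constructed sample body, shaped like the ControlAccessParams elements above.
SAMPLE = """<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5">
   <IsSharedToEveryone>true</IsSharedToEveryone>
   <AccessSettings>
      <AccessSetting>
         <Subject type="application/vnd.vmware.admin.user+xml"
            href="https://vcloud.example.com/api/admin/user/40"/>
         <AccessLevel>FullControl</AccessLevel>
      </AccessSetting>
      <AccessSetting>
         <Subject type="application/vnd.vmware.admin.user+xml"
            href="https://vcloud.example.com/api/admin/user/45"/>
         <AccessLevel>ReadOnly</AccessLevel>
      </AccessSetting>
   </AccessSettings>
</ControlAccessParams>"""

def audit_control_access(xml_text):
    """Return a list of (code, detail) findings for one ControlAccessParams body."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}ControlAccessParams" % NS["vc"]:
        raise ValueError("not a ControlAccessParams element: " + root.tag)
    findings = []
    shared = root.findtext("vc:IsSharedToEveryone", "", NS).strip().lower() == "true"
    level = root.findtext("vc:EveryoneAccessLevel", None, NS)
    if shared and level is None:
        findings.append(("SHARED_NO_LEVEL", "shared to everyone, no EveryoneAccessLevel"))
    elif shared and level.strip() != "ReadOnly":
        findings.append(("SHARED_ELEVATED", "everyone has " + level.strip()))
    elif shared:
        findings.append(("SHARED_READONLY", "everyone has ReadOnly"))
    elif level is not None:
        findings.append(("LEVEL_WITHOUT_SHARE", "EveryoneAccessLevel set but not shared"))
    # Per-subject grants: report anything above ReadOnly with the Subject href.
    for setting in root.iterfind("vc:AccessSettings/vc:AccessSetting", NS):
        subject = setting.find("vc:Subject", NS)
        href = subject.get("href", "") if subject is not None else ""
        granted = (setting.findtext("vc:AccessLevel", "", NS) or "").strip()
        if granted != "ReadOnly":
            findings.append(("SUBJECT_ELEVATED", href + " has " + (granted or "no level")))
    return findings

if __name__ == "__main__":
    for code, detail in audit_control_access(SAMPLE):
        print(code, detail)
```

ElementTree is not hardened against hostile XML, so feed this only bodies returned by your own vCloud endpoint.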

The schema reference includes detailed information and examples for controlAccess operations and the ControlAccessParams element. See About the Schema Reference.

Ownership of a VApp or Catalog object is expressed in an Owner element that you can retrieve from the object. This element contains a User element that identifies the owner with a reference to a specific user. The initial owner of an object is the user who created it.

A system administrator can view or change the owner of a VApp or Catalog object using the procedure documented in View or Change the Owner of an Object.