You can assign a user account to one or more user groups, and assign roles and objects to the account to specify the actions the user can perform and upon what objects. Assign the Administrators role only to specific users who must access objects and perform actions in the entire environment.

To assign groups, roles, and objects to a user account, select Administration > Access Control and click the Add icon on the User Accounts toolbar. To edit a user account, select the account and click the Edit icon.

Access Control Add or Edit User Workspace - Assign Groups and Permissions Page

Assign Groups, Roles, and Objects Options



Select or deselect the groups associated with the user account. To select or deselect all accounts, click the Group Name check box. You cannot add user accounts to groups that you imported from an LDAP database.


Roles determine which actions a user can perform in the system. Select a role from the Select Role drop-down menu, and then select the Assign this role to the user check box. You can associate more than one role with the user account.

Select which objects the user can access when assigned this role.

Select Object Hierarchies: Displays groups of objects. Select an object in this list to select all the objects in the hierarchy.

Select Object: To select specific objects within the object hierarchy, click the down arrow to expand the list of objects. For example, expand the Adapter Instance hierarchy, and select one or more adapters.

Allow access to all objects in the system: Select this check box to permit the user account access to all objects in the system.


When you assign a user permission to take action on a parent object, such as an adapter, that user can perform the same action on all the parent's child objects. For example, if a user has permission to access the vRealize Operations Manager adapter, that user can access all the virtual machines associated with the adapter. This is true even if the same user holds another role that permits limited access to only one specific virtual machine.
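The following added example is not part of the product or its API. It models the inheritance rule described above so that you can review planned assignments and see which narrowly scoped roles do not actually confine an account. The hierarchy, role names, user names, and function names are hypothetical, and the model tracks object scope only, not the individual actions in each role.

```python
# Added illustration: a constructed model of the inheritance rule, not a product API.
# Object names, role names and assignments below are hypothetical sample data.
CHILDREN = {"vcenter-adapter": ["vm-01", "vm-02", "vm-03"]}
ALL_OBJECTS = {"vcenter-adapter", "vm-01", "vm-02", "vm-03"}

# user -> list of (role, objects selected for that role, allow-all-objects flag)
ASSIGNMENTS = {
    "alice": [("PowerUser", {"vcenter-adapter"}, False),
              ("ReadOnly", {"vm-01"}, False)],
    "bob": [("ReadOnly", {"vm-02"}, False)],
    "carol": [("Administrators", set(), True)],
}

def descendants(obj):
    """Return obj plus every object beneath it in the hierarchy."""
    found, stack = set(), [obj]
    while stack:
        node = stack.pop()
        if node not in found:
            found.add(node)
            stack.extend(CHILDREN.get(node, []))
    return found

def role_scope(objects, allow_all):
    """Objects one role assignment reaches after parent-to-child inheritance."""
    if allow_all:
        return set(ALL_OBJECTS)
    scope = set()
    for obj in objects:
        scope |= descendants(obj)
    return scope

def effective_scope(assignments):
    """An account reaches the union of all its role scopes; roles never subtract."""
    scope = set()
    for _role, objects, allow_all in assignments:
        scope |= role_scope(objects, allow_all)
    return scope

def audit(assignments_by_user):
    """Map user -> roles whose narrow selection does not confine the account."""
    findings = {}
    for user, assignments in assignments_by_user.items():
        total = effective_scope(assignments)
        overridden = sorted(role for role, objs, allow_all in assignments
                            if role_scope(objs, allow_all) < total)
        if overridden:
            findings[user] = overridden
    return findings

if __name__ == "__main__":
    for user, roles in audit(ASSIGNMENTS).items():
        print(user, "narrow roles overridden by a broader grant:", roles)
```

In this sample data, only alice is reported: her ReadOnly role is limited to one virtual machine, but her adapter-level role already reaches every virtual machine under that adapter.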