This role is designed to give administrators access to manage virtual machines, networks, and other
settings within the folder. The CloudAdmin role will also give the junior administrators access to all
global permissions that are associated with the Development folder.
"The CloudAdmin role is designed to give administrators access to manage a single folder. This role
grants access to manage virtual machines, networks, and other settings within the folder.
Additionally, this role grants access to all global permissions that are associated with the folder. For
example, if the folder has global permissions that allow users to create or delete virtual machines,
the CloudAdmin role will grant access to those permissions within the folder."
The CloudAdmin user can grant other users or groups read-only access to VMware Cloud on AWS
vCenter management objects such as the Mgmt-ResourcePool, Management VMs folder, Discovered
Virtual Machines folder, vmc-hostswitch, and vsanDatastore. Because this read-only access does not
propagate to management objects, you cannot grant it as a Global Permission and instead must
explicitly grant it for each management object. VMware Cloud on AWS runs a script once a day that
updates any newly created management objects (such as objects in a new cluster) so that the
CloudAdmin user and CloudAdminGroup SSO group have the updated role applied. The script itself
does not grant additional access to any user or group, so you'll need to wait until it completes before
the CloudAdmin can use this workflow to grant read-only access to those objects.
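As an added example (not from the VMware documentation or from this page), the per-object read-only grant described above done in PowerCLI: each management object named in the text gets its own non-propagating ReadOnly permission, and the script is safe to re-run after the daily VMC script has added objects from a new cluster. The vCenter address and the SSO group name are placeholders to replace; the object names are the ones listed above.

```powershell
# Added example, not VMware's own code. Assumes PowerCLI is installed and that
# 'vcenter.sddc.example' and the SSO group 'ReadOnlyAuditors' are placeholders.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.sddc.example' | Out-Null

# The principal that should get read-only visibility of the management objects.
$principal = Get-VIAccount -Group -Name 'ReadOnlyAuditors' -Domain 'vsphere.local'
$readOnly  = Get-VIRole -Name 'ReadOnly'

# Management objects from the text. Each must be granted individually: the
# permission does not propagate, so it cannot be a single Global Permission.
$targets = @(
    Get-ResourcePool -Name 'Mgmt-ResourcePool'
    Get-Folder -Name 'Management VMs' -Type VM
    Get-Folder -Name 'Discovered Virtual Machines' -Type VM
    Get-VDSwitch -Name 'vmc-hostswitch'
    Get-Datastore -Name 'vsanDatastore'
)

foreach ($entity in $targets) {
    # Skip objects that already carry a permission for this principal, so the
    # script is idempotent when re-run after new management objects appear.
    $existing = Get-VIPermission -Entity $entity -Principal $principal -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Already set on $($entity.Name): $($existing.Role)"
        continue
    }
    # -Propagate:$false keeps the grant on this object only, matching the
    # documented behaviour that read-only access does not propagate.
    New-VIPermission -Entity $entity -Principal $principal -Role $readOnly -Propagate:$false | Out-Null
    Write-Host "Granted ReadOnly on $($entity.Name) to $($principal.Name)"
}

# Review step: list the direct permissions now present on the management objects.
Get-VIPermission -Entity $targets |
    Select-Object Entity, Principal, Role, Propagate |
    Format-Table -AutoSize
```

Run it as the CloudAdmin user only after the daily VMC script has finished, since objects it has not yet updated will not accept the grant.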
Reference:
https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vsphere.vmc-awsmanage-data-center-vms.doc/GUID-06B8A15B-4BE9-4236-8BEA-3F4F7C55D87A.html