User roles and access permissions

This document describes the Skytap permissions model and explains the differences between different user roles.


Overview: Access to templates, environment, and assets

Most activity in Skytap centers on templates, environments, and assets (resources). Generally, a user’s permissions to edit and use an environment, template, or asset depends on his or her user role and whether or not the user owns the resource.

Default access and permissions

Users create resources by importing VMs, uploading asset files, or cloning existing resources. When a user creates a resource, the user becomes the resource owner.

  • Standard users and user managers have permission to view, edit, share, or delete the resources they own. By default, users can’t view the resources owned by other users.
  • Administrators have permission to view, edit, share, or delete all of the resources created in the account.

Extending access and permissions to other Skytap users

An administrator can give other, non-administrator users the ability to generate reports.

Additionally, a user or administrator can share a resource with other Skytap users by adding the resource to a project. The project members can view, use, and/or manage the resource, depending on their project role and user role. For more information, see Understanding project roles.

Public templates and assets

Skytap provides public templates and public assets that include pre-built environments and helpful files. These resources are owned by Skytap—not by other users.

  • Public templates can’t be added to projects, but they can be copied (and their copies can be shared).
  • Administrators can enable or restrict each user’s access to public templates and assets (see Additional user permissions below).
  • Administrators can’t edit or delete public templates or assets.

User roles

When you create a user, you assign one of four user roles: Restricted, Standard, User Manager, or Administrator, with the following permissions.

Restricted Standard User Manager Administrator Can do this
Access shared project resources
* Create and own projects
Create environments, templates, and assets
Create and edit users and groups
Delete groups
Create and view reports.
Create and edit departments
Delete users
Create and edit account-wide settings (password policies, access policies, usage limits, etc.)
Edit and delete environments, templates, and assets owned by all users in the account.

* A restricted user can’t create a project, but another user can make a restricted user a project owner. For information specific to project roles, see Understanding project roles.

Restricted users have limited permission to create environments.

An administrator must grant reporting privileges for a user to create and view reports.


  • The restricted role is best for users who need tightly-controlled access to a limited number of resources.
  • The standard role is best for most users.
  • The user manager role is best for users who need to manage and organize users and groups but who don’t need full administrator capabilities.
  • The administrator role is best for trusted users in your organization who need to manage users, resources, and account-wide settings.

VPN permissions

Administrators can restrict a user’s ability to connect Skytap virtual environments to a VPN in the account. For more information, see Configuring access to a VPN.

Additional user permissions

Skytap has additional permissions that you can enable or disable for each user. Some of these permissions are displayed only when specific features are enabled in your account.

The table below shows the additional permissions that are optional (O) for each type of user.

  • Most permissions are mandatory (M) for administrators and can’t be disabled.
  • Restricted users can’t have most permissions enabled.
Restricted Standard User Manager Administrator Permission
O O O M This user is able to access public templates and public assets.
- - O O M This user is able to import VMs into Skytap.
- - O O M This user is able to export VMs from Skytap.
- - O O M This user is able to generate reports from Skytap.

Reporting can be enabled for the entire account or just the user's department.

- - O O O This user is able to set promiscuous mode on VM network adapters for Skytap.
This permission is displayed when your customer account is enabled for promiscuous mode.

For instructions, see Editing users.

Viewing owned and shared resources in Skytap

Every resource page has filters that display resources by access level:

  • My – displays the resources you own.
  • Company – displays the resources you have access to.

    • If you’re a user, this includes resources you own and resources shared with you through projects.
    • If you’re an administrator, this includes all of the resources owned by you and your users.
  • Skytap – displays all of the public templates or assets that you have access to. If you don’t have access to public templates and assets, this tab doesn’t display.
  • All – displays all of the personal, company, and public resources that you have access to. If you don’t have access to public templates and assets, this tab doesn’t display.

You can only see resources that you have access to.

Templates Page