VMware vCloud Director has been designed to be a secure environment from the bottom layer to the top. It is, however, up to the vCloud Director administrators to use security roles and LDAP integration to keep VMware vCloud secure. Note that this was based on vCloud Director Version 1.5.
The vCloud Director security guide is available at http://www.vmware.com/files/pdf/techpaper/VMW_10Q3_WP_vCloud_Director_Security.pdf, which covers in detail how to address the security needed for specific environments.
If you look at the vCloud Director security model and how a user can be identified, you will see that user identification can happen from five possible locations:
Locally defined in vCloud Director (not desirable from a security standpoint)
Imported users from a Lightweight Directory Access Protocol (LDAP) server into vCloud Director
Locally defined users in each organization (not desirable from a security standpoint)
Imported users from an LDAP server into a specific organization
Imported users from either the VMware vSphere identity provider (IdP) or the external identity provider (IdP)
System administrators are defined at the system level, and they carry full system-level access.
Like VMware vSphere, vCloud Director uses roles and permissions to determine what actions a user can perform in an organization. vCloud Director comes with a number of predefined roles with specific rights. System administrators and organization administrators can assign each user or group a role. The same user can be imported into different organizations from one LDAP system, and that user can then be assigned different rights in each organization if desired. System administrators can also modify any of the existing roles and create custom roles.
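The following audit sketch is an added example, not code from the original text or from VMware. It classifies an exported user inventory into the five identity sources listed above, flags locally defined accounts, and reports imported users whose role differs between organizations. The record layout (`scope`, `org`, `source`, `role`) and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# The five identity sources listed above. "scope" and "source" are
# hypothetical field names chosen for this example.
SOURCES = {
    ("system", "local"): "locally defined in vCloud Director",
    ("system", "ldap"): "LDAP import into vCloud Director",
    ("org", "local"): "locally defined in an organization",
    ("org", "ldap"): "LDAP import into an organization",
}
IDP = "identity provider (IdP) import"

# Constructed sample inventory; not real vCloud Director output.
USERS = [
    {"name": "root-ops", "scope": "system", "org": None, "source": "local", "role": "System Administrator"},
    {"name": "jdoe", "scope": "org", "org": "Finance", "source": "ldap", "role": "Organization Administrator"},
    {"name": "jdoe", "scope": "org", "org": "Engineering", "source": "ldap", "role": "vApp User"},
    {"name": "tmp-build", "scope": "org", "org": "Engineering", "source": "local", "role": "Organization Administrator"},
    {"name": "asmith", "scope": "org", "org": "Finance", "source": "idp", "role": "vApp User"},
]

def classify(user):
    """Map a record to one of the five identity sources; reject anything else."""
    if user["source"] == "idp":
        return IDP
    key = (user["scope"], user["source"])
    if key not in SOURCES:
        raise ValueError(f"unclassified identity source: {key}")
    return SOURCES[key]

def local_accounts(users):
    """Accounts the text marks as not desirable from a security standpoint."""
    local = (SOURCES["system", "local"], SOURCES["org", "local"])
    return [(u["name"], u["org"] or "system") for u in users if classify(u) in local]

def divergent_roles(users):
    """Imported users whose role differs between organizations.
    Assumes the same name means the same directory identity."""
    seen = defaultdict(dict)
    for u in users:
        if u["scope"] == "org" and classify(u) not in (SOURCES["org", "local"],):
            seen[u["name"]][u["org"]] = u["role"]
    return {n: dict(o) for n, o in seen.items() if len(set(o.values())) > 1}

if __name__ == "__main__":
    for name, where in local_accounts(USERS):
        print(f"local account: {name} ({where})")
    for name, orgs in divergent_roles(USERS).items():
        print(f"{name} has different roles per organization: {orgs}")
```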
By default, vCloud Director ships with some predefined roles and those are: