VCP6-CMA Section 2: Administer vRealize Automation Users, Roles and Privileges

Contents

Objective 2.1: Create Roles and Apply Privileges to Roles

Configure system-wide roles and responsibilities

  • System Administrator (administrator@vsphere.local)
    • Specified when configuring single sign-on
    • Responsibilities include:
      • Create tenants
      • Configure tenant identity stores
      • Assign IaaS Administrator role
      • Assign Tenant Administrator role
      • Configure system default branding
      • Configure system default notification providers
      • Monitor system event logs, not including IaaS logs
      • Configure the vRealize Orchestrator server for use in ASD
  • IaaS Administrator
    • The System Administrator designates an IaaS Administrator when configuring the tenant
    • Responsibilities include:
      • Configure IaaS features and global properties
      • Manage IaaS licenses
      • Create and manage fabric groups
      • Create and manage endpoints
      • Manage endpoint credentials
      • Configure proxy agents
      • Manage AWS instance types
      • Monitor IaaS logs
  • Fabric Administrator
    • The IaaS Administrator designates the Fabric Administrator when creating or editing fabric groups
    • Responsibilities include:
      • Manage build profiles
      • Manage compute resources
      • Manage cost profiles
      • Manage network profiles
      • Manage Amazon EBS volumes and key pairs
      • Manage machine prefixes
      • Manage property dictionaries
      • Manage reservations and reservation policies
  • To configure these roles:
    • Log in as a Tenant Administrator
      • Administration > Users & Groups > Identity Store Users & Groups
      • Search for the user you want to assign
      • Add the roles by selecting the appropriate check boxes
      • Select Update

Assign user roles within tenants

  • Tenant Administrators grant user access rights by assigning roles to users or groups
    • Go to Administration > Users & Groups > Identity Store Users & Groups
    • Enter a user or group in the search box
    • Click the name of the user you want to assign roles to
    • Select one or more roles from the Add Roles To This User list
    • Click Next to view more information
    • Click Update
  • Logged in users must log out and log back in again before they can make use of their new rights
  • You can also create custom groups
    • Can consist of
      • Custom Groups
      • Identity store groups
      • Individual identity store users
  • Do not need to assign roles if
    • You are using the custom group for approvals
    • You are using the custom group to manage business group users

Configure tenant roles and responsibilities

  • Tenant Administrator
    • Assigned by the System Administrator when creating the tenant
    • Tenant Administrators can assign the role to other users in the tenant
    • Responsibilities include:
      • Manage tenant identity stores
      • Manage user and group roles
      • Create custom groups
      • Customize tenant branding
      • Manage notification providers
      • Enable notification providers
      • Enable notification scenarios for tenant users
      • Create and manage approval policies
      • Manage catalog services
      • Manage catalog items
      • Manage actions
      • Manage entitlements
      • Monitor tenant machines and send reclamation requests
      • Configure vRO servers, plugins and workflows for use in ASD
      • Create and publish shared machine blueprints from IaaS
  • Service Architect
    • Assigned by the Tenant Administrator
    • User or group must be in the tenant registered with Application Services
    • Responsibilities include:
      • Create, modify and delete applications in Application Services
  • Application Catalog Administrator
    • Assigned by the Tenant Administrator
    • User or group must be in the tenant registered with Application Services
    • Responsibilities include:
      • Define services, templates, operating systems, tasks and tags in the Application Services library
  • Application Cloud Administrator
    • Assigned by the Tenant Administrator
    • User or group must be in the tenant registered with Application Services
    • Responsibilities include:
      • Define resources and deployment environments
  • Application Publisher and Developer
    • Assigned by the Tenant Administrator
    • User or group must be in the tenant registered with Application Services
    • Responsibilities include:
      • Deploy applications into the vRealize Automation catalog
      • Create, update and publish services, library items and actions in Application Services

Add Identity Stores

  • Each tenant is associated with at least one identity store
  • Deleting an identity store removes:
    • Roles assigned to users from that store
    • Roles assigned to those users through custom groups
    • The information about which services are available to those users
  • Entitlements and business groups are not affected
  • To add an identity store
    • Log in as a Tenant Administrator
    • Administration > Identity Stores
    • Click Add
    • Enter a Name
    • Select the type of identity store from the drop-down
      • OpenLDAP
      • Active Directory
      • Native Active Directory – only supported for the default tenant
    • Enter the following information
      • URL
      • Domain
      • Domain Alias – Optional
      • Login User DN
      • Group Search Base DN
      • User Search Base DN
    • Click Test Connection
    • Click Add
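The rules in the two sections above (roles inherited through custom groups, rights taking effect only after a fresh login, and what deleting an identity store does and does not remove) can be checked against a small model. This is an added example, not code from the notes or from VMware; the tenant, store, user and catalog item names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    identity_store: str                   # identity store the user came from
    roles: set = field(default_factory=set)

@dataclass
class CustomGroup:
    roles: set = field(default_factory=set)
    members: set = field(default_factory=set)   # member user names

@dataclass
class Tenant:
    identity_stores: set
    users: dict = field(default_factory=dict)           # name -> User
    custom_groups: dict = field(default_factory=dict)   # name -> CustomGroup
    entitlements: dict = field(default_factory=dict)    # user -> catalog items
    business_groups: dict = field(default_factory=dict) # name -> user names

def effective_roles(tenant, user_name):
    """Roles held directly plus roles inherited through custom groups."""
    roles = set(tenant.users[user_name].roles)
    for group in tenant.custom_groups.values():
        if user_name in group.members:
            roles |= group.roles
    return roles

def login(tenant, user_name):
    """Snapshot of roles at login; changes need a logout/login to take effect."""
    return frozenset(effective_roles(tenant, user_name))

def delete_identity_store(tenant, store):
    """Drop role assignments of users from this store, direct and via custom
    groups; entitlements and business groups stay as they were."""
    tenant.identity_stores.discard(store)
    for name, user in tenant.users.items():
        if user.identity_store == store:
            user.roles.clear()
            for group in tenant.custom_groups.values():
                group.members.discard(name)

def build_sample_tenant():
    """Constructed sample data; store, user and item names are hypothetical."""
    t = Tenant(identity_stores={"corp.example"})
    t.users["alice"] = User("corp.example", {"IaaS Administrator"})
    t.custom_groups["tenant-admins"] = CustomGroup({"Tenant Administrator"}, {"alice"})
    t.entitlements["alice"] = {"CentOS 7 Blueprint"}
    t.business_groups["Finance"] = {"alice"}
    return t
```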

Appoint tenant administrators

  • One or more tenant administrators can be appointed from the identity store that is configured for the tenant
  • Log in as a System Administrator
    • Select Administration > Tenants
    • Click the name of the Tenant
    • Click the Administrators tab
    • Enter a user or group to assign as a Tenant Administrator
    • Click Update

Objective 2.2: Configure AD/LDAP Integration

Configure identity stores

  • At least one identity store is required
  • Identity stores can be:
    • OpenLDAP or Active Directory
      • Native Active Directory is supported for the default tenant only
      • To use Native AD the Identity Appliance must be joined to the domain
  • You can use OpenLDAP or Active Directory in mixed mode without joining the Identity Appliance to the domain

Link an identity store to a tenant

  • Log in as a System Administrator
  • Select Administration > Tenants
  • Select the tenant
  • Select Identity Stores
  • Click Add
  • Add the new identity store to the tenant

Configure a Native Active Directory Identity Store

  • Identity Appliance must be joined to the domain
  • Only supported for the default tenant
  • Log in as a System Administrator
    • Select Administration > Tenants
    • Click the default tenant – vsphere.local
    • Click the Identity Stores tab
    • Click Add and select Native Active Directory from the Type drop-down
    • Enter the domain name in the Domain text box (domain.local)
    • Click Add
    • Click Update
  • Once finished, assign administrators to the identity store