05-06-15

VCP6-CMA – Section 2: Administer vRealize Automation Users, Roles and Privileges


Objective 2.1: Create Roles and Apply Privileges to Roles

Configure system-wide roles and responsibilities

  • There are three system-wide roles:
    • System Administrator (create tenants, configure identity stores, assign IaaS and tenant administrator roles, configure Orchestrator, configure branding and notifications, monitor system logs)
    • IaaS Administrator (configure IaaS features and global properties, manage IaaS licences, create and manage fabric groups, create and manage endpoints and their credentials, configure proxy agents, manage AWS instance types, monitor IaaS logs)
    • Fabric Administrator (manage build profiles, compute resources, cost profiles, network profiles, AWS EBS volumes and key pairs, machine prefixes, the property dictionary, and reservations and reservation policies)
  • System-wide roles are not granted from a tenant's Identity Store Users & Groups page. The system administrator appoints IaaS administrators on the tenant's Administrators tab (see "Appoint tenant administrators" below), and an IaaS administrator designates fabric administrators when creating a fabric group. Because IaaS administrators hold the credentials for every endpoint (vCenter, AWS and so on), keep that role to a small, audited group.

Assign user roles within tenants

  • There are seven tenant-based roles:
    • Tenant Administrator (manage tenant identity stores, user and group roles, custom groups, tenant branding, notification providers and scenarios; create and manage approval policies; manage catalog services, items and actions; manage entitlements; monitor tenant machines and send reclamation requests; configure Orchestrator servers, plug-ins and workflows for use in the Advanced Service Designer; create and publish shared IaaS blueprints)
    • Service Architect (define custom resource types, create and publish service blueprints with the ASD, create and publish custom actions)
    • Business Group Manager (create and publish business-group-specific IaaS blueprints, catalog items and entitlements, monitor resource usage in a business group)
    • Support User (request and manage items on behalf of other users within their business groups)
    • Business User (request and manage services)
    • Approval Administrator (create and manage approval policies)
    • Approver (approve catalog requests, including provisioning requests and any resource actions)
  • To assign a tenant role, log in as a tenant administrator and go to Administration > Users & Groups > Identity Store Users & Groups. Search for the required user or group, add the required roles from the list and click Update to save.

Configure tenant roles and responsibilities

  • Log in to the vRealize Appliance as a tenant administrator
  • Select Administration > Groups
  • Click the Add icon
  • Select Identity Store Group
  • Type a group name in the Add existing Identity Store groups to this group search box
  • Select one or more roles from the Add Roles to this Group list (the Authorities Granted by Selected Roles list shows the specific authorities you are granting; review it before saving, because the group receives the union of every role you select)
  • Click Update
  • Changes to user access rights take effect immediately

Add identity stores

  • Log in to the vRealize Appliance as a tenant administrator
  • Select Administration > Identity Stores
  • Click the Add icon
  • Type a name in the Name text box
  • Select the type of the identity store from the Type drop-down menu:
    • OpenLDAP
    • Active Directory
  • Type the URL for the identity store in the URL text box (for example, ldap://10.141.64.166:875). A plain ldap:// URL sends the bind password and all directory traffic in cleartext; use ldaps:// wherever the directory presents a certificate the appliance trusts.
  • Type the domain for the identity store in the Domain text box
  • (Optional) Type the domain alias in the Domain Alias text box
  • Type the login user Distinguished Name in the Login User DN text box (for example, cn=demoadmin,ou=demo,dc=dev,dc=mycompany,dc=com). This account only needs read access to the user and group search bases; use a dedicated service account rather than a domain administrator, because the appliance stores its password.
  • Type the password for the identity store login user in the Password text box
  • Type the group search base Distinguished Name in the Group Search Base DN text box (for example, ou=demo,dc=dev,dc=mycompany,dc=com)
  • Type the user search base Distinguished Name in the User Search Base DN text box (for example, ou=demo,dc=dev,dc=mycompany,dc=com). Users outside this base are not found, so scope it as narrowly as the tenant's user population allows.
  • Click Test Connection
  • Click Add
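The identity store fields above (and the "Configure identity stores" and "Link an identity store to a tenant" steps below, which fill in the same form) are easy to get subtly wrong before Test Connection is ever clicked. The following is an added example, not code from this post or from VMware: an offline checker for a store definition that flags a cleartext ldap:// URL, a non-default port, a malformed DN, a search base whose dc= components do not match the Domain field, and a search base set at the domain root. The checks are this example's own good-practice assumptions, not vRA validation rules; the URL and DNs are the page's examples, while the domain dev.mycompany.com and the ldaps host name are assumed.

```python
"""Offline sanity checks for a vRealize Automation LDAP identity-store definition.

Added example (not VMware's or the post author's code). The checks below are
good-practice assumptions, not behaviour of the vRA "Test Connection" button.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import re

# One RDN in the "attr=value" form used by the page's example DNs.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs with lower-cased attribute names.
    Raises ValueError on any component that is not 'attr=value'."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not _RDN.match(rdn):
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.lower(), value.strip()))
    return pairs


def dn_domain(dn: str) -> str:
    """Domain spelled by the dc= components: dc=dev,dc=mycompany,dc=com -> dev.mycompany.com."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc").lower()


def is_domain_root(dn: str) -> bool:
    """True when the DN consists only of dc= components, i.e. searches cover the whole domain."""
    return all(attr == "dc" for attr, _ in parse_dn(dn))


@dataclass
class IdentityStore:
    """The fields on the Add Identity Store form (password omitted on purpose)."""
    name: str
    type: str  # "Active Directory" or "OpenLDAP"
    url: str
    domain: str
    login_user_dn: str
    group_search_base_dn: str
    user_search_base_dn: str


def check_identity_store(store: IdentityStore) -> list:
    """Return a list of findings; an empty list means nothing to object to."""
    findings = []

    u = urlsplit(store.url)
    if u.scheme == "ldap":
        findings.append("URL uses ldap://: bind password and directory traffic travel in cleartext; prefer ldaps://")
    elif u.scheme != "ldaps":
        findings.append(f"URL scheme {u.scheme!r} is neither ldap:// nor ldaps://")
    if not u.hostname:
        findings.append("URL has no host")
    default_port = {"ldap": 389, "ldaps": 636}.get(u.scheme)
    if u.port is not None and default_port and u.port != default_port:
        findings.append(f"port {u.port} is not the default {default_port} for {u.scheme}://; confirm it is intentional")

    dns = {
        "Login User DN": store.login_user_dn,
        "Group Search Base DN": store.group_search_base_dn,
        "User Search Base DN": store.user_search_base_dn,
    }
    parsed_ok = True
    for label, dn in dns.items():
        try:
            parse_dn(dn)
        except ValueError as err:
            findings.append(f"{label}: {err}")
            parsed_ok = False
    if not parsed_ok:
        return findings  # relational checks need well-formed DNs

    # Search bases must live in the domain the store claims to serve, and
    # should be narrower than the domain root.
    for label in ("Group Search Base DN", "User Search Base DN"):
        dn = dns[label]
        if dn_domain(dn) != store.domain.lower():
            findings.append(f"{label} {dn!r} does not belong to domain {store.domain!r}")
        if is_domain_root(dn):
            findings.append(f"{label} is the domain root; narrow it to an OU so only intended users and groups are searchable")
    return findings


# The page's own example values; the domain name is assumed.
PAGE_EXAMPLE = IdentityStore(
    name="demo", type="OpenLDAP",
    url="ldap://10.141.64.166:875", domain="dev.mycompany.com",
    login_user_dn="cn=demoadmin,ou=demo,dc=dev,dc=mycompany,dc=com",
    group_search_base_dn="ou=demo,dc=dev,dc=mycompany,dc=com",
    user_search_base_dn="ou=demo,dc=dev,dc=mycompany,dc=com",
)

if __name__ == "__main__":
    for finding in check_identity_store(PAGE_EXAMPLE):
        print("-", finding)
```

Run it on the page's example and it reports two findings (the cleartext scheme and port 875); swapping the URL for ldaps://host:636 clears both, which is the configuration you actually want before Test Connection.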

Appoint tenant administrators

  • IaaS administrators cannot be added until the IaaS components have been installed
  • You must first configure an identity store for the tenant
  • Log in to the vRealize Appliance as the system administrator, select the tenant and click the Administrators tab
  • Type the name of a user or group in the Tenant Administrators or Infrastructure Administrators search box and press Enter
  • Verify that the user or group name appears in the Tenant Administrators or Infrastructure Administrators list
  • Click Update

Objective 2.2: Configure AD/LDAP Integration

Configure identity stores

  • Log in to the vRealize Appliance as a tenant administrator
  • The procedure is the same as in "Add identity stores" above
  • The search base DNs, LDAP bind user and LDAP URL/port can be changed later if required; re-run Test Connection after any change
  • Each tenant must have at least one identity store

Link an identity store to a tenant

  • Log in to the vRealize Appliance as the system administrator
  • Click Add Tenant and fill in the details
  • Click the new tenant's Identity Stores tab and add a store; the procedure is the same as in "Add identity stores" above

Configure a Native Active Directory Identity Store

  • A Native Active Directory identity store is only available on the default tenant (other tenants use the Active Directory type over LDAP, as above)
  • Log in to the vRealize Appliance as a system administrator
  • Join your Identity Appliance to Active Directory to enable Native Mode (this is done from the Identity Appliance management console, not from the vRealize Appliance)
  • In the Tenants view, select the default tenant (vsphere.local)
  • Click the Identity Stores tab, click Add and type the name of the joined AD domain
  • Click Add, then Update