Data Management for VMware Tanzu user accounts can originate from two different identity sources: the DMS Provider local database (Local user) and a configured LDAP server (LDAP user). DMS manages Local users and LDAP users independently and differently.
Recall that a DMS organization is comprised of one or more users:
The first Local user account created by Data Management for VMware Tanzu is the Provider Administrator user created during deployment of the Provider VM. This user is mandatory and cannot be deleted. DMS does not support adding additional Local users acting in the Provider Administrator role.
When a Provider Administrator user creates a Local user via the Data Management for VMware Tanzu console, they must identify the organization to which the user belongs. A Local user can be a member of only a single organization.
DMS uses the Email ID of a Local user as their account identifier. The Email ID of a user must be unique. (DMS does not send an email validation to verify the validity of the supplied email.)
DMS does not allow two organizations to share a Local user member with the exact same email address. If an individual must be a member of two organizations as a Local user, they must have two local accounts that specify different Email IDs and have differing organization assignment.
An LDAP user is a user imported into Data Management for VMware Tanzu from an existing LDAP identity provider. A Provider Administrator user must configure an LDAP server for the DMS installation before LDAP users can be imported. This configuration may be completed during DMS installation or after.
Data Management for VMware Tanzu uses the configured LDAP server for both authentication and authorization.
The Data Management for VMware Tanzu permissions assigned to an LDAP user depends on the LDAP groups in which they are a member, and the assignment and mapping of these LDAP groups to DMS organizations and roles:
For a given login, Data Management for VMware Tanzu first attempts to authenticate a user as a Local user.
If the Email ID used to log in to DMS matches that of a Local user and the correct password is provided, authentication succeeds. DMS performs no further authentication or processing with LDAP.
If no matching Local user is found, DMS attempts to authenticate against the configured LDAP server. If the domain name of the Email ID matches the registered LDAP server and the password is valid, authentication succeeds.
After successful authentication of any type, the user must select an organization for the current session. A Local user can choose the (single) organization to which they belong. An LDAP user may have multiple organizations and roles (format:
Organization_name [role]) to choose from.
An LDAP user that is logged into an active DMS session can change the effective organization/role for the session via a drop-down menu located in the upper right corner of the console.