To run vCenter operations from VLA workflows, you must add a new user to the VMware vRealize Orchestrator administrators group. This user then has administrator access to the VMware vRealize Orchestrator Server and can perform general administration tasks there. The group name is set in the Admin group text box during vRealize Orchestrator authentication provider configuration in vRealize Orchestrator Control Center.

vCenter Single Sign-On supports storing the user and group data in Active Directory or locally in the operating system of the machine where vCenter Single Sign-On is installed. If your vCenter Server has been associated with an Active Directory Server, create a user and add the user to the VMware vRealize Orchestrator administrators group there. Then skip steps 3-11 in this procedure and perform the rest of the steps to configure the new user's access to the vSphere inventory.

Procedure

  1. Log in to the VMware vSphere Web Client (VWC) using administrator credentials.
  2. Select Administration (highlighted for emphasis) from the Menu.
    Figure 1. Administration
  3. Click Users and Groups.
    The browser displays a screen similar to the following:
    Figure 2. Users and Groups
  4. Select the SSO domain to which you wish to add the user from the Domain dropdown (for example, vsphere.local).
  5. Click ADD USER to add a user.
    The browser displays the Add User dialog similar to the following:
    Figure 3. Add User
  6. Complete the fields in the dialog, giving the user the name vla_user and assigning a conforming password, and then click ADD.
    The browser closes the dialog and displays the Users and Groups page with your new user added.
  7. From the Domain dropdown, select the SSO domain to which the vRealize Orchestrator administrators group belongs.
  8. Click the Groups tab.
    Find the vRealize Orchestrator administrators group in the list of existing groups and click on it.
    Figure 4. vCenter Users and Groups
  9. Click ADD MEMBERS.
    The browser displays the Edit Group dialog similar to the following:
    Figure 5. Edit Group
  10. In the Add members field, select the user's SSO domain from the domain dropdown, and then select the user.
    The user is added to the group members.
  11. Click SAVE.
    The browser closes the dialog and displays the Groups tab with your new user added to the vRealize Orchestrator administrators group.
  12. Click Roles in the Navigation pane.
  13. Click the plus icon in the pane to the right of the Navigator pane (pointed to by the arrow for emphasis).
    Figure 6. Administration - Roles
    The browser displays the New Role dialog.
  14. In the New Role dialog find and check the following privileges for the role:
    Table 1. Role Privilege Settings
    Privilege Settings
    Datastore -> Allocate space
    Global -> Log event
    Network -> Assign network
    Resource -> Assign virtual machine to resource pool
    Resource -> Migrate powered off virtual machine
    Resource -> Migrate powered on virtual machine
    Virtual machine -> Change Configuration -> Change Settings
    Virtual machine -> Change Configuration -> Modify device settings
    Virtual machine -> Edit Inventory -> Create from existing
    Virtual machine -> Edit Inventory -> Remove
    Virtual machine -> Edit Inventory -> Move
    Virtual machine -> Guest operations -> Guest operation modifications
    Virtual machine -> Guest operations -> Guest operation program execution
    Virtual machine -> Guest operations -> Guest operation queries
    Virtual machine -> Interaction -> Power on
    Virtual machine -> Interaction -> Power off
    Virtual machine -> Interaction -> Suspend
    Virtual machine -> Provisioning -> Clone virtual machine
    Virtual machine -> Provisioning -> Customize guest
    Virtual machine -> Provisioning -> Deploy template
    Virtual machine -> Provisioning -> Mark as template
    Virtual machine -> Provisioning -> Mark as virtual machine
    Virtual machine -> Provisioning -> Read customization specifications
    Virtual machine -> Snapshot management -> Create snapshot
    Virtual machine -> Snapshot management -> Remove snapshot
    Virtual machine -> Snapshot management -> Revert to snapshot

    Some of the above privilege settings should be set for various LaMa operations. To understand the relations between them, refer to Role Privilege Settings - VMware VLA Role for VMware vRealize Orchestrator.
  15. Click Next.
  16. In the Role name field, type: VMware LaMa Appliance.
  17. Click Finish to create the role.
    The browser closes the New Role dialog. You should now see the new role in the list similar to the following:
    Figure 7. Roles
    Note: The VMware LaMa Appliance role is selected for emphasis.
  18. Click Hosts and Clusters from the Menu.
  19. Click on the vCenter Server you want the VMware VLA to manage.
  20. Click Permissions.
    Your browser displays a page similar to the following:
    Figure 8. Hosts and Clusters-Manage-Permissions
  21. Click the plus icon to add permission.
    Your browser displays a page similar to the following:
    Figure 9. Add Permission
  22. Choose your SSO domain, and select the user vla_user.
  23. In the Role list box, select VMware LaMa Appliance.
    Your browser displays a page similar to the following:
    Figure 10. Add Permission
  24. Make sure the Propagate to children check box is checked.
  25. Click OK.
    This saves the permission.
    Note: If the permission is set on an object other than the vCenter Server you want the VMware VLA to manage, LaMa operations may fail with execution errors, or objects may be missing from the LaMa Virtualization Landscape.

Results

You have successfully created a single user for the whole setup, added it to the VMware vRealize Orchestrator administrators group, and added the required permission for this user.
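
Steps 12 to 25 can also be scripted and checked with VMware PowerCLI. The following is an added example, not part of the original procedure or VMware's own code: it creates the role from the API privilege IDs that correspond to Table 1, stops if an existing role has drifted from that list, grants the permission at the vCenter root, and lists every permission the account holds. The host name vcenter.example.local is a placeholder, and vsphere.local is the example SSO domain from step 4.

```powershell
# Added example, not VMware's code. Requires the VMware.PowerCLI module.
$ErrorActionPreference = 'Stop'
$server    = 'vcenter.example.local'     # placeholder host name (assumption)
$principal = 'VSPHERE.LOCAL\vla_user'    # user from step 6 in the example SSO domain
$roleName  = 'VMware LaMa Appliance'     # role name from step 16

# API privilege IDs for the Table 1 entries, in table order.
$required = @(
    'Datastore.AllocateSpace', 'Global.LogEvent', 'Network.Assign',
    'Resource.AssignVMToPool', 'Resource.ColdMigrate', 'Resource.HotMigrate',
    'VirtualMachine.Config.Settings', 'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Move',
    'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.GuestOperations.Query',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Provisioning.Clone', 'VirtualMachine.Provisioning.Customize',
    'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.Provisioning.MarkAsVM',
    'VirtualMachine.Provisioning.ReadCustSpecs',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.State.RevertToSnapshot'
)

Connect-VIServer -Server $server -Credential (Get-Credential) | Out-Null

# Steps 12-17: create the role only if it does not exist yet.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $required)
}

# Drift check: every role carries implicit System.* privileges, so ignore those.
$actual  = @($role.PrivilegeList | Where-Object { $_ -notlike 'System.*' })
$missing = @($required | Where-Object { $_ -notin $actual })
$extra   = @($actual   | Where-Object { $_ -notin $required })
if ($missing -or $extra) {
    throw "Role differs from Table 1. Missing: $($missing -join ', '). Extra: $($extra -join ', ')."
}

# Steps 18-25: the root folder is the vCenter Server object shown in the UI.
$root = Get-Folder -NoRecursion
if (-not (Get-VIPermission -Entity $root -Principal $principal)) {
    New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate $true | Out-Null
}
# Review: the account should hold only this role, on the root, with Propagate = True.
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate
```

Membership in the vRealize Orchestrator administrators group (steps 3 to 11) is not covered by this script and still has to be set in Users and Groups.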