To run vCenter operations from VLA workflows, you must create a user for VMware vRealize Orchestrator, add it to the VMware vRealize Orchestrator administrators group, and configure this user's access to the vSphere inventory.

Individual users and user groups who are members of the VMware vRealize Orchestrator administrators group have administrator access to the VMware vRealize Orchestrator Server and can perform general administration tasks there. The VMware vRealize Orchestrator administrators group can be any group you choose: it is created before the VMware vRealize Orchestrator initial configuration and can be changed later. Enter this group name in the Admin group text box when you configure the vRealize Orchestrator authentication provider in vRealize Orchestrator Control Center.

If your vCenter Server has been associated with an Active Directory Server, create a user and add the user to the VMware vRealize Orchestrator administrators group there. Skip steps 3-11 in this procedure and perform the rest of the steps to configure the new user's access to the vSphere inventory.

Procedure

  1. Log in to the VMware vSphere Web Client (VWC) using administrator credentials.
  2. Select Administration (highlighted for emphasis) from the Menu.
    Figure 1. Administration
  3. Click Users and Groups.
    The browser displays a screen similar to the following:
    Figure 2. Users and Groups
  4. Select the SSO domain to which you wish to add the user from the Domain dropdown (e.g., vsphere.local).
  5. Click ADD USER to add a user.
    The browser displays the Add User dialog similar to the following:
    Figure 3. Add User
  6. Complete the fields in the dialog, giving the user the name and assigning a conforming password, and then click ADD.
    The browser closes the dialog and displays the Users and Groups page with your new user added.
  7. From the Domain dropdown, select the SSO domain to which the vRealize Orchestrator administrators group belongs.
  8. Click the Groups tab.
    Find the vRealize Orchestrator administrators group in the list of existing groups and click on it.
    Figure 4. vCenter Users and Groups
  9. Click ADD MEMBERS.
    The browser displays the Edit Group dialog similar to the following:
    Figure 5. Edit Group
  10. In the Add members field, select the user's SSO domain from the domain dropdown and then select the user.
    The user is added to the group members.
  11. Click Add member (the only icon under Group Members).
    The browser displays the Add principals dialog similar to the following:
    Figure 6. Add Member - Add principals


  12. Select the user in the User/Group list and then click Add.
  13. Click SAVE.
    The browser closes the dialog and displays the Groups tab with your new user added to the vRealize Orchestrator administrators group.
  14. Click Roles in the Navigation pane.
  15. Click the plus icon in the pane to the right of the Navigator pane (pointed to by the arrow for emphasis).
    Figure 7. Administration - Roles
    The browser displays the New Role dialog.
  16. In the New Role dialog find and check the following privileges for the role:
    Table 1. Role Privilege Settings
    Privilege Settings
    • Datastore -> Allocate space
    • Global -> Log event
    • Network -> Assign network
    • Resource -> Assign virtual machine to resource pool
    • Resource -> Migrate powered off virtual machine
    • Resource -> Migrate powered on virtual machine
    • Resource -> Apply recommendation
    • Virtual machine -> Change Configuration -> Change Settings
    • Virtual machine -> Change Configuration -> Modify device settings
    • Virtual machine -> Edit Inventory -> Create from existing
    • Virtual machine -> Edit Inventory -> Remove
    • Virtual machine -> Edit Inventory -> Move
    • Virtual machine -> Interaction -> Power on
    • Virtual machine -> Interaction -> Power off
    • Virtual machine -> Interaction -> Suspend
    • Virtual machine -> Provisioning -> Clone virtual machine
    • Virtual machine -> Provisioning -> Customize guest
    • Virtual machine -> Provisioning -> Deploy template
    • Virtual machine -> Provisioning -> Mark as template
    • Virtual machine -> Provisioning -> Mark as virtual machine
    • Virtual machine -> Provisioning -> Read customization specifications
    • Virtual machine -> Snapshot management -> Create snapshot
    • Virtual machine -> Snapshot management -> Remove snapshot
    • Virtual machine -> Snapshot management -> Revert to snapshot

    To understand the various LaMa operations and the corresponding privilege settings that you should set when you create a VMware VLA Role in vCenter Server for VMware vRealize Orchestrator, refer to Role Privilege Settings - VMware VLA Role for VMware vRealize Orchestrator.
  17. Click Next.
  18. In the Role name field, type: VLA vRO user
  19. Click Finish to create the role.
    The browser closes the New Role pop-up. You should now see the new role in the list similar to the following:
    Figure 8. Roles
    Note: The VLA vRealize Orchestrator user role you created is selected for emphasis.
  20. Click Hosts and Clusters from the Menu.
  21. Click on the vCenter Server you want the VMware VLA to manage.
  22. Click Permissions.
    Your browser displays a page similar to the following:
    Figure 9. Hosts and Clusters-Manage-Permissions
  23. Click the green plus icon to add permission.
    Your browser displays a page similar to the following:
    Figure 10. Add Permission
  24. Click Add...
    Your browser displays a page similar to the following:
    Figure 11. Add User
  25. Choose your SSO domain and select the user vlavroadmin.
  26. Click OK.
  27. In the Assigned Role list box, select role VLA vRO user.
    Your browser displays a page similar to the following:
    Figure 12. Add Permission


  28. Make sure the Propagate to children check box is checked.
    Click on View Children and verify that permission was granted to the following inventory objects:
    • vCenter Server (The Hosts and Clusters view)
    • Datacenters and Datacenter Folders (The Hosts and Clusters view)
    • Clusters and ESXi hosts within the Clusters, and Hosts and Clusters Folders (The Hosts and Clusters view)
    • Resource Pools and vApps (The Hosts and Clusters view)
    • Virtual Machines, VM Templates and VM Folders (The VMs and Templates view)
    • Datastores and Datastore Folders (The Storage view)
    • Networks and Distributed Switches (The Networking view)
    Note: The inventory objects should be the same as those configured for the vCenter Server user in #GUID-DAB85820-A2E3-4ED3-B869-B83D46B09579.
  29. Click OK.
    This saves the permission.
    Note: A lack of permission for some of the aforementioned objects may result in execution errors of LaMa operations.
    Note: If the permission is set on a vCenter Server other than the one you want the VMware VLA to manage, LaMa operations may fail with execution errors.

Results

You have successfully created the user for VMware vRealize Orchestrator, added it to the VMware vRealize Orchestrator administrators group, and added the required permission for the user so that it can execute VLA workflows.
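
Steps 14-29 can also be scripted and audited with VMware PowerCLI. The following is an added example, not part of the original procedure or VMware's own tooling: it creates the role, grants it at the vCenter root with propagation, and then reports any privilege the role holds beyond Table 1. The server name, the VSPHERE.LOCAL domain prefix, and the mapping of Table 1 labels to privilege IDs are assumptions to check against your environment.

```powershell
# Added example (not from the original page). Requires the VMware.PowerCLI module.
# Placeholder/assumed values: server name and the VSPHERE.LOCAL domain prefix.
$server    = Connect-VIServer -Server 'vcenter.example.com'  # prompts for admin credentials
$roleName  = 'VLA vRO user'                                  # role name from step 18
$principal = 'VSPHERE.LOCAL\vlavroadmin'                     # user from step 25

# Privilege IDs assumed to correspond to the UI labels in Table 1.
$privIds = @(
    'Datastore.AllocateSpace'
    'Global.LogEvent'
    'Network.Assign'
    'Resource.AssignVMToPool'
    'Resource.ColdMigrate'
    'Resource.HotMigrate'
    'Resource.ApplyRecommendation'
    'VirtualMachine.Config.Settings'
    'VirtualMachine.Config.EditDevice'
    'VirtualMachine.Inventory.CreateFromExisting'
    'VirtualMachine.Inventory.Delete'
    'VirtualMachine.Inventory.Move'
    'VirtualMachine.Interact.PowerOn'
    'VirtualMachine.Interact.PowerOff'
    'VirtualMachine.Interact.Suspend'
    'VirtualMachine.Provisioning.Clone'
    'VirtualMachine.Provisioning.Customize'
    'VirtualMachine.Provisioning.DeployTemplate'
    'VirtualMachine.Provisioning.MarkAsTemplate'
    'VirtualMachine.Provisioning.MarkAsVM'
    'VirtualMachine.Provisioning.ReadCustSpecs'
    'VirtualMachine.State.CreateSnapshot'
    'VirtualMachine.State.RemoveSnapshot'
    'VirtualMachine.State.RevertToSnapshot'
)

# Stop if any ID is unknown on this vCenter instead of creating a partial role.
$privs = Get-VIPrivilege -Server $server -Id $privIds -ErrorAction Stop
$role  = New-VIRole -Server $server -Name $roleName -Privilege $privs

# Steps 20-29: grant the role at the vCenter root folder and propagate to children.
$root = Get-Folder -Server $server -NoRecursion
New-VIPermission -Server $server -Entity $root -Principal $principal -Role $role -Propagate:$true

# Least-privilege check: report anything in the role beyond Table 1
# (System.* privileges are added to every role by vCenter).
$actual = (Get-VIRole -Server $server -Name $roleName).PrivilegeList
$extra  = $actual | Where-Object { $_ -notin $privIds -and $_ -notlike 'System.*' }
$short  = $privIds | Where-Object { $_ -notin $actual }
"Extra privileges:   $(@($extra).Count)  $($extra -join ', ')"
"Missing privileges: $(@($short).Count)  $($short -join ', ')"
```

Re-running only the last five lines later serves as a drift check: both counts should stay at 0 unless the role was edited after creation.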