Access to VMware Cloud Director Extension for VMware Tanzu Mission Control is managed by a rights bundle and two roles in VMware Cloud Director. These roles are referred to as the TMC Administrator and TMC Member roles, but you can configure specific names for them during installation. The roles are used to configure Access Policies when an organization is initially onboarded to VMware Tanzu Mission Control. After the initial onboarding, the TMC Administrator can modify these policies to give access to any user or role they choose.
Rights Bundle | Description
---|---
vmware:tmc_tenant | This rights bundle contains the privileges that an organization needs to avail of VMware Cloud Director Extension for VMware Tanzu Mission Control.
Global Role in VMware Cloud Director | Default Value | Rights | Mapped Role in VMware Tanzu Mission Control
---|---|---|---
TMC Administrator | tmc:admin | | Service Admin
TMC Member | tmc:member | | Service Member
You can set the values for these roles during installation of the solution. The values will apply to all organizations in VMware Cloud Director. The solution will create roles with the rights above if they do not already exist. If the role exists before the installation of VMware Cloud Director Extension for VMware Tanzu Mission Control, the solution will add the following two rights to each role:
- VIEW: VMWARE:TMC
- Enable OIDC Server
Service providers cannot attach any clusters from tenant organizations to VMware Tanzu Mission Control from the VMware Tanzu Mission Control UI or the Kubernetes Container Clusters UI, even though they are assigned the TMC Administrator role. This privilege only allows service providers to log in to the VMware Tanzu Mission Control UI.
Service providers cannot view tenant clusters in the VMware Tanzu Mission Control UI.
Service providers cannot view VMware Tanzu Mission Control attachment status in the Kubernetes Container Clusters UI.
Information for Tenant Administrators
Ensure VMware Cloud Director tenant users have the fullname populated in the user object for VMware Tanzu Mission Control Self-Managed login to work correctly. The email may be used to create per-user access policies but is not required.
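The role and user requirements above can be checked before onboarding an organization. The following is an added example, not VMware code: it audits an offline export of roles and users, and the record layout (keys `name`, `rights`, `username`, `fullname`, `email`, `role`) and the sample data are assumptions made for illustration, not a VMware Cloud Director schema.

```python
# Added example: offline pre-onboarding audit over a constructed export.
# The record layout used here is an assumption for illustration only.

REQUIRED_RIGHTS = {"VIEW: VMWARE:TMC", "Enable OIDC Server"}  # rights named on this page
TMC_ROLES = {"tmc:admin", "tmc:member"}  # default values; adjust if renamed at install


def audit(roles, users, tmc_roles=TMC_ROLES):
    """Return a list of (subject, problem) findings, roles first, then users."""
    findings = []
    seen = {r["name"]: set(r.get("rights", [])) for r in roles}
    for name in sorted(tmc_roles):
        if name not in seen:
            findings.append((name, "role not found"))
            continue
        for right in sorted(REQUIRED_RIGHTS - seen[name]):
            findings.append((name, f"missing right: {right}"))
    for u in users:
        if u.get("role") not in tmc_roles:
            continue  # only users holding a TMC role are relevant
        if not (u.get("fullname") or "").strip():
            findings.append((u["username"], "fullname empty (required for login)"))
        if not (u.get("email") or "").strip():
            findings.append((u["username"], "email empty (optional, used for per-user access policies)"))
    return findings


# Constructed sample data.
SAMPLE_ROLES = [
    {"name": "tmc:admin", "rights": ["VIEW: VMWARE:TMC", "Enable OIDC Server"]},
    {"name": "tmc:member", "rights": ["VIEW: VMWARE:TMC"]},
]
SAMPLE_USERS = [
    {"username": "alice", "fullname": "Alice Example", "email": "alice@example.test", "role": "tmc:admin"},
    {"username": "bob", "fullname": "  ", "email": "", "role": "tmc:member"},
    {"username": "carol", "fullname": "", "email": "", "role": "vApp User"},
]

if __name__ == "__main__":
    for subject, problem in audit(SAMPLE_ROLES, SAMPLE_USERS):
        print(f"{subject}: {problem}")
```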