Upon creation, an organization VDC grants full access to all members of the containing organization. An administrator can use the VMware Cloud Director API access control mechanism to restrict access to specific users.
Organization VDCs implement a subset of the access control features described in Controlling Access to vApps and Catalogs. To restrict access to a VDC, you first apply access controls that deny use of the VDC to all users. After you do that, you can make exceptions to grant access to up to 128 individual users. You apply VDC access controls using a controlAccess request and ControlAccessParams request body. Values of certain elements in the request body have special meanings when applied to a VDC.
- IsSharedToEveryone
- The value of this element specifies whether the VDC imposes any access controls. If it is set to false, access is denied to all users except the ones referenced in the AccessSettings element. If it is set to true, no access controls apply, even if you have defined them in AccessSettings; the VDC is then open to every member of the organization.
- AccessLevel
- A value of ReadOnly grants the subject all rights to use the VDC. In this release, ReadOnly is the only legal VDC AccessLevel for a user.
Prerequisites
Verify that you are logged in as an organization administrator or with a role that has an equivalent set of rights.
Procedure
Example: Apply Access Controls to a VDC
This request updates the access controls of a VDC to grant access to two external users defined in an OAuth identity provider. The request body, a ControlAccessParams element, specifies a value of false for the IsSharedToEveryone element, which denies access to all users. It also includes an AccessSetting element for each user to whom access is granted. Each of these users is identified by an ExternalSubject element. An ExternalSubject identifies a user account defined in a supported OAuth or SAML identity provider. See About Federation and Single Sign-On. In this element, the SubjectId is the user name with which the user logs in to the identity provider whose type is specified in IdpType. The user must be a member of the organization that owns the VDC.
PUT https://vcloud.example.com/api/vdc/130/action/controlAccess
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5">
  <IsSharedToEveryone>false</IsSharedToEveryone>
  <AccessSettings>
    <AccessSetting>
      <ExternalSubject>
        <SubjectId>[email protected]</SubjectId>
        <IsUser>true</IsUser>
        <IdpType>OAUTH</IdpType>
      </ExternalSubject>
      <AccessLevel>ReadOnly</AccessLevel>
    </AccessSetting>
    <AccessSetting>
      <ExternalSubject>
        <SubjectId>[email protected]</SubjectId>
        <IsUser>true</IsUser>
        <IdpType>OAUTH</IdpType>
      </ExternalSubject>
      <AccessLevel>ReadOnly</AccessLevel>
    </AccessSetting>
  </AccessSettings>
</ControlAccessParams>
A user account defined in the organization itself (a User object under /api/admin/user) is referenced with a Subject element instead of an ExternalSubject. The following request body grants the same ReadOnly access to one such user.

<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5">
  <IsSharedToEveryone>false</IsSharedToEveryone>
  <AccessSettings>
    <AccessSetting>
      <Subject type="application/vnd.vmware.admin.user+xml"
               href="https://vcloud.example.com/api/admin/user/45"/>
      <AccessLevel>ReadOnly</AccessLevel>
    </AccessSetting>
  </AccessSettings>
</ControlAccessParams>
The response, a subset of which appears here, echoes the request.

200 OK
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...
<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5">
  <IsSharedToEveryone>false</IsSharedToEveryone>
  <AccessSettings>
    ...
  </AccessSettings>
</ControlAccessParams>
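The following Python script is an added example, not VMware's code and not part of the original page. It builds a ControlAccessParams body from a list of external and local subjects, enforcing the rules stated above (IsSharedToEveryone, the 128-subject limit, ReadOnly as the only VDC AccessLevel), and it audits a body such as the one a GET or the PUT response returns, flagging the case that bites in practice: IsSharedToEveryone set to true with AccessSettings present, which leaves the VDC open to the whole organization while looking restricted. The user names, the dict layout for subjects and the sample response body are constructed for illustration; sending the PUT with the returned body is left to whichever HTTP client you use.

```python
"""Build and audit ControlAccessParams bodies for a VMware Cloud Director VDC.

Added example, not VMware's own code. Standard library only, so it runs
offline; sending the PUT is left to the caller.
"""
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
CONTROL_ACCESS_TYPE = "application/vnd.vmware.vcloud.controlAccess+xml"
ADMIN_USER_TYPE = "application/vnd.vmware.admin.user+xml"
MAX_VDC_SUBJECTS = 128             # per-VDC limit stated in the text
ALLOWED_VDC_LEVELS = {"ReadOnly"}  # the only legal VDC AccessLevel for a user

ET.register_namespace("", VCLOUD_NS)


def _q(tag):
    """Qualify a tag name with the vCloud namespace."""
    return "{%s}%s" % (VCLOUD_NS, tag)


def build_control_access_params(subjects, shared_to_everyone=False):
    """Return the request body for PUT <vdc href>/action/controlAccess.

    Each entry in `subjects` is a dict describing one AccessSetting
    (this dict layout is the example's own convention):
      {"subject_id": "alice@idp.example", "idp_type": "OAUTH"}  -> ExternalSubject
      {"href": "https://vcloud.example.com/api/admin/user/45"} -> Subject (local user)
    AccessLevel is always ReadOnly, the only value the API accepts for a VDC.
    """
    if len(subjects) > MAX_VDC_SUBJECTS:
        raise ValueError("a VDC accepts at most %d AccessSetting entries" % MAX_VDC_SUBJECTS)
    root = ET.Element(_q("ControlAccessParams"))
    ET.SubElement(root, _q("IsSharedToEveryone")).text = (
        "true" if shared_to_everyone else "false")
    settings = ET.SubElement(root, _q("AccessSettings"))
    for s in subjects:
        setting = ET.SubElement(settings, _q("AccessSetting"))
        if "subject_id" in s:
            ext = ET.SubElement(setting, _q("ExternalSubject"))
            ET.SubElement(ext, _q("SubjectId")).text = s["subject_id"]
            ET.SubElement(ext, _q("IsUser")).text = "true"
            ET.SubElement(ext, _q("IdpType")).text = s["idp_type"]
        else:
            ET.SubElement(setting, _q("Subject"),
                          {"type": ADMIN_USER_TYPE, "href": s["href"]})
        ET.SubElement(setting, _q("AccessLevel")).text = "ReadOnly"
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def parse_control_access_params(xml_body):
    """Return (is_shared_to_everyone, [{"subject", "kind", "level"}, ...])."""
    raw = xml_body.encode("utf-8") if isinstance(xml_body, str) else xml_body
    root = ET.fromstring(raw)
    shared = (root.findtext(_q("IsSharedToEveryone")) or "").strip().lower() == "true"
    entries = []
    for setting in root.iter(_q("AccessSetting")):
        ext = setting.find(_q("ExternalSubject"))
        if ext is not None:
            subject = "%s (%s)" % (ext.findtext(_q("SubjectId")), ext.findtext(_q("IdpType")))
            kind = "external"
        else:
            subj = setting.find(_q("Subject"))
            subject = subj.get("href") if subj is not None else None
            kind = "local"
        entries.append({"subject": subject, "kind": kind,
                        "level": setting.findtext(_q("AccessLevel"))})
    return shared, entries


def audit_control_access_params(xml_body):
    """Flag settings that do not restrict the VDC the way the author likely intended."""
    shared, entries = parse_control_access_params(xml_body)
    findings = []
    if shared:
        msg = "IsSharedToEveryone=true: every organization member can use the VDC"
        if entries:
            msg += " and the %d AccessSetting entries are ignored" % len(entries)
        findings.append(msg)
    if len(entries) > MAX_VDC_SUBJECTS:
        findings.append("%d AccessSetting entries exceed the VDC limit of %d"
                        % (len(entries), MAX_VDC_SUBJECTS))
    for e in entries:
        if e["level"] not in ALLOWED_VDC_LEVELS:
            findings.append("%s: AccessLevel %r is not valid for a VDC" % (e["subject"], e["level"]))
    return findings


# Constructed sample of a response body, not captured from a real system:
# AccessSettings are present, but IsSharedToEveryone is true, so they do nothing.
SAMPLE_OPEN_VDC = """<?xml version="1.0" encoding="UTF-8"?>
<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5">
  <IsSharedToEveryone>true</IsSharedToEveryone>
  <AccessSettings>
    <AccessSetting>
      <Subject type="application/vnd.vmware.admin.user+xml"
               href="https://vcloud.example.com/api/admin/user/45"/>
      <AccessLevel>ReadOnly</AccessLevel>
    </AccessSetting>
  </AccessSettings>
</ControlAccessParams>"""

if __name__ == "__main__":
    body = build_control_access_params([
        {"subject_id": "alice@idp.example", "idp_type": "OAUTH"},   # hypothetical user
        {"href": "https://vcloud.example.com/api/admin/user/45"},   # hypothetical local user
    ])
    print(body)
    print(audit_control_access_params(body))             # [] : properly restricted
    print(audit_control_access_params(SAMPLE_OPEN_VDC))  # one finding about IsSharedToEveryone
```

Run the audit against the body returned by a GET on the VDC's controlAccess link after every change, not only against the body you sent: the response echoes what the server stored, and a body with IsSharedToEveryone still true is the one silent way to end up with an unrestricted VDC.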