By using the VMware Cloud Director Tenant Portal, you can create, edit, import, and delete users. You can also unlock the account of a user who tried to log in with an incorrect password and locked their own account as a result.

The page provides information about the users such as the assigned role, provider type, whether the user is stranded, and so on.

If VMware Cloud Director determines that a user who had previously logged in can no longer do so, the user becomes stranded. The user might not be able to log in because VMware Cloud Director can no longer authenticate the user. For example, the user might no longer be present in the LDAP server. Alternatively, even though VMware Cloud Director can reasonably authenticate external IDP users, those users might not be authorized for any role. For example, such users might inherit roles from a group that no longer exists.

Note: VMware Cloud Director users can share or transfer ownership of entities to other users within the same organization. For this reason, within an organization, any user can see the other users' basic information, such as user name, full name, description, ID, role, and organization.

Create a User in Your VMware Cloud Director Tenant Portal

You can create a user within your VMware Cloud Director organization.

You can create a VMware Cloud Director user by selecting a user name, password, and role.

Prerequisites

Verify that you are logged in as an organization administrator or a role with an equivalent set of rights.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Access Control, select Users.
    The list of users appears.
  3. Click New.
  4. Enter a user name and the password setting of the user.
    The minimum password length is six characters.
  5. Select whether to enable the user upon creation.
  6. If you want to set a specific limitation on the resources available to the user, turn on the Configure user's quota toggle.
    If you turn on the toggle, when you complete this wizard, VMware Cloud Director redirects you to the Quotas page. You can add quotas on the number of Tanzu Kubernetes clusters, all or running VMs managed by the user, consumed CPU, memory, and storage. Select Unlimited if you want the user to have unlimited resources of the selected type.
  7. Choose the role that you want to assign to the user.
    The Available roles menu consists of a list of predefined roles and any custom roles that you or the system administrator might have created.

    | Predefined role | Description |
    |---|---|
    | vApp Author | The rights associated with the predefined vApp Author role allow a user to use catalogs and create vApps. |
    | Console Access Only | The rights associated with the predefined Console Access Only role allow a user to view virtual machine state and properties and to use the guest OS. |
    | vApp User | The rights associated with the predefined vApp User role allow a user to use existing vApps. |
    | Organization Administrator | A user with the predefined Organization Administrator role can use the VMware Cloud Director tenant portal or the Cloud Director OpenAPI to manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. An organization administrator can use the Cloud Director OpenAPI to create or update role objects that are local to the organization. Roles created or modified by an organization administrator are not visible to other organizations. |
    | Defer to Identity Provider | Rights associated with the predefined Defer to Identity Provider role are determined based on information received from the user's OAuth or SAML Identity Provider. To qualify for inclusion when a user is assigned the Defer to Identity Provider role, a role name supplied by the Identity Provider must be an exact, case-sensitive match for a role or name defined in your organization. |
    | Catalog Author | The rights associated with the predefined Catalog Author role allow a user to create and publish catalogs. |

  8. (Optional) Enter the contact information, such as name, email address, phone number, and instant messaging ID.
  9. Click Save.

What to do next

If you enabled quotas configuration for the user and VMware Cloud Director redirects you to the Quotas page, see Manage the Resource Quotas of a User in Your VMware Cloud Director Tenant Portal.
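
The exact, case-sensitive match that the Defer to Identity Provider role requires is a common reason an external IdP user ends up not authorized for any role. The following sketch is an added example, not VMware code: it previews which IdP-supplied role names qualify. The function names, the sample users, and the treatment of surrounding whitespace as a non-match are assumptions.

```python
# Constructed sample data: organization role names and the role names an
# identity provider would supply for each user at login.
ORG_ROLES = ["Organization Administrator", "vApp Author", "vApp User",
             "Catalog Author", "Console Access Only"]
ASSERTIONS = {
    "alice@example.test": ["vApp Author"],
    "bob@example.test": ["vapp user", "Staff"],
    "carol@example.test": ["Catalog Author ", "Contractors"],
    "dave@example.test": ["Retired-Group"],
}


def resolve_deferred_roles(idp_role_names, org_role_names):
    """Return (matched, near_misses) for the role names an IdP supplies.

    matched: names that are an exact, case-sensitive match for an org role.
    near_misses: {supplied_name: org_role} where only letter case or
    surrounding whitespace differs, so the name does not qualify
    (assumption: "exact" is read literally).
    """
    org = set(org_role_names)
    folded = {r.strip().casefold(): r for r in org_role_names}
    matched, near_misses = [], {}
    for name in idp_role_names:
        if name in org:
            matched.append(name)
            continue
        candidate = folded.get(name.strip().casefold())
        if candidate is not None:
            near_misses[name] = candidate
    return matched, near_misses


def find_unauthorized(assertions, org_role_names):
    """Map each user with no qualifying role to their near misses.

    These users would authenticate at the IdP but receive no role, which is
    the condition the page describes for stranded external IdP users.
    """
    report = {}
    for user, names in assertions.items():
        matched, near_misses = resolve_deferred_roles(names, org_role_names)
        if not matched:
            report[user] = near_misses
    return report


if __name__ == "__main__":
    for user, hints in find_unauthorized(ASSERTIONS, ORG_ROLES).items():
        print(user, "-> no role;", hints or "no similar org role found")
```

A non-empty near-miss entry points to a role name to correct on the IdP side; an empty one points to a role or group that no longer exists in the organization.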

Import Users in Your VMware Cloud Director Tenant Portal

You can add users to your VMware Cloud Director organizations by importing an LDAP, SAML, or OIDC user and assigning them a certain role.

You can import LDAP, SAML, or OIDC users to VMware Cloud Director.

Prerequisites

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Access Control, select Users.
    The list of users appears.
  3. Click Import Users.
  4. Select a source from which you want to import the users.
    You see only the sources that you configured as identity providers.
    Important: When importing SAML and OIDC users, you must ensure that the user name you provide matches the value in the configured field from the identity provider. This is because VMware Cloud Director cannot communicate with the identity provider during import to validate the information. The only communication between the identity provider and VMware Cloud Director is during login, which fails if you import the wrong user name.

    | Source | Action |
    |---|---|
    | LDAP | Import users from an LDAP server. 1. Enter a full or partial name in the text box and click Search. 2. Select the users whom you want to import and click Add. |
    | SAML | Import users from a SAML server. Enter the user names of the users that you want to import. Use a new line for each user name. User names must be in the name identifier format supported by the SAML identity provider configured for this organization. Note: If you are using vCenter Single Sign-On as the SAML identity provider, the user names that you import from a vCenter Single Sign-On domain must be in User Principal Name (UPN) format. |
    | OIDC | Import OIDC users. Enter the user names of the users that you want to import. Use a new line for each user name. User names must be in the name identifier format supported by the OIDC identity provider configured for this organization. |

  5. Select the role which you want to assign to the users that you import.
  6. Click Save.
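
Because VMware Cloud Director cannot validate SAML or OIDC user names during import, it helps to check the list against an export from the identity provider before you click Save. The following sketch is an added example, not VMware code: the function name, the result categories, and the sample values are assumptions, and the export is assumed to hold the values of the configured name identifier field.

```python
import re

# Loose user@domain shape check, applied only when UPN format is required
# (vCenter Single Sign-On as the SAML identity provider).
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

# Constructed sample data: IdP export and the text typed into the dialog.
IDP_EXPORT = ["alice@corp.example", "bob@corp.example", "Carol.Diaz@corp.example"]
PASTED = ("alice@corp.example\nbob\ncarol.diaz@corp.example\n\n"
          "alice@corp.example\nerin@corp.example\n")


def check_import_list(pasted, idp_values, require_upn=False):
    """Classify each user name (one per line) before it is imported.

    ok:           identical to a value in the IdP export
    duplicate:    repeated line in the pasted text
    not_upn:      fails the user@domain shape check (only if require_upn)
    case_differs: {typed: idp_value}; the page requires the name to match the
                  IdP value and does not say case is ignored, so fix these
    unknown:      no corresponding value in the IdP export
    """
    known = set(idp_values)
    by_fold = {v.casefold(): v for v in idp_values}
    result = {"ok": [], "duplicate": [], "not_upn": [],
              "case_differs": {}, "unknown": []}
    seen = set()
    for raw in pasted.splitlines():
        name = raw.strip()
        if not name:
            continue  # blank lines carry no user name
        if name in seen:
            result["duplicate"].append(name)
            continue
        seen.add(name)
        if require_upn and not UPN_RE.match(name):
            result["not_upn"].append(name)
        elif name in known:
            result["ok"].append(name)
        elif name.casefold() in by_fold:
            result["case_differs"][name] = by_fold[name.casefold()]
        else:
            result["unknown"].append(name)
    return result


if __name__ == "__main__":
    for category, names in check_import_list(PASTED, IDP_EXPORT, True).items():
        print(f"{category}: {names}")
```

Import only the names reported as ok; every other category is a login failure or a stray account waiting to happen.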

Modify a User in Your VMware Cloud Director Tenant Portal

As a VMware Cloud Director organization administrator, you can modify the password, the contact, and the virtual machine quota settings of an existing user. In addition, you can also change the role of the user.

By clicking Edit, you can modify the user account settings.

Prerequisites

Verify that you are logged in as an organization administrator or a role with an equivalent set of rights.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Access Control, select Users.
    The list of users appears.
  3. Click the radio button next to the name of the user that you want to edit and click Edit.
  4. Update the settings you want to modify.
    1. Change the user password.
      Note: You cannot change the password of the user you are logged in as.
    2. Select whether to activate or deactivate the user.
    3. Update the user role.
    4. Update the contact information, such as name, email address, phone number, and instant messaging ID.
  5. Click Save.

What to do next

Deactivate or Activate a User Account in Your VMware Cloud Director Tenant Portal

You can deactivate a user account to prevent that user from logging in to VMware Cloud Director. To delete a user, you must first deactivate their account.

By clicking the Disable or Enable buttons, you can deactivate or activate a user account.

Prerequisites

Verify that you are logged in as an organization administrator or a role with an equivalent set of rights.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Access Control, select Users.
    The list of users appears.
  3. To deactivate a user account, click the radio button next to the user name, click Disable, and confirm.
  4. To activate a user account that you have already deactivated, click the radio button next to the user name, and click Enable.

Delete a User in Your VMware Cloud Director Tenant Portal

You can remove a user from your VMware Cloud Director organization by deleting the user account.

Prerequisites

  • Verify that you are logged in as an organization administrator or a role with an equivalent set of rights.

  • Deactivate the account you want to delete.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Access Control, select Users.
    The list of users appears.
  3. Click the radio button next to the name of the user that you want to delete and click Delete.
  4. To confirm that you want to delete the user account, click OK.

Unlock a Locked Out User Account Using Your VMware Cloud Director Tenant Portal

If you have enabled a lockout policy in your VMware Cloud Director organization, a user account is locked after a certain number of invalid login attempts. You can unlock the locked user account. The best practice is to change the password of the user and then unlock the account.

Prerequisites

Verify that you are logged in as an organization administrator or a role with an equivalent set of rights.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. From the secondary left panel, under Access Control, select Users.
    The list of users appears.
  3. Click the radio button next to the user name, and click Unlock.

Manage the Resource Quotas of a User in Your VMware Cloud Director Tenant Portal

You can manage the overall resource consumption limit of a VMware Cloud Director user. You can add, edit, and remove the user's quotas on VMs, Tanzu Kubernetes clusters, CPU, memory, or storage.

Users can see the quotas relevant only to their user type. Users inherit quotas from the group they belong to. If a user inherits a resource quota from their group and has an explicit user-level quota defined for that resource, then the user-level quota takes priority over the group-level quota.

For information about creating or importing users, see Create a User in Your VMware Cloud Director Tenant Portal or Import Users in Your VMware Cloud Director Tenant Portal.

You can add or edit resource quotas for specific VMware Cloud Director users.

Prerequisites

Verify that you have the necessary rights to add, edit, and delete resource quotas. By default, Organization administrators can change the quotas of users.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. In the left panel under Access Control, click Users.
  3. Select the name of a user and select the Quotas tab.
    Users do not have any quotas by default. All users that belong to a group inherit the group's quotas. If the user belongs to a group that has a quota on resources, the quota appears in the user's list of quotas as not editable.
  4. Click Edit.
  5. Modify the quota for the selected user.
    You can add, edit, or remove quotas on the number of Tanzu Kubernetes clusters, all or running VMs managed by the user, consumed CPU, memory, and storage. Select Unlimited if you want the user to have unlimited resources of the selected type.
  6. Click Save.

Manage the API Token of a VMware Cloud Director User

You can generate and issue API access tokens. VMware Cloud Director administrators with the Manage all users' API tokens right can use the Tenant Portal to view and revoke the access tokens of the other tenant users in the organization.

Access tokens are artifacts that client applications use to make API requests on behalf of a user. Applications need access tokens for authentication. When an access token expires, applications can use API tokens to obtain new access tokens. API tokens do not expire.

For more information about generating and issuing API access tokens, see Generate an API Access Token Using Your VMware Cloud Director Tenant Portal.

When you select a user, on the API Tokens tab you can view and revoke their API tokens.

Prerequisites

Verify that you have the Manage all users' API tokens right.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. In the left panel under Access Control, click Users.
  3. To view the tokens of other users in your organization, select the name of a user and select the API Tokens tab.
  4. (Optional) Click the vertical ellipsis next to a token and click Revoke.