You can add users and groups to VMware Cloud Foundation to provide users with access to the SDDC Manager UI as well as the vCenter Server and NSX Manager instances that are deployed in your VMware Cloud Foundation system. Users can log in and perform tasks based on their assigned role.
Before you can add users and groups to
VMware Cloud Foundation, you must configure an identity provider that has access to user and group data.
VMware Cloud Foundation supports the following identity providers:
- vCenter Single Sign-On is vCenter Server's built-in identity provider. By default, it uses the system domain (for example, vsphere.local) as its identity source. You can add Active Directory over LDAP and OpenLDAP as identity sources for vCenter Single Sign-On.
- You can also use any of the following external identity providers instead of vCenter Single Sign-On:
- Microsoft ADFS
- Okta
- Microsoft Entra ID (formerly known as Azure Active Directory)
Once you have configured an identity provider, you can add users and groups, and assign roles to determine what tasks they can perform from the SDDC Manager UI and VMware Cloud Foundation API.
Note:
SDDC Manager only manages users and groups for the management SSO domain. If you created isolated VI workload domains that use different SSO domains, you must use the vSphere Client to manage users and groups for those SSO domains. Use the vSphere Client to connect to the VI workload domain's vCenter Server and then click
.
In addition to user accounts,
VMware Cloud Foundation includes the following accounts:
- Automation accounts for accessing VMware Cloud Foundation APIs. You can use these accounts in automation scripts.
- Local account for accessing VMware Cloud Foundation APIs when vCenter Server is down.
- Service accounts are automatically created by VMware Cloud Foundation for inter-product interaction. These are for system use only.