You assign roles in vCenter Server to Active Directory security groups with global permissions. You can later assign access to users by adding them to the Active Directory security groups based on your organization's security controls.

You create and assign access to Active Directory security groups for the following roles in vCenter Server:

  • Administrator

  • Read-Only

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui as [email protected].
  2. From the vSphere Client Menu, select Administration.
  3. In the Access control section, click Global permissions.

  4. On the Global Permissions page, click Add.

  5. In the Add permission dialog box, configure the following settings, configure the remaining settings according to your VMware Cloud Foundation Planning and Preparation Workbook, and click OK.



    Propagate to children


  6. To assign access to additional Active Directory security groups, repeat the previous step for all vCenter Server roles.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = ""
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $domainFqdn = ""
    $domainBindUserVsphere = "svc-vsphere-ad"
    $domainBindPassVsphere = "VMw@re1!"
    $vcenterAdminGroup = "gg-vc-admins"
    $vcenterReadOnlyGroup = "gg-vc-read-only"

  3. Perform the configuration by running the commands in the PowerShell console.

    Add-vCenterGlobalPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -domainBindUser $domainBindUserVsphere -domainBindPass $domainBindPassVsphere -principal $vcenterAdminGroup -role Admin -propagate true -type group
    Add-vCenterGlobalPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -domainBindUser $domainBindUserVsphere -domainBindPass $domainBindPassVsphere -principal $vcenterReadOnlyGroup -role ReadOnly -propagate true -type group
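
The following is an added example, not part of the original procedure or VMware's sample code. It runs the same two role assignments with the passwords prompted for at run time instead of written into the script, and first checks that each principal is an existing security group and lists its effective members. It assumes that the module providing Add-vCenterGlobalPermission is already imported, that the RSAT ActiveDirectory module is installed, and that the operator's own logon can read the directory; the two FQDN values are placeholders to replace from the workbook.

```powershell
# Added example: same inputs as the sample above, but no password is stored
# in the script or typed as a literal on the command line.
$sddcManagerFqdn      = "<sddc_manager_fqdn>"            # placeholder, from the workbook
$sddcDomainName       = "sfo-m01"
$domainFqdn           = "<active_directory_domain_fqdn>" # placeholder, from the workbook
$vcenterAdminGroup    = "gg-vc-admins"
$vcenterReadOnlyGroup = "gg-vc-read-only"

# Prompt for both accounts; the passwords are held as SecureString until needed.
$sddcCred = Get-Credential -Message "SDDC Manager administrator account"
$bindCred = Get-Credential -UserName "svc-vsphere-ad" -Message "Active Directory bind account"

# Role name (as passed to -role in the commands above) mapped to its AD group.
$assignments = [ordered]@{ Admin = $vcenterAdminGroup; ReadOnly = $vcenterReadOnlyGroup }

# Pre-check (assumption: RSAT ActiveDirectory module, run as a user who can read AD).
# Each principal must exist and be a security group; print who would inherit the role.
foreach ($group in $assignments.Values) {
    $adGroup = Get-ADGroup -Identity $group -Server $domainFqdn -ErrorAction Stop
    if ($adGroup.GroupCategory -ne 'Security') { throw "$group is not a security group" }
    $members = @(Get-ADGroupMember -Identity $adGroup -Recursive -Server $domainFqdn)
    Write-Host ("{0}: {1} effective member(s)" -f $group, $members.Count)
    $members | Sort-Object SamAccountName | Format-Table SamAccountName, objectClass -AutoSize
}

try {
    foreach ($role in $assignments.Keys) {
        # The cmdlet takes plain-text passwords, so convert only at the call site.
        Add-vCenterGlobalPermission -server $sddcManagerFqdn `
            -user $sddcCred.UserName -pass $sddcCred.GetNetworkCredential().Password `
            -sddcDomain $sddcDomainName -domain $domainFqdn `
            -domainBindUser $bindCred.UserName -domainBindPass $bindCred.GetNetworkCredential().Password `
            -principal $assignments[$role] -role $role -propagate true -type group
    }
}
finally {
    # Drop the credential objects from the session once the assignments are done.
    Remove-Variable sddcCred, bindCred -ErrorAction SilentlyContinue
}
```

Review the member list printed for the Administrator group before letting the script continue in a production environment, because every listed account receives the role on all inventory objects through propagation.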