To provide role-based access control for the SDDC, you configure an identity provider in vCenter Server. That becomes the identity provider for both vCenter Server and SDDC Manager. You then configure an identity provider in NSX Manager by using Microsoft Active Directory over LDAP with SSL.

To implement and configure role-based access control for the SDDC, alternative methods exist:

Table 1. Validated Solution Implementation Options

Method

Description

Implementation by using PowerShell automation
  • End-to-end automated implementation by using PowerShell. See Automated PowerShell Implementation of Identity and Access Management.
Implementation by using component user interfaces
  • End-to-end manual implementation by using components' user interfaces. See User Interface Implementation of Identity and Access Management.

Active Directory security groups and users are assigned to default and custom roles. Password and account lockout policies are configured based on the security and compliance standards used by your organization.

For information on the role-based access control (RBAC) design, see Detailed Design of Identity and Access Management for VMware Cloud Foundation.

Prerequisites

To complete the implementation of the Identity and Access Management for VMware Cloud Foundation validated solution, verify that your system fulfills the following prerequisites.

Table 2. Prerequisites for Implementation of Identity and Access Management for VMware Cloud Foundation

Category

Prerequisite

Environment
Domain Name Service
  • Verify that the required DNS entries are created in the DNS server for the associated forward and reverse zones.
Active Directory
  • Verify that Active Directory Domain Controllers are available in the environment.
  • Verify that the required service accounts are created in Active Directory.
  • Verify that the required security groups are created in Active Directory.
Certificate Authority
  • Verify that a Microsoft Certificate Authority is available for the environment.
  • Install the PowerShell Module for VMware Validated Solutions together with the supporting modules to request an SSL certificate from your Microsoft Certificate Authority.
  • Verify that you have OpenSSL 3.0 or later installed on the system that will run the PowerShell module.
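
The DNS, Active Directory and OpenSSL prerequisites above can be checked in one pass from the system that will run the PowerShell module. The following script is an added example, not part of VMware's documentation or module; the host names are constructed placeholders, the function names are hypothetical, and port 636 is assumed for LDAP over SSL.

```powershell
# Added example: preflight for the DNS, Active Directory (LDAPS) and OpenSSL prerequisites.
# Host names are constructed placeholders; replace them with your own.
$Fqdns             = @('vcenter.example.com', 'nsx.example.com', 'sddc-manager.example.com')
$DomainControllers = @('dc01.example.com')
$MinOpenSsl        = [version]'3.0'

function Test-ForwardReverseDns {
    param([string]$Fqdn)
    try {
        # Forward (A) lookup, then reverse (PTR) lookup on the first IPv4 address.
        $ip = [System.Net.Dns]::GetHostAddresses($Fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        if (-not $ip) { return $false }
        $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName.TrimEnd('.')
        return ($ptr -ieq $Fqdn)
    } catch { return $false }
}

function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)   # 636 = LDAP over SSL (assumed default)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)
        # Default certificate validation applies: the handshake fails if the
        # domain controller certificate is untrusted, expired or name-mismatched.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        return $true
    } catch { return $false } finally { $client.Dispose() }
}

function Test-OpenSslVersion {
    param([version]$Minimum)
    $cmd = Get-Command openssl -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $cmd) { return $false }
    # First output line looks like "OpenSSL 3.0.13 30 Jan 2024 (...)".
    $line = & $cmd.Source version | Select-Object -First 1
    if ($line -match '^OpenSSL\s+(\d+\.\d+\.\d+)') { return ([version]$Matches[1] -ge $Minimum) }
    return $false
}

$results  = @($Fqdns | ForEach-Object {
    [pscustomobject]@{ Check = 'DNS forward/reverse'; Target = $_; Passed = (Test-ForwardReverseDns $_) } })
$results += @($DomainControllers | ForEach-Object {
    [pscustomobject]@{ Check = 'LDAPS handshake'; Target = $_; Passed = (Test-Ldaps $_) } })
$results += [pscustomobject]@{ Check = "OpenSSL >= $MinOpenSsl"; Target = 'local'; Passed = (Test-OpenSslVersion $MinOpenSsl) }
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { Write-Warning 'One or more prerequisites are not met.' }
```

A failed LDAPS handshake usually means the issuing Certificate Authority is not trusted on the machine running the check, so import the root certificate rather than disabling validation.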