Implementation of Identity and Access Management for VMware Cloud Foundation

To provide role-based access control for the SDDC, you configure an identity provider in vCenter Server. That becomes the identity provider for both vCenter Server and SDDC Manager. You then integrate NSX Manager with Workspace ONE Access to activate the use of Microsoft Active Directory over LDAP with SSL.

To implement and configure role-based access control for the SDDC, two alternative methods exist: by using the user interface of each component in the solution or by using PowerShell cmdlets. You can directly reuse the PowerShell commands by replacing the provided sample values with values from your VMware Cloud Foundation Planning and Preparation Workbook.

Active Directory security groups and users are assigned to default and custom roles. Password and account lockout policies are configured based on the security and compliance standards used by your organization.

For information on the role-based access control (RBAC) design, see Detailed Design of Identity and Access Management for VMware Cloud Foundation.

Prerequisites

To complete the implementation of Identity and Access Management for VMware Cloud Foundation validated solution, verify that your system fulfills the following prerequisites.

Table 1. Prerequisites for Implementation of Identity and Access Management for VMware Cloud Foundation
Category	Prerequisite
Environment	Verify that your VMware Cloud Foundation version is listed in the Support Matrix for this solution. Verify that you configure your environment according to Before You Apply This Guidance. Verify that you capture all parameters for the Identity and Access Management tab of the VMware Cloud Foundation Planning and Preparation Workbook. Verify that your VMware Cloud Foundation instance is healthy and fully operational.
Software	Download the Workspace ONE Access .ova file and make it available on the machine that you use to access the vSphere Client.
Active Directory	Verify that Active Directory Domain Controllers are available in the environment. Verify that the required service accounts are created in Active Directory. Verify that the required security groups are created in Active Directory.
Certificate Authority	Verify that a Microsoft Certificate Authority is available for the environment. Verify that you download the CertGenVVS utility and it is available for generating certificates. See Certificate Generation Utility for VMware Validated Solutions

If you want to use the infrastructure-as-code method for the implementation and configuration of the Identity and Access Management for VMware Cloud Foundation validated solution, verify that your system fulfills the following prerequisites.

Table 2. Prerequisites for CLI Implementation of Identity and Access Management for VMware Cloud Foundation
CLI Method	Prerequisite
PowerShell	Verify that your system has Microsoft PowerShell 5.1 installed. See Microsoft PowerShell. Verify that your system has VMware OVF Tool version 4.3.0 or higher installed to the default path (C:\Program Files\VMware\VMware OVF Tool\). Verify that your system has OpenSSL version 1.0.2g or higher installed and added to the Windows PATH system variable. Install the PowerValidatedSolutions PowerShell module together with the supporting modules from the PowerShell Gallery by running the following commands. Install-Module -Name VMware.PowerCLI -MinimumVersion 12.7.0 Install-Module -Name VMware.vSphere.SsoAdmin -MinimumVersion 1.3.8 Install-Module -Name ImportExcel -MinimumVersion 7.1.1 Install-Module -Name PowerVCF -MinimumVersion 2.2.0 Install-Module -Name PowerValidatedSolutions -MinimumVersion 2.1.0 Import the PowerValidatedSolutions and the PowerCLI PowerShell modules by running the following commands. Import-Module -Name VMware.PowerCLI -MinimumVersion 12.7.0 Import-Module -Name PowerValidatedSolutions -MinimumVersion 2.1.0