About Identity and Access Management for VMware Cloud Foundation

The Identity and Access Management for VMware Cloud Foundation validated solution provides detailed design, implementation, configuration, and operation guidance on the use of Active Directory as an identity provider and authentication source, and on the use of role-based access control (RBAC) in VMware Cloud Foundation™ SDDC Manager™, VMware vCenter Server^®, VMware ESXi™, and VMware NSX-T™ Data Center. This document also provides guidance on password management, password policies, and account lockout policies where applicable for the components of the solution.

A VMware validated solution is a technical validated implementation that is built and tested by VMware and VMware partners to help customers resolve common business use cases. VMware validated solutions are operational, cost-effective, performant, reliable, and secure. Each solution contains a detailed design, implementation, and operational guidance.

Automation for This Design in VMware Cloud Foundation

The implementation tasks for some design decisions are automated by VMware Cloud Foundation™ SDDC Manager. You must perform the implementation manually for the rest of the design decisions as noted in the design implication.

To provide a fast and efficient path to automating the Identity and Access Management for VMware Cloud Foundation implementation, this document provides Microsoft PowerShell cmdlets as code-based alternatives to completing certain procedures in each SDDC component's user interface. You can directly reuse the PowerShell commands by replacing the provided sample values with values from your VMware Cloud Foundation Planning and Preparation Workbook.

Intended Audience

The Identity and Access Management for VMware Cloud Foundation documentation is intended for cloud architects and administrators who are familiar with and want to use VMware software and a role-based access control solution using a central identity provider for VMware Cloud Foundation.

Support Matrix

The Identity and Access Management for VMware Cloud Foundation validated solution is compatible with certain versions of the VMware products that are used for implementing the solution.

Table 1. Software Components in Identity and Access Management for VMware Cloud Foundation
VMware Cloud Foundation Version	Product Group	Component Versions
4.5.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.5 Release Notes.
4.5.0	Solution-added products	Workspace ONE Access 3.3.6
4.4.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.4.1 Release Notes.
4.4.1	Solution-added products	Workspace ONE Access 3.3.6
4.4.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.4 Release Notes.
4.4.0	Solution-added products	Workspace ONE Access 3.3.6
4.3.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.3.1 Release Notes.
4.3.1	Solution-added products	Workspace ONE Access 3.3.5
4.3.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.3 Release Notes.
4.3.0	Solution-added products	Workspace ONE Access 3.3.5
4.2.1	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.2.1 Release Notes.
4.2.1	Solution-added products	Workspace ONE Access 3.3.4
4.2.0	Products part of VMware Cloud Foundation	See VMware Cloud Foundation 4.2 Release Notes.
4.2.0	Solution-added products	Workspace ONE Access 3.3.4

Before You Apply This Guidance

To design and implement the Identity and Access Management for VMware Cloud Foundation validated solution, your environment must have a certain configuration.

Table 2. Supported VMware Cloud Foundation Deployment
Workload Domain	Deployment Details
Management domain	Automated deployment using VMware Cloud Builder™ Availability of overlay-backed or VLAN-backed NSX segments in NSX-T Data Center for traffic in the same VMware Cloud Foundation instance and between VMware Cloud Foundation instances not required. See the following VMware Cloud Foundation Documentation: For information on designing the management domain, see VMware Cloud Foundation Design Guide for the Management Domain. For information on deploying the management domain, see VMware Cloud Foundation Getting Started Guide and VMware Cloud Foundation Deployment Guide.
(Optional) One or more virtual infrastructure workload domains	Automated deployment using SDDC Manager. See the following VMware Cloud Foundation Documentation: For information on designing the VI workload domain, see VMware Cloud Foundation Design Guide for a Virtual Infrastructure Workload Domain. For information on deploying the VI workload domain, see VMware Cloud Foundation Getting Started Guide and VMware Cloud Foundation Operations and Administration Guide.

Overview of Identity and Access Management for VMware Cloud Foundation

By applying the Identity and Access Management for VMware Cloud Foundation validated solution, you implement centralized RBAC for the management components of VMware Cloud Foundation, and configure password policies according to security best practices.

Table 3. Implementation Overview of Identity and Access Management for VMware Cloud Foundation
Stage	Steps
1. Plan and prepare the VMware Cloud Foundation environment	Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook.
2. Activate role-based access control on vCenter Server and SDDC Manager	Connect the management domain vCenter Server to Active Directory. Grant the required roles and permissions to Active Directory security groups and service accounts. Configure password rotation and lockout policy for the local and service accounts where applicable.
3. Activate role-based access control on NSX-T Data Center	Deploy a standalone VMware Workspace ONE^® Access™ instance for local use in the VMware Cloud Foundation instance. Connect the standalone Workspace ONE Access instance to Active Directory. Grant the Active Directory security groups and service accounts default or custom roles that are required to manage the standalone Workspace ONE Access instance. Configure password rotation and lockout policy in the standalone Workspace ONE Access instance for the user and service accounts where applicable. Connect the NSX Manager instances for the management and workload domains to the standalone Workspace ONE Access instance. Grant the Active Directory security groups and service accounts that require to access manage or interact with NSX Manager Configure password rotation and lockout policy in NSX-T Data Center for the user and service accounts where applicable. Reconfigure the integration between NSX-T Data Center and vSphere to limit privileges and scope of access of the NSX service accounts in the vCenter Server Single Sign-On.

Update History

The Identity and Access Management for VMware Cloud Foundation validated solution is updated when necessary.


Revision	Description
28 FEB 2023	The PowerValidatedSolutions PowerShell module is now version 2.0.1.
31 JAN 2023	The solution now updates the password policy management design. See Information Security and Access of Identity and Access Management for VMware Cloud Foundation. The solution now provides guidance on password policy management by product for the following procedures. Configuring Password Expiration for Identity and Access Management for VMware Cloud Foundation Configuring Password Complexity Policies for Identity and Access Management for VMware Cloud Foundation Configuring Account Lockout Policies for Identity and Access Management for VMware Cloud Foundation Password Rotation and Remediation for Identity and Access Management for VMware Cloud Foundation The PowerValidatedSolutions PowerShell module is now version 2.0.0, adding support for the following procedure. Password Policy Configuration with the Password Policy Manager in PowerShell
29 NOV 2022	The VMware.PowerCLI PowerShell module is now version 12.7.0. The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.8. The PowerValidatedSolutions PowerShell module is now version 1.10.0.
25 OCT 2022	This validated solution now supports VMware Cloud Foundation 4.5.0. The PowerValidatedSolutions PowerShell module is now version 1.9.0.
27 SEPT 2022	This solution now provides guidance on automated password policy management for specific SDDC components. See Password Policy Configuration with the Password Policy Manager in PowerShell. The PowerValidatedSolutions PowerShell module is now version 1.8.0.
31 MAY 2022	This validated solution now supports VMware Cloud Foundation 4.4.1. The PowerVCF PowerShell module is now version 2.2.0. The PowerValidatedSolutions PowerShell module is now version 1.7.0.
28 APR 2022	The PowerValidatedSolutions PowerShell module is now version 1.6.0, adding support for the following implementation procedures. Add a VMware Identity Manager Adapter for the Standalone Workspace ONE Access Instance
29 MAR 2022	The PowerValidatedSolutions PowerShell module is now version 1.5.0, adding support for the following implementation procedures. Install and Configure the vRealize Log Insight Agent on the Standalone Workspace ONE Access Appliance Create a vRealize Log Insight Identity Manager Agent Group for the Standalone Workspace ONE Access Create a vRealize Log Insight Photon OS Agent Group for the Standalone Workspace ONE Access Removing the procedure Configure the vRealize Log Insight Agent on the Standalone Workspace ONE Access Appliance. This design now includes a design decision IAM-WSA-LOG-003 for configuring a dedicated Identity Manager Agent group for the standalone Workspace ONE Access instance. See Logging for Identity and Access Management for VMware Cloud Foundation. This design now includes a design decision IAM-WSA-LOG-004 for configuring a dedicated Photon OS agent group for the standalone Workspace ONE Access instance. See Logging for Identity and Access Management for VMware Cloud Foundation.
22 FEB 2022	This validated solution now supports VMware Cloud Foundation 4.4.0. This validated solution now requires installation of the ImportExcel PowerShell module. The PowerValidatedSolutions PowerShell module is now version 1.4.0. The VMware.PowerCLI PowerShell module is now version 12.4.1. Adding a procedure for configuring a Ping adapter for the standalone Workspace ONE Access. See Add Ping Adapter for the Standalone Workspace ONE Access Instance.
25 JAN 2022	The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.7. The PowerValidatedSolutions PowerShell module is now version 1.3.0, adding support for the following implementation procedures. Assign NSX-T Data Center Roles to Active Directory Groups
30 NOV 2021	The PowerValidatedSolutions PowerShell module is now version 1.2.0. The PowerVCF PowerShell module is now version 2.1.7.
26 OCT 2021	The PowerValidatedSolutions PowerShell module is now version 1.1.0, adding support for the following implementation procedures. Reconfigure the vSphere Role and Permissions Scope for NSX-T Data Center Service Accounts Create a VM Group for the Standalone Workspace ONE Access Instance The operational guidance now includes shutdown and startup procedures for the solution components. See Shutdown and Startup of Identity and Access Management for VMware Cloud Foundation.
05 OCT 2021	Added support: VMware Cloud Foundation 4.3.1 is now supported. VxRail is now supported.
24 AUG 2021	Initial release.