To manage access to services provided by vRealize Automation, assign organization roles and service roles to Active Directory security groups.

You assign organization and service roles to the groups that you synchronized for vRealize Automation from the Identity Provider into Workspace ONE Access.

Table 1. Active Directory Security Groups and Roles for vRealize Automation

| Group Description | Organization Role | Service Role |
|---|---|---|
| Organization owners | Organization Owner | None |
| Cloud Assembly administrators | Organization Member | Cloud Assembly administrator |
| Cloud Assembly users | Organization Member | Cloud Assembly user |
| Cloud Assembly viewers | Organization Member | Cloud Assembly viewer |
| Service Broker administrators | Organization Member | Service Broker administrator |
| Service Broker users | Organization Member | Service Broker user |
| Service Broker viewers | Organization Member | Service Broker viewer |
| Orchestrator administrators | Organization Member | Orchestrator administrator |
| Orchestrator workflow designers | Organization Member | Orchestrator workflow designer |
| Orchestrator viewers | Organization Member | Orchestrator viewer |

UI Procedure

  1. Log in to the vRealize Automation cloud services console at https://<vra_cluster_fqdn>/csp/gateway/portal as configadmin in the system domain.

  2. On the main navigation bar, click Identity and access management.

  3. Click the Enterprise groups tab and click Assign roles.

  4. Assign an organization role and a service role to each of your Active Directory security groups from the VMware Cloud Foundation Planning and Preparation Workbook.

PowerShell Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    # SDDC Manager FQDN and credentials
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    
    # vRealize Automation account used to assign the roles
    $vraUser = "configadmin"
    $vraPass = "VMw@re1!"
    # Active Directory security groups that receive roles
    $orgOwner = "gg-vra-org-owners@sfo.rainpole.io"
    $cloudAssemblyAdmins = "gg-vra-cloud-assembly-admins@sfo.rainpole.io"
    $cloudAssemblyUsers = "gg-vra-cloud-assembly-users@sfo.rainpole.io"
    $cloudAssemblyViewers = "gg-vra-cloud-assembly-viewers@sfo.rainpole.io"
    $serviceBrokerAdmins = "gg-vra-service-broker-admins@sfo.rainpole.io"
    $serviceBrokerUsers = "gg-vra-service-broker-users@sfo.rainpole.io"
    $serviceBrokerViewers = "gg-vra-service-broker-viewers@sfo.rainpole.io"
    $orchestratorAdmins = "gg-vra-orchestrator-admins@sfo.rainpole.io"
    $orchestratorDesigners = "gg-vra-orchestrator-designers@sfo.rainpole.io"
    $orchestratorViewers = "gg-vra-orchestrator-viewers@sfo.rainpole.io"

  3. Assign an organization role and a service role to each of your Active Directory security groups from the VMware Cloud Foundation Planning and Preparation Workbook.

    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $orgOwner -orgRole org_owner
    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $cloudAssemblyAdmins -orgRole org_member -serviceRole automationservice:cloud_admin
    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $cloudAssemblyUsers -orgRole org_member -serviceRole automationservice:user
    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $cloudAssemblyViewers -orgRole org_member -serviceRole automationservice:viewer
    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $serviceBrokerAdmins -orgRole org_member -serviceRole catalog:admin
    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $serviceBrokerUsers -orgRole org_member -serviceRole catalog:user
    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $serviceBrokerViewers -orgRole org_member -serviceRole catalog:viewer
    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $orchestratorAdmins -orgRole org_member -serviceRole orchestration:admin
    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $orchestratorDesigners -orgRole org_member -serviceRole orchestration:designer
    Add-vRAGroup -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -vraUser $vraUser -vraPass $vraPass -displayName $orchestratorViewers -orgRole org_member -serviceRole orchestration:viewer
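
The same assignments can be driven from a single role plan that is checked before anything is applied. The following is an added example, not code from the original procedure: `Test-RolePlan` is a hypothetical helper, the `Get-Credential` prompts replace the plaintext sample passwords, and `Add-vRAGroup` is called only with the parameters shown above.

```powershell
# Added example. Role identifiers are the ones used on this page; group names are its sample values.
$orgRoles     = 'org_owner', 'org_member'
$serviceRoles = 'automationservice:cloud_admin', 'automationservice:user', 'automationservice:viewer',
                'catalog:admin', 'catalog:user', 'catalog:viewer',
                'orchestration:admin', 'orchestration:designer', 'orchestration:viewer'
$domain = 'sfo.rainpole.io'
$plan = @(
    @{ Group = "gg-vra-org-owners@$domain";             OrgRole = 'org_owner';  ServiceRole = $null }
    @{ Group = "gg-vra-cloud-assembly-admins@$domain";  OrgRole = 'org_member'; ServiceRole = 'automationservice:cloud_admin' }
    @{ Group = "gg-vra-cloud-assembly-users@$domain";   OrgRole = 'org_member'; ServiceRole = 'automationservice:user' }
    @{ Group = "gg-vra-cloud-assembly-viewers@$domain"; OrgRole = 'org_member'; ServiceRole = 'automationservice:viewer' }
    @{ Group = "gg-vra-service-broker-admins@$domain";  OrgRole = 'org_member'; ServiceRole = 'catalog:admin' }
    @{ Group = "gg-vra-service-broker-users@$domain";   OrgRole = 'org_member'; ServiceRole = 'catalog:user' }
    @{ Group = "gg-vra-service-broker-viewers@$domain"; OrgRole = 'org_member'; ServiceRole = 'catalog:viewer' }
    @{ Group = "gg-vra-orchestrator-admins@$domain";    OrgRole = 'org_member'; ServiceRole = 'orchestration:admin' }
    @{ Group = "gg-vra-orchestrator-designers@$domain"; OrgRole = 'org_member'; ServiceRole = 'orchestration:designer' }
    @{ Group = "gg-vra-orchestrator-viewers@$domain";   OrgRole = 'org_member'; ServiceRole = 'orchestration:viewer' }
)

# Hypothetical helper: returns one message per problem found, or nothing when the plan is clean.
function Test-RolePlan {
    param([hashtable[]]$Plan)
    $issues = @()
    foreach ($e in $Plan) {
        if ($e.OrgRole -notin $orgRoles) { $issues += "$($e.Group): unknown organization role '$($e.OrgRole)'" }
        if ($e.ServiceRole -and $e.ServiceRole -notin $serviceRoles) { $issues += "$($e.Group): unknown service role '$($e.ServiceRole)'" }
        if ($e.OrgRole -eq 'org_member' -and -not $e.ServiceRole) { $issues += "$($e.Group): organization member without a service role" }
    }
    foreach ($g in ($Plan | Group-Object { $_.Group } | Where-Object { $_.Count -gt 1 })) {
        $issues += "$($g.Name): listed more than once"
    }
    $issues
}

$issues = Test-RolePlan -Plan $plan
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }   # nothing is assigned until the plan is clean
} else {
    # Prompt for the passwords so they are not stored in the script or the console history.
    $sddc = Get-Credential -UserName 'administrator@vsphere.local' -Message 'SDDC Manager account'
    $vra  = Get-Credential -UserName 'configadmin' -Message 'vRealize Automation account'
    foreach ($e in $plan) {
        $p = @{ server = 'sfo-vcf01.sfo.rainpole.io'; displayName = $e.Group; orgRole = $e.OrgRole
                user = $sddc.UserName; pass = $sddc.GetNetworkCredential().Password
                vraUser = $vra.UserName; vraPass = $vra.GetNetworkCredential().Password }
        if ($e.ServiceRole) { $p.serviceRole = $e.ServiceRole }   # the organization owners group has none
        Add-vRAGroup @p
    }
}
```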