As an organization owner, you add users to your organization and provide access to the VMware Aria Automation services.

As the cloud administrator for VMware Aria Automation, you establish an integration with your organization's identity provider through Workspace ONE Access, which allows you to use your organization's directory services for VMware Aria Automation authentication. After the integration, you control authorization to your VMware Aria Automation organization, services, and projects by assigning organization and service roles to security groups, such as Active Directory security groups. The Organization owner role allows you to add users and security groups to your organization and provide access to the VMware Aria Automation services.

Assigning roles to security groups is more efficient than assigning roles to individual users. As an Organization owner, you determine the members that make up your groups and what roles they are assigned. In VMware Aria Automation, enterprise groups are groups that are derived from your Workspace ONE Access connected directories and available for use in your organization. As an Organization owner, you can add and change the role assignment for an enterprise group. In this solution, enterprise groups are used to assign organization, service, and project roles.

For more information about organization roles and their permissions, see the VMware Aria Automation documentation.

For information about the roles for the VMware Aria Automation services in this design, see Service Roles Design for VMware Aria Automation Assembler for Private Cloud Automation for VMware Cloud Foundation, Service Role Design for VMware Aria Automation Service Broker for Private Cloud Automation for VMware Cloud Foundation, and Service Role Design for VMware Aria Automation Orchestrator for Private Cloud Automation for VMware Cloud Foundation.

Table 1. Design Decisions on Identity Management for VMware Aria Automation

Decision ID: PCA-VAA-SEC-001
Design Decision: Limit the use of the local accounts for both interactive or API access and solution integration.
Design Justification: Local accounts are not specific to a user identity and do not offer complete auditing from an endpoint back to the user identity.
Design Implication: You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

Decision ID: PCA-VAA-SEC-002
Design Decision: Limit the scope and privileges for accounts used for both interactive or API access and solution integration.
Design Justification: The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.
Design Implication: You might need to define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

Decision ID: PCA-VAA-SEC-003
Design Decision: Assign Active Directory user accounts to security groups following your organization's access policies.
Design Justification: Allows Active Directory security groups to be assigned to roles in SDDC components for streamlined management of access and administrative privileges.
Design Implication: You must define and manage security groups, group membership, and security controls in Active Directory.

Decision ID: PCA-VAA-SEC-004
Design Decision: Assign Active Directory security groups to default or custom roles, as applicable, for interactive or API access to solution components based on your organization's business and security requirements.
Design Justification:
  • Using Active Directory security group membership provides greater flexibility in granting access to roles across solution components.
  • Ensuring that each user logs in with a unique Active Directory user account provides greater visibility for auditing.
  • Each organization has its own internal processes. Evaluate the needs for additional role separation in your organization and implement mapping from Active Directory users to Active Directory security groups and default or custom roles.
Design Implication:
  • You must manage the privileges assigned to custom roles.
  • You must manage the assignment and scope of the roles based on the business and security requirements.
  • Additional Active Directory security groups must be created before assigning roles.
  • You must maintain the life cycle and availability of Active Directory security groups outside of the SDDC stack.
  • The principle of least privilege is only one aspect of access management and should be part of a comprehensive defense-in-depth security strategy that's aligned with organization personas.

Decision ID: PCA-VAA-SEC-005
Design Decision: Activate VMware Aria Automation integration with Active Directory by using the clustered Workspace ONE Access deployment.
Design Justification:
  • Allows authentication for VMware Aria Automation using Active Directory as the identity provider.
  • Allows authorization through the assignment of both VMware Aria Automation organization and service roles to users and security groups defined in Active Directory.
Design Implication:
  • You must deploy and configure the clustered Workspace ONE Access nodes to establish the integration between VMware Aria Automation and Active Directory.
  • The clustered Workspace ONE Access deployment must be sized and scaled to support the VMware Aria Automation size and scale.

Decision ID: PCA-VAA-SEC-006
Design Decision: Assign VMware Aria Automation organization, service, and project roles to designated Active Directory security groups synchronized to the clustered Workspace ONE Access deployment.
Design Justification: By assigning Active Directory security groups to organization and service roles, you can simplify and manage user access to VMware Aria Automation based on the Active Directory security group membership.
Design Implication: You must define and manage the security groups, group membership, and security controls in Active Directory for those directory services objects used by VMware Aria Automation.
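As an added illustration of how decisions PCA-VAA-SEC-001, PCA-VAA-SEC-003 and PCA-VAA-SEC-006 can be checked in practice, the following Python audit walks a list of role assignments and reports any that conflict with them. This is example code, not part of the VMware design or the VMware Aria Automation API; the assignment records are a constructed, hypothetical export format, and the role and group names are constructed sample values.

```python
"""Audit role assignments against the identity design decisions.

Added example, not VMware code. Each record is one role assignment in
the organization; the record layout is a hypothetical export format.
A real audit would populate it from the VMware Aria Automation role
assignment views or an exported report.
"""
from dataclasses import dataclass

# Constructed sample export. "principal_type" is "group" or "user";
# "source" names where the principal is defined.
SAMPLE_ASSIGNMENTS = [
    {"principal": "grp-vaa-org-owners", "principal_type": "group",
     "source": "ActiveDirectory", "role": "Organization Owner"},
    {"principal": "grp-vaa-assembler-admins", "principal_type": "group",
     "source": "ActiveDirectory", "role": "Assembler Administrator"},
    {"principal": "jdoe", "principal_type": "user",
     "source": "ActiveDirectory", "role": "Service Broker Viewer"},
    {"principal": "local-admin", "principal_type": "user",
     "source": "Local", "role": "Organization Owner"},
]


@dataclass(frozen=True)
class Finding:
    decision_id: str
    principal: str
    role: str
    message: str


def audit_assignments(assignments):
    """Return one Finding per assignment that conflicts with the design."""
    findings = []
    for a in assignments:
        if a["source"] == "Local":
            # PCA-VAA-SEC-001: local accounts cannot be audited back to a person.
            findings.append(Finding("PCA-VAA-SEC-001", a["principal"], a["role"],
                                    "local account holds a role; use an Active Directory identity"))
            continue
        if a["principal_type"] == "user":
            # PCA-VAA-SEC-003: roles go to AD security groups, not individual users.
            findings.append(Finding("PCA-VAA-SEC-003", a["principal"], a["role"],
                                    "role assigned directly to a user; assign it via an AD security group"))
        elif a["source"] != "ActiveDirectory":
            # PCA-VAA-SEC-006: groups must be AD groups synchronized via Workspace ONE Access.
            findings.append(Finding("PCA-VAA-SEC-006", a["principal"], a["role"],
                                    "group is not an Active Directory group synchronized to Workspace ONE Access"))
    return findings


if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f.decision_id}: {f.principal} ({f.role}): {f.message}")
```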