VMware Data Services Manager user accounts can originate from two different identity sources: the Provider local database (Local user) and a configured LDAP server (LDAP user). VMware Data Services Manager manages Local users and LDAP users independently and differently.

Recall that a VMware Data Services Manager organization comprises one or more users:

  • The Provider Org includes a single Provider Administrator Local user, and may include one or more LDAP users assigned the Provider Administrator role.
  • Similarly, a Tenant Org created by a Provider Administrator user includes at least one user, Local or LDAP. Each user in an organization is assigned the Organization Administrator or Organization User role in the org.

Local Users

The first Local user account created by VMware Data Services Manager is the Provider Administrator user created during deployment of the Provider VM. This user is mandatory and cannot be deleted. VMware Data Services Manager does not support adding further Local users in the Provider Administrator role.

When a Provider Administrator user creates a Local user via the VMware Data Services Manager console, they must identify the organization to which the user belongs. A Local user can be a member of only a single organization.

VMware Data Services Manager uses the Email ID of a Local user as their account identifier. The Email ID of a user must be unique. (VMware Data Services Manager does not send a validation email to verify the supplied address.)

VMware Data Services Manager does not allow two organizations to share a Local user member with the exact same email address. If an individual must be a member of two organizations as a Local user, they must have two local accounts that specify different Email IDs and have different organization assignments.

LDAP Users

An LDAP user is a user imported into VMware Data Services Manager from an existing LDAP identity provider. A Provider Administrator user must configure an LDAP server for the VMware Data Services Manager installation before LDAP users can be imported. This configuration may be completed during VMware Data Services Manager installation or after.

VMware Data Services Manager uses the configured LDAP server for both authentication and authorization.

The VMware Data Services Manager permissions assigned to an LDAP user depend on the LDAP groups of which they are a member, and on the assignment and mapping of these LDAP groups to organizations and roles:

  • An LDAP user can be a member of the Provider organization and a VMware Data Services Manager Tenant Org.
  • Depending upon the configuration of LDAP groups in the identity provider, an LDAP user may belong to more than one VMware Data Services Manager organization.
  • An LDAP user can have multiple roles in each member organization.

Login Process

For a given login, VMware Data Services Manager first attempts to authenticate a user as a Local user.

If the Email ID used to log in to VMware Data Services Manager matches that of a Local user and the correct password is provided, authentication succeeds. VMware Data Services Manager performs no further authentication or processing with LDAP.

If no matching Local user is found, VMware Data Services Manager attempts to authenticate against the configured LDAP server. If the domain name of the Email ID matches the registered LDAP server and the password is valid, authentication succeeds.

After successful authentication of any type, the user must select an organization for the current session. A Local user can choose the (single) organization to which they belong. An LDAP user may have multiple organizations and roles (format: Organization_name [role]) to choose from.

An LDAP user that is logged into an active VMware Data Services Manager session can change the effective organization/role for the session via a drop-down menu located in the upper right corner of the console.

Note: Be sure to keep user login precedence in mind as you create and import users into your VMware Data Services Manager installation.
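
The login precedence described above can be modelled to audit for Email IDs that exist in both identity sources. The following is an added example, not VMware code: the `IdentityStores` structure, function names, accounts and passwords are constructed for illustration. It assumes, following the wording above, that LDAP is consulted only when no Local user matches the Email ID, so a Local match with a wrong password fails without an LDAP attempt.

```python
import hmac
from dataclasses import dataclass

@dataclass
class IdentityStores:          # hypothetical model of the two identity sources
    local: dict                # Email ID -> (password, organization)
    ldap: dict                 # Email ID -> (password, ["Organization_name [role]", ...])
    ldap_domain: str           # domain registered for the configured LDAP server

def _password_ok(expected, supplied):
    # Constant-time comparison; plaintext passwords are for the model only.
    return hmac.compare_digest(expected.encode(), supplied.encode())

def login(stores, email_id, password):
    """Return (identity_source, session_choices), or None if authentication fails."""
    # Step 1: Local users are always tried first.
    if email_id in stores.local:
        expected, org = stores.local[email_id]
        # Assumption: a Local match with a wrong password does not fall back to LDAP.
        return ("local", [org]) if _password_ok(expected, password) else None
    # Step 2: LDAP is tried only when no Local user matches and the domain is registered.
    if email_id.rpartition("@")[2] != stores.ldap_domain:
        return None
    entry = stores.ldap.get(email_id)
    if entry is not None and _password_ok(entry[0], password):
        return ("ldap", entry[1])
    return None

def shadowed_ldap_identities(stores):
    """Email IDs present in both sources: the Local account always wins at login,
    so the LDAP group-derived organizations and roles are never offered."""
    return sorted(set(stores.local) & set(stores.ldap))

# Constructed sample data.
SAMPLE = IdentityStores(
    local={"alice@corp.example": ("local-pw", "TenantA")},
    ldap={
        "alice@corp.example": ("ldap-pw", ["Provider [Provider Administrator]",
                                           "TenantB [Organization User]"]),
        "bob@corp.example": ("bob-pw", ["TenantA [Organization Administrator]"]),
    },
    ldap_domain="corp.example",
)

if __name__ == "__main__":
    print(login(SAMPLE, "alice@corp.example", "ldap-pw"))   # shadowed: LDAP password rejected
    print(login(SAMPLE, "bob@corp.example", "bob-pw"))      # LDAP-only user succeeds
    print(shadowed_ldap_identities(SAMPLE))
```

Running a check like `shadowed_ldap_identities` against exported user lists before importing LDAP users surfaces accounts whose LDAP roles would be unreachable.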