vRealize Orchestrator Plug-in for Horizon uses a trusted account security model. The administrator provides the credentials during the initial configuration of the connection between the Horizon 7 pod and the plug-in. That trusted account is the security context that all workflows use between vRealize Orchestrator and Horizon 7.
Additional levels of permissions also restrict which users can see and edit the workflows within vRealize Orchestrator. All vRealize Orchestrator Plug-in for Horizon workflows must be explicitly configured for execution. Access to the workflows requires both the permissions and interaction with the vRealize Orchestrator client.
The third level of security is an access layer between vRealize Orchestrator, where the workflows are run, and the vSphere Web Client and vRealize Automation, where they are exposed to delegated administrators and end users.
- Administrators use the VMware vCenter® Single Sign-On implementation to allow access by users or groups to run workflows within vSphere Web Client.
- Administrators use the service catalog and entitlement mechanisms within vRealize Automation to manage which workflows are exposed to specific users and groups.