When someone in your organization logs in to the cloud-based administrative console, they first authenticate at the initial login screen and then, at the second login screen, enter the credentials of their user account in the Active Directory domain you have registered with the environment. The system provides predefined roles that you can assign to your various Active Directory groups. These Active Directory domain-related roles control which areas of the console are viewable and enabled, or viewable but deactivated, as the logged-in person navigates through the console. You must assign a role to the appropriate Active Directory groups in your organization so that the users in those groups can use the console to do the work you want them to do.
Whether a feature described in this documentation appears in your console depends on the following:
- Whether the feature depends on system code available only in the latest Horizon Cloud pod manifest, Horizon pod version, or Horizon Cloud Connector version.
- Whether access to the feature is in Limited Availability, as stated in the Release Notes at the feature's debut.
- Whether the feature requires specific licensing or SKUs.
When this documentation mentions a feature that you do not see in the console, first check the Release Notes to see whether access to the feature is limited and how you can request that it be enabled in your tenant. Alternatively, when you believe you are entitled to use a feature described in this documentation and you do not see it in the console, you can ask your VMware Horizon Cloud Service representative or, if you do not have a representative, file a service request (SR) to the Horizon Cloud Service team as described in How to file a Support Request in Customer Connect (VMware KB 2006985).
The role that you assign using the steps here is one of the two types of roles that the console uses to determine both what a person's authenticated session allows that person to view in the console and what actions they can perform on what they can see in the console.
In the standard login workflow, the console's first login screen uses VMware Customer Connect accounts, which are associated with roles using the General Settings page. These accounts were called My VMware accounts in the past.
The second login screen uses Active Directory (AD) credentials, which are associated with roles using this Roles & Permissions page. These AD domain-related roles determine the visibility of the console's features and elements. This role also determines which user-interface elements might appear deactivated as the person navigates through the console.
For example, a person in an AD group that is assigned the Assignment Administrator role can perform operations related to the management of end-user assignments and farms, but cannot perform other types of operations. A person in an AD group with the Help Desk Read Only Administrator role can navigate to the user cards for end users and view the information, but not perform troubleshooting operations on user sessions. In contrast, a person in an AD group with the Help Desk Administrator role can navigate to and view information on user cards and also perform troubleshooting operations on user sessions. For the Help Desk Administrator role, you can also limit the scope of troubleshooting operations that an AD group can perform.
These AD domain-related roles work in tandem with the roles on the VMware Customer Connect accounts that people in your organization use to log in using the standard login workflow. Therefore, you must ensure that the overall combination of the two roles continues to reflect the outcomes you want for a particular individual, even as the individual moves to different job positions and AD groups within your organization. For details of the two types of roles and the best-practice pairings of the role assignments, see Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.
Because roles can be assigned only to groups and not to individual accounts, you must also avoid assigning two roles to the same AD group. The Super Administrator role is intended to grant all the permissions to perform all management actions in the console, and the Demo Administrator role is a read-only role. If you give both of those roles to the same AD group, the users in that group do not receive the permissions of the Super Administrator role. Their actions are restricted in the console, which might prevent full management of your environment.
The following predefined roles are provided by default. The predefined roles cannot be modified.
| Role | Description |
|---|---|
| Super Administrator | A mandatory role that you must assign to at least one group in your AD domain and optionally to others. This role grants all the permissions to access all areas of the console and perform management actions in the console. The primary and auxiliary domain bind accounts are always assigned the Super Administrator role, which grants all the permissions to perform management actions in the console. You should ensure that your specified domain bind accounts are not accessible to users that you do not want to have Super Administrator permissions. Note: If your pod fleet has any pods running manifests older than 1600.0, you must ensure the domain-join account is in one of the groups to which you grant the Super Administrator role. For details, see Service Accounts That Horizon Cloud Requires for Its Operations. |
| Assignment Administrator | If your tenant environment is enabled for this capability, you can optionally assign this role to one or more groups. AD groups with this role have access to the console to create, modify, and delete end-user assignments and farms. Groups with this role can also perform operations related to the management of assignments and farms, such as VM configuration, power management, and configuration of remote applications. |
| Help Desk Administrator | A role that you can optionally assign to one or more groups. The purpose of this role is to provide access to the console so that your AD groups with this role can work with the user card features to: By default, AD groups with this role have permissions to perform troubleshooting operations on sessions associated with any assignment or farm listed in the console. If your tenant environment is enabled for this capability, you can also optionally modify the permissions for a group to limit the scope of that group's troubleshooting operations to only those sessions associated with certain assignments and farms. To modify the permissions scope of a group, click the edit icon for that group. Note: If you include an assignment or farm in the permissions scope of an AD group and later try to delete that assignment or farm, it is immediately removed from the permissions scope of the group. If the deletion process fails and the assignment or farm is still present, you must manually add it back into the permissions scope to preserve the group's access to it. |
| Help Desk Read Only Administrator | A role that you can optionally assign to one or more groups. The purpose of this role is to provide access to the console so that your AD groups with this role can work with the user card features to see the status of end user sessions. |
| Demo Administrator | A role that you can optionally assign to one or more groups. When paired with the Customer Administrator Readonly role on the VMware Customer Connect account, the users in this group can view the settings and select options to see additional choices in the console, but the selections do not change the configuration settings. |
- Prior to assigning roles to your existing Active Directory groups, review the user account membership in the Active Directory groups to ensure a user account receives only one of these Horizon Cloud roles. Create specific Active Directory groups if needed. Because these roles are assigned at the level of the Active Directory group, some unexpected results can occur if a user's Active Directory account belongs to two Active Directory groups and each group is assigned a different role. The console's features are visible according to this precedence order:
  - Super Administrator
  - Assignment Administrator
  - Help Desk Administrator
  - Demo Administrator
  - Help Desk Read Only Administrator
  As a result of this precedence order, if a user's Active Directory account belongs to both Active Directory groups ADGroup1 and ADGroup2, and you assign the Super Administrator role to ADGroup1 and the Help Desk Read Only Administrator role to ADGroup2, the console displays all of the features according to the Super Administrator role, instead of the subset of features for the other role, because the Super Administrator role takes precedence.
- Also review the roles assigned to the group's members' VMware Customer Connect accounts to ensure those roles are aligned with the role you are assigning to their Active Directory group. Follow the best-practice pairings described in Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.
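The membership review in the first prerequisite and the precedence rule above are easy to get wrong by hand once there are more than a few groups. The following script is an added example, not code from the Horizon Cloud documentation or product. It takes the role-to-group assignments you configured on the Roles & Permissions page and an export of AD group membership (the group and user names below are constructed sample data, and the dictionaries are assumed inputs you would fill from your own directory), then reports groups that hold more than one role, users who inherit more than one role through different groups, and the role the console applies to each user under the documented precedence order. Members of a group that holds two roles get no effective role in the report, because the documentation states that such a group does not receive the higher role's permissions.

```python
"""Audit Horizon Cloud AD-group role assignments against the documented precedence order.

Added example; group and user names are constructed, and the input dictionaries are
assumed to be filled from your own Roles & Permissions page and an AD group export.
"""
from collections import defaultdict

# Precedence order from the documentation, highest precedence first.
ROLE_PRECEDENCE = [
    "Super Administrator",
    "Assignment Administrator",
    "Help Desk Administrator",
    "Demo Administrator",
    "Help Desk Read Only Administrator",
]
RANK = {role: index for index, role in enumerate(ROLE_PRECEDENCE)}


def effective_role(user_roles):
    """Return the role the console applies for a user who inherits several roles."""
    held = [role for role in user_roles if role in RANK]
    if not held:
        return None
    return min(held, key=RANK.__getitem__)


def audit(role_assignments, group_members):
    """Return findings for the given assignments and memberships.

    role_assignments: {role: [group, ...]} as configured on Roles & Permissions.
    group_members:    {group: [user, ...]} as exported from Active Directory.
    """
    # Invert role -> groups into group -> roles so we can spot groups holding two roles.
    group_roles = defaultdict(set)
    for role, groups in role_assignments.items():
        for group in groups:
            group_roles[group].add(role)
    multi_role_groups = {g: sorted(r) for g, r in group_roles.items() if len(r) > 1}

    # Collect every role each user inherits, and note users in a multi-role group.
    user_roles = defaultdict(set)
    users_in_multi_role_groups = set()
    for group, roles in group_roles.items():
        for user in group_members.get(group, ()):
            user_roles[user] |= roles
            if len(roles) > 1:
                users_in_multi_role_groups.add(user)

    multi_role_users = {u: sorted(r) for u, r in user_roles.items() if len(r) > 1}
    effective = {}
    for user, roles in user_roles.items():
        # A group holding two roles restricts its members; do not claim a role for them.
        if user in users_in_multi_role_groups:
            effective[user] = None
        else:
            effective[user] = effective_role(roles)
    return {
        "multi_role_groups": multi_role_groups,
        "multi_role_users": multi_role_users,
        "effective_role": effective,
    }


# Constructed sample data (hypothetical names): ADGroup3 is mistakenly given two roles.
SAMPLE_ASSIGNMENTS = {
    "Super Administrator": ["ADGroup1", "ADGroup3"],
    "Help Desk Read Only Administrator": ["ADGroup2"],
    "Demo Administrator": ["ADGroup3"],
}
SAMPLE_MEMBERS = {
    "ADGroup1": ["alice"],
    "ADGroup2": ["alice", "bob"],
    "ADGroup3": ["carol"],
}

if __name__ == "__main__":
    findings = audit(SAMPLE_ASSIGNMENTS, SAMPLE_MEMBERS)
    for group, roles in findings["multi_role_groups"].items():
        print(f"GROUP {group} holds more than one role: {', '.join(roles)}")
    for user, roles in findings["multi_role_users"].items():
        print(f"USER {user} inherits more than one role: {', '.join(roles)}")
    for user, role in findings["effective_role"].items():
        print(f"{user}: effective console role = {role or 'restricted (group holds two roles)'}")
```

Running the block with the sample data reproduces the documented example (alice, in both ADGroup1 and ADGroup2, is shown as Super Administrator) and flags ADGroup3 and its member carol. Feed it your real assignments and a membership export and fix every finding before granting the roles.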
- In the console, navigate to .
- Select one of the predefined roles and click Edit.
- Use the search box to search for and select an Active Directory group.
  You must type at least three characters into the search box to have results appear. The group is added to the set of selected groups.
- Click Save.
Important: The system prevents saving the selected groups to the role if the save action would result in exceeding the system's supported maximum number of Active Directory groups that can be assigned across all roles. The supported maximum is stated in the Prerequisites section of this documentation topic.
What to do next
Ensure the users in the domain group have the appropriate roles on their VMware Customer Connect accounts. See Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment and Give Administrative Roles to Individuals in Your Organization for Logging In To and Performing Actions in Your Horizon Cloud Tenant Environment Using the Horizon Universal Console.