In the process of authenticating to the cloud-based administrative console, after authenticating to the initial login screen using a My VMware account, the individual from your organization enters their Active Directory user account credentials in the second login screen, according to the Active Directory domain you have registered with the environment. The system provides predefined roles that you can assign to your various Active Directory groups. These Active Directory domain-related roles control which areas of the console are viewable and enabled or viewable and deactivated, as the logged-in person navigates through the console. You must assign a role to your organization's appropriate Active Directory groups so that the users in that group can use the console to do the work activities you want them to do.

The role that you assign using the steps here is one of the two types of roles that the console uses to determine both what a person's authenticated session allows that person to view in the console and what actions they can perform on what they can see in the console. In the standard login workflow, the console's first login screen uses My VMware accounts, which are associated with roles using the General Settings page. The second login screen uses Active Directory credentials, which are associated with roles using this Roles & Permissions page. These Active Directory domain-related roles determine the visibility of the console's features and elements. This role also determines which user-interface elements might appear deactivated as the person navigates through the console. For example, a person in an Active Directory group that is assigned the Help Desk Read Only Administrator role can navigate to the user cards for end users and view the information, but not perform operations on the desktops. A person in an Active Directory group that is assigned the Help Desk Administrator role can navigate to the user cards and perform troubleshooting operations as well as view the information.

These Active Directory domain-related roles work in tandem with the roles on the My VMware accounts that people in your organization use to log in using the standard login workflow. Therefore, you must ensure that the overall combination of the two roles continues to reflect the outcomes you want for a particular individual, even as the individual moves to different job positions and Active Directory groups within your organization. For details of the two types of roles and the best-practice pairings of the role assignments, see Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.

Note: Role changes that you make using the Horizon Cloud Service platform — through VMware Cloud services at cloud.vmware.com — do not appear in the Horizon Universal Console. You must make role changes directly in the Horizon Universal Console as described below.
Caution: Keep in mind that the Super Administrator role governs which of your AD user accounts can log in to your Horizon Cloud tenant account and perform administrative operations in the console, including the steps here to assign roles to your AD groups. If you have only a single AD group assigned to the Super Administrator role, do not remove that administrator group from your Active Directory system or change its GUID as it appears in your Active Directory system until you have added another administrator group to this Super Administrator role. If you remove the group from your Active Directory system or change it such that its GUID in your Active Directory system changes, that change is not communicated to the Horizon Cloud control plane, and Horizon Cloud's record of that AD group having the Super Administrator role is broken. If that group is the sole group you have assigned to the Super Administrator role, the result might be that none of the AD accounts that previously could log in with Super Administrator access are able to log in and perform administrative operations, including the operation to assign the role to an AD group to re-establish a set of AD accounts with Super Administrator access. The domain-bind account is always assigned the Super Administrator role. If you have removed your single AD group assigned to the Super Administrator role, and the domain-bind account was not in that group, you can try logging in to the console using the domain-bind account credentials and performing the steps to assign the Super Administrator role to a new AD group. However, if you cannot successfully log in using the domain-bind account, you must contact VMware Support to assist you in recovering administrative access to your tenant account.
Important: These Horizon Cloud roles can be assigned to groups only. The system does not provide a way for you to choose individual Active Directory user accounts for each role.

This point that the roles can be assigned only to groups and not to individual accounts also means you must avoid assigning two roles to the same Active Directory domain group. The Super Administrator role is intended to grant all the permissions to perform all management actions in the console, and the Demo Administrator role is a read-only role. If you give both of those roles to the same Active Directory group, the users in that group do not receive the permissions of the Super Administrator role. Their actions are restricted in the console, which might prevent full management of your environment.

The following predefined roles are provided by default. The predefined roles cannot be modified.

Table 1. Horizon Cloud Role-Based Access Control Groups

Super Administrator
  A mandatory role that you must assign to at least one group in your Active Directory domain and optionally to others. This role grants all the permissions to access all areas of the console and perform management actions in the console.

  The primary and auxiliary domain bind accounts are always assigned the Super Administrator role, which grants all the permissions to perform management actions in the console. You should ensure that your specified domain bind accounts are not accessible to users that you do not want to have Super Administrator permissions.

  Note: If your pod fleet has any pods running manifests older than 1600.0, you must ensure the domain-join account is in one of the groups to which you grant the Super Administrator role. For details, see Service Accounts That Horizon Cloud Requires for Its Operations.

Help Desk Administrator
  A role that you can optionally assign to one or more groups. The purpose of this role is to provide access to the console so that your Active Directory groups with this role can work with the user card features to:
    • See the status of end user sessions.
    • Perform troubleshooting operations on the sessions.

Help Desk Read Only Administrator
  A role that you can optionally assign to one or more groups. The purpose of this role is to provide access to the console so that your Active Directory groups with this role can work with the user card features to see the status of end user sessions.

Demo Administrator
  A role that you can optionally assign to one or more groups. When paired with the Customer Administrator Readonly role on the My VMware account, the users in this group can view the settings and select options to see additional choices in the console, but the selections do not change the configuration settings.

Prerequisites

Caution: Prior to assigning roles to your existing Active Directory groups, review the user account membership in the Active Directory groups to ensure a user account receives only one of these Horizon Cloud roles. Create specific Active Directory groups if needed. Because these roles are assigned at the level of the Active Directory group, some unexpected results can occur if a user's Active Directory account belongs to two Active Directory groups and each group is assigned a different role. The console's features are visible according to this precedence order:
  1. Super Administrator
  2. Help Desk Administrator
  3. Demo Administrator
  4. Help Desk Read Only Administrator

As a result of this precedence order, if a user's Active Directory account belongs to both Active Directory groups ADGroup1 and ADGroup2, and you assign the Super Administrator role to ADGroup1 and assign the Help Desk Read Only Administrator role to ADGroup2, the console will display all of the features according to the Super Administrator role, instead of the subset of features for the other role, because the Super Administrator role takes precedence.
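The precedence rule above, together with the cautions earlier on this page about a sole Super Administrator group and about a single group carrying two roles, can be checked before you assign roles. The following is example code added to this page, not VMware's own tooling; the group names, account names and role assignments are constructed sample data standing in for what you would export from your Active Directory and from the Roles & Permissions page.

```python
from collections import defaultdict

# Precedence order stated on this page: the first match is the role the
# console applies when a user's groups carry more than one role.
PRECEDENCE = ["Super Administrator", "Help Desk Administrator",
              "Demo Administrator", "Help Desk Read Only Administrator"]

# Constructed sample data (not from a real tenant): role -> AD groups set on
# the Roles & Permissions page, and AD group -> member account names.
ROLE_ASSIGNMENTS = {
    "Super Administrator": {"ADGroup1"},
    "Help Desk Read Only Administrator": {"ADGroup2"},
    "Demo Administrator": {"ADGroup3", "ADGroup1"},  # ADGroup1 holds two roles
}
GROUP_MEMBERS = {"ADGroup1": {"alice"}, "ADGroup2": {"alice", "bob"},
                 "ADGroup3": {"carol"}}

def effective_role(user_groups, role_assignments):
    """Role the console applies for a user who belongs to user_groups."""
    held = {r for r, gs in role_assignments.items() if user_groups & gs}
    return next((r for r in PRECEDENCE if r in held), None)

def audit(role_assignments, group_members):
    """Findings for the three conditions this page warns about."""
    findings = []
    # Caution: a sole Super Administrator group is a lock-out risk.
    if len(role_assignments.get("Super Administrator", ())) < 2:
        findings.append("Super Administrator is assigned to fewer than two groups")
    # A group carrying two roles does not get the union of their permissions.
    group_roles = defaultdict(set)
    for role, groups in role_assignments.items():
        for g in groups:
            group_roles[g].add(role)
    for g, roles in sorted(group_roles.items()):
        if len(roles) > 1:
            findings.append(f"group {g} is assigned several roles: {sorted(roles)}")
    # Prerequisite: each user account should receive only one of these roles.
    user_groups = defaultdict(set)
    for g, members in group_members.items():
        for u in members:
            user_groups[u].add(g)
    for u, groups in sorted(user_groups.items()):
        roles = {r for r, gs in role_assignments.items() if groups & gs}
        if len(roles) > 1:
            findings.append(f"user {u} receives {sorted(roles)}; the console "
                            f"applies {effective_role(groups, role_assignments)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ROLE_ASSIGNMENTS, GROUP_MEMBERS)))
```

With the sample data, the audit reports the single Super Administrator group, ADGroup1 carrying two roles, and alice resolving to Super Administrator despite also being in the Help Desk Read Only Administrator group, which is the ADGroup1/ADGroup2 case described above.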

Also review the roles assigned to the group's members' My VMware accounts to ensure those roles are aligned with the role you are assigning to their Active Directory group. Follow the best-practice pairings described in Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.

Procedure

  1. In the console, navigate to Settings > Roles & Permissions.
  2. Select one of the predefined roles and click Edit.
  3. Use the search box to search for and select an Active Directory group.
    You must type at least three characters into the search box to have results appear.
    The group is added to the set of selected groups.
  4. Click Save.

What to do next

Ensure the users in the domain group have the appropriate roles on their My VMware accounts. See Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment and Give Administrative Roles to Individuals in Your Organization for Logging In To and Performing Actions in Your Horizon Cloud Tenant Environment Using the Horizon Universal Console.