In the standard login workflow for the cloud-based administrative console, a person from your organization first authenticates on the initial login screen with a My VMware account, and then on a second login screen with the Active Directory credentials of an account in a domain you have registered with the environment. The system provides predefined roles that you assign to your Active Directory groups. These Active Directory domain-related roles control which areas of the console are visible and enabled, and which are visible but deactivated, as the logged-in person navigates the console. You must assign a role to the appropriate Active Directory groups so that the members of those groups can use the console to perform the work you intend for them.
The role that you assign using these steps is one of the two types of roles the console uses to determine what an authenticated person can view in the console and which actions they can perform on what they see. In the standard login workflow, the first login screen uses My VMware accounts, which are associated with roles on the General Settings page. The second login screen uses Active Directory credentials, which are associated with roles on this Roles & Permissions page. These Active Directory domain-related roles determine which console features and elements are visible, and which user-interface elements appear deactivated, as the person navigates the console. For example, a person in an Active Directory group assigned the Help Desk Read Only Administrator role can open the user cards for end users and view the information, but cannot perform operations on the desktops. A person in a group assigned the Help Desk Administrator role can open the user cards, view the information, and also perform troubleshooting operations.
These Active Directory domain-related roles work in tandem with the roles on the My VMware accounts that people in your organization use to log in through the standard login workflow. You must therefore ensure that the combination of the two roles continues to produce the outcome you want for a given individual, even as that individual moves to different job positions and Active Directory groups within your organization. For details of the two types of roles and the best-practice pairings of role assignments, see Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.
Because roles can be assigned only to Active Directory groups and not to individual accounts, you must also avoid assigning two roles to the same Active Directory group. The Super Administrator role is intended to grant all the permissions needed to perform every management action in the console, while the Demo Administrator role is read-only. If you give both of those roles to the same Active Directory group, the users in that group do not receive the permissions of the Super Administrator role. Their actions are restricted in the console, which can prevent full management of your environment.
The following predefined roles are provided by default. The predefined roles cannot be modified.
- Super Administrator: A mandatory role that you must assign to at least one group in your Active Directory domain, and optionally to others. This role grants all the permissions to access all areas of the console and perform management actions in the console.
  The primary and auxiliary domain bind accounts are always assigned the Super Administrator role, which grants all the permissions to perform management actions in the console. Ensure that the credentials of your specified domain bind accounts are not accessible to users whom you do not want to have Super Administrator permissions.
  Note: If your pod fleet has any pods running manifests older than 1600.0, you must ensure that the domain-join account is in one of the groups to which you grant the Super Administrator role. For details, see Service Accounts That Horizon Cloud Requires for Its Operations.
- Help Desk Administrator: A role that you can optionally assign to one or more groups. The purpose of this role is to provide access to the console so that your Active Directory groups with this role can work with the user card features to:
- Help Desk Read Only Administrator: A role that you can optionally assign to one or more groups. The purpose of this role is to provide access to the console so that your Active Directory groups with this role can work with the user card features to see the status of end user sessions.
- Demo Administrator: A role that you can optionally assign to one or more groups. When paired with the Customer Administrator Readonly role on the My VMware account, the users in this group can view the settings and select options to see additional choices in the console, but the selections do not change the configuration settings.
The predefined roles have the following precedence order, from highest to lowest:
- Super Administrator
- Help Desk Administrator
- Demo Administrator
- Help Desk Read Only Administrator
As a result of this precedence order, if a user's Active Directory account belongs to both Active Directory groups ADGroup1 and ADGroup2, and you assign the Super Administrator role to ADGroup1 and assign the Help Desk Read Only Administrator role to ADGroup2, the console will display all of the features according to the Super Administrator role, instead of the subset of features for the other role, because the Super Administrator role takes precedence.
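The following audit helper is an added example, not code from the Horizon Cloud product or its documentation. It models the two rules stated above, that a user who belongs to several role-bearing groups gets the highest role in the precedence order, and that a single Active Directory group should not carry two roles, and it treats the domain bind accounts as always holding Super Administrator. The group names, account names, and the in-memory role and membership maps are constructed for illustration; in practice you would populate them from the Roles & Permissions page and from Active Directory (for example with Get-ADGroupMember), which this example does not do. It generalizes the ADGroup1/ADGroup2 case above to any number of groups and roles.

```python
"""Audit of Horizon Universal Console Active Directory role assignments.

Added example with constructed data. The rules modelled:
  - roles are assigned to AD groups, never to individual accounts;
  - a user's effective role is the highest-precedence role across all
    groups the user belongs to;
  - a single group carrying more than one role is flagged (the page says
    to avoid it);
  - the primary and auxiliary domain bind accounts are always
    Super Administrator.
"""
from typing import Dict, List, Optional, Set

# Precedence order from the page, highest first.
PRECEDENCE: List[str] = [
    "Super Administrator",
    "Help Desk Administrator",
    "Demo Administrator",
    "Help Desk Read Only Administrator",
]
RANK: Dict[str, int] = {role: i for i, role in enumerate(PRECEDENCE)}

# Constructed sample data; group and account names are hypothetical.
# HZN-SuperAdmins deliberately carries two roles so the check fires.
ROLE_TO_GROUPS: Dict[str, Set[str]] = {
    "Super Administrator": {"HZN-SuperAdmins"},
    "Help Desk Administrator": {"HZN-HelpDesk"},
    "Help Desk Read Only Administrator": {"HZN-HelpDesk-RO", "HZN-SuperAdmins"},
    "Demo Administrator": {"HZN-Demo"},
}
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "HZN-SuperAdmins": {"alice"},
    "HZN-HelpDesk": {"bob", "carol"},
    "HZN-HelpDesk-RO": {"carol", "dave"},
    "HZN-Demo": {"erin"},
}
# Hypothetical primary and auxiliary domain bind account names.
BIND_ACCOUNTS: Set[str] = {"svc-hzn-bind", "svc-hzn-bind-aux"}


def roles_for_group(group: str,
                    role_to_groups: Dict[str, Set[str]] = ROLE_TO_GROUPS) -> List[str]:
    """All roles assigned to one group, listed in precedence order."""
    return [r for r in PRECEDENCE if group in role_to_groups.get(r, set())]


def groups_with_multiple_roles(
        role_to_groups: Dict[str, Set[str]] = ROLE_TO_GROUPS) -> Dict[str, List[str]]:
    """Groups that carry more than one role; each is a misconfiguration to fix."""
    groups: Set[str] = set().union(*role_to_groups.values()) if role_to_groups else set()
    result = {g: roles_for_group(g, role_to_groups) for g in sorted(groups)}
    return {g: roles for g, roles in result.items() if len(roles) > 1}


def effective_role(user: str,
                   group_members: Dict[str, Set[str]] = GROUP_MEMBERS,
                   role_to_groups: Dict[str, Set[str]] = ROLE_TO_GROUPS,
                   bind_accounts: Set[str] = BIND_ACCOUNTS) -> Optional[str]:
    """Highest-precedence role the user holds through any group, or None."""
    if user in bind_accounts:
        return PRECEDENCE[0]  # bind accounts are always Super Administrator
    user_groups = {g for g, members in group_members.items() if user in members}
    held = {r for r in PRECEDENCE if role_to_groups.get(r, set()) & user_groups}
    if not held:
        return None  # no Active Directory role through any group
    return min(held, key=RANK.__getitem__)


def users_with_effective_role(role: str,
                              group_members: Dict[str, Set[str]] = GROUP_MEMBERS,
                              role_to_groups: Dict[str, Set[str]] = ROLE_TO_GROUPS,
                              bind_accounts: Set[str] = BIND_ACCOUNTS) -> Set[str]:
    """Every account whose effective role is `role`; review the Super
    Administrator set regularly to keep it minimal."""
    users: Set[str] = set().union(*group_members.values()) if group_members else set()
    users |= bind_accounts
    return {u for u in users
            if effective_role(u, group_members, role_to_groups, bind_accounts) == role}


if __name__ == "__main__":
    for group, roles in groups_with_multiple_roles().items():
        print(f"WARNING: group {group} carries several roles: {roles}")
    for role in PRECEDENCE:
        print(f"{role}: {sorted(users_with_effective_role(role))}")
```

Run stand-alone, the script warns about HZN-SuperAdmins carrying both Super Administrator and Help Desk Read Only Administrator, and reports carol as Help Desk Administrator even though she is also in the read-only group, which is the precedence behaviour described above.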
Also review the roles assigned to the group's members' My VMware accounts to ensure those roles are aligned with the role you are assigning to their Active Directory group. Follow the best-practice pairings described in Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.
- In the console, navigate to .
- Select one of the predefined roles and click Edit.
- Use the search box to search for and select an Active Directory group.
You must type at least three characters into the search box before results appear. The selected group is added to the set of selected groups.
- Click Save.
What to do next
Ensure the users in the domain group have the appropriate roles on their My VMware accounts. See Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment and Give Administrative Roles to Individuals in Your Organization for Logging In To and Performing Actions in Your Horizon Cloud Tenant Environment Using the Horizon Universal Console.