In the process of authenticating to the cloud-based administrative console, the first login screen requires an existing My VMware account that is associated with your Horizon Cloud environment. To grant other users in your company or organization the ability to log in to that first login screen, you associate the individual users' My VMware accounts with your environment. You also associate each My VMware account with an appropriate role. The role that you assign to an individual's account should align with the types of actions that you want to permit that individual to perform in your environment using the console.
Because the role described here governs which actions can be performed in the authenticated session, while the other, Active Directory domain-related role governs which areas of the console are visible in the session, you must ensure that the overall combination of the two roles continues to reflect the outcomes you want for a particular individual, even as the individual moves to different job positions and Active Directory groups within your organization. For details of the two types of roles and the best-practice pairings of the role assignments, see Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.
The role that you assign using the steps here is one of the two types of roles that the console uses to determine both what a person's authenticated session allows that person to view in the console and what actions they can perform on what they can see in the console. The role assigned to the My VMware account determines the following items:
- Whether an individual has the ability to authenticate to the console using the My VMware login screen.
- Whether the person can view all of the console's areas or a subset of the areas, such as the help-desk-related areas.
- The specific actions the person is able to invoke in the console, within the areas they can view.
In addition to the role associated with a My VMware account, when Active Directory domains are registered with your Horizon Cloud tenant, the role that is assigned to a person's Active Directory group grants their user account access that works in tandem with the role associated with their My VMware account. The role assigned to the Active Directory group to which the user account belongs controls which of the console's elements are accessible to that person after they log in using their Active Directory account credentials at the console's second login screen. For a list of those roles, see Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment.
In the console, you associate My VMware accounts with your environment using either the My VMware Accounts area in the General Setup area of the Getting Started wizard or the General Settings page.
Procedure
Results
If all of the added My VMware account IDs exist at vmware.com, they can be used to authenticate in the first Horizon Cloud login screen.
What to do next
If the added users' Active Directory accounts are in Active Directory groups which do not yet have an associated Horizon Cloud role, complete the steps described in Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment. Follow the best-practice pairings described in Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.