In the process of authenticating to the cloud-based administrative console, the first login screen requires an existing My VMware account that is associated with your Horizon Cloud environment. To grant other users in your company or organization the ability to log in to that first login screen, you associate the individual users' My VMware accounts with your environment. You also associate each My VMware account with an appropriate role. The role that you assign to an individual's account should align with the types of actions that you want to permit that individual to perform in your environment using the console.
Because the role described here governs which actions can be performed in the authenticated session, while the other, Active Directory domain-related, role governs which areas of the console are visible in the session, you must ensure that the overall combination of the two roles continues to reflect the outcomes you want for a particular individual, even as the individual moves to different job positions and Active Directory groups within your organization. For details of the two types of roles and the best-practice pairings of the role assignments, see Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.
The role that you assign using the steps here is one of the two types of roles that the console uses to determine both what a person's authenticated session allows that person to view in the console and what actions they can perform on what they can see in the console. The role assigned to the My VMware account determines the following items:
- Whether an individual has the ability to authenticate to the console using the My VMware login screen.
- Whether the person can view all of the console's areas or a subset of the areas, such as the help-desk-related areas.
- The specific actions the person is able to invoke in the console, within the areas they can view.
In addition to the role associated with a My VMware account, when Active Directory domains are registered with your Horizon Cloud tenant, the role that is assigned to a person's Active Directory group grants their user account access that works in tandem with the role associated with their My VMware account. The role assigned to the Active Directory group to which the user account belongs controls which of the console's elements are accessible to that person after they log in using their Active Directory account credentials at the console's second login screen. For a list of those roles, see Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment.
- In the console, use one of these methods to associate My VMware accounts with your environment.
  - From the Getting Started wizard, click .
  - Click and scroll to the My VMware Accounts area.

  The list of My VMware Accounts already associated with your environment is displayed.
- Add a row to the list by clicking the plus icon that is visible by the list's bottom entry.
A new row appears with fields for entering a first name, last name, the My VMware account ID, and selecting a Horizon Cloud role.
- Make a row for each My VMware account you want to associate with your environment and enter the requested information in each row, including selecting a Horizon Cloud role.
The role defaults to Customer Administrator unless you select a different one. If you want to prevent the person from invoking actions in the console that result in anything more than viewing information, assign one of the read-only roles.

| Role on the Person's My VMware Account | Description |
| --- | --- |
| Customer Administrator | All actions in the console can be performed, including onboarding a pod or deleting items. |
| Customer Administrator Readonly | Prevents the invocation of actions that would change the environment, such as onboarding a pod or changing a general setting. |
| Customer Helpdesk | Within the console's help-desk-related areas, all of the help-desk-related actions can be performed. |
| Customer Helpdesk Readonly | Within the console's help-desk-related areas, can only view information. Prevents the invocation of actions that would change things within those console areas. |

- Click Save to save the information to the system.
If all of the added My VMware account IDs exist at vmware.com, they can be used to authenticate in the first Horizon Cloud login screen.
What to do next
If the added users' Active Directory accounts are in Active Directory groups which do not yet have an associated Horizon Cloud role, complete the steps described in Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment. Follow the best-practice pairings described in Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.