In the process of authenticating to the cloud-based administrative console, the first login screen requires an existing VMware Customer Connect account that is associated with your specific tenant. To grant other users in your company or organization the ability to log in to that first login screen, their individual VMware Customer Connect accounts must be associated with this same tenant, and with an appropriate role. The role assigned to an individual's account should align with the types of actions that you want to permit that individual to perform in the tenant using the console.
The role that you assign using the steps here is one of the two types of roles that the console uses to determine what a person's authenticated session allows them to view in the console and what actions they can perform on what they can see. The role assigned to the VMware Customer Connect account determines the following items:
- Whether an individual has the ability to authenticate to the console using the console's login screen.
- Whether the person can view all of the console's areas or a subset of the areas, such as the help-desk-related areas.
- The specific actions the person is able to invoke in the console, within the areas they can view.
In addition to the role associated with a VMware Customer Connect account, when Active Directory domains are registered with your Horizon Cloud tenant, the role that is assigned to a person's Active Directory group grants their user account access that works in tandem with the role associated with their VMware Customer Connect account. The role assigned to the Active Directory group to which the user account belongs controls which of the console's elements are accessible to that person after they log in using their Active Directory account credentials at the console's second login screen. For a list of those roles, see Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment.
You perform these steps using the Horizon Universal Console at https://cloud.horizon.vmware.com. In that console, you associate VMware Customer Connect accounts with your tenant. Where in the console you perform the steps depends on whether your tenant has zero cloud-connected pods or already has at least one pod. When the tenant does not yet have any cloud-connected pods, you must perform these steps using the Getting Started page. Until you have at least one cloud-connected pod, the console prevents access to its pages other than the Getting Started one.
- Whether the feature depends on system code available only in the latest Horizon Cloud pod manifest, Horizon pod version, or Horizon Cloud Connector version.
- Whether access to the feature is in Limited Availability, as stated in the Release Notes at the feature's debut.
- Whether the feature requires specific licensing or SKUs.
When you see mention of a feature in this documentation and you do not see that feature in the console, first check the Release Notes to see if the feature's access is limited and the way you can request enablement in your tenant. Alternatively, when you believe you are entitled to use a feature that is described in this documentation and you do not see it in the console, you can ask your VMware Horizon Cloud Service representative or, if you do not have a representative, you can file a service request (SR) to the Horizon Cloud Service team as described in How to file a Support Request in Customer Connect (VMware KB 2006985).
- Log in to the Horizon Universal Console at https://cloud.horizon.vmware.com.
- In the console, depending on whether you have zero cloud-connected pods or one or more cloud-connected pods, use one of these methods to associate VMware Customer Connect accounts with your environment.
Tip: The name My VMware was the former name of VMware Customer Connect. Both names are used interchangeably in the console.
The list of VMware Customer Connect accounts already associated with your environment is displayed.
- Zero cloud-connected pods
- Until your tenant has at least one pod in your pod fleet, the console prevents access to its pages other than Getting Started. On that page, click .
- One or more pods
- When your tenant has at least one cloud-connected pod, you have access to the console's General Settings page in addition to the Getting Started page. You can either use the Getting Started page's My VMware Accounts area or click and scroll to the My VMware Accounts area.
- Add a row to the list by clicking the plus icon that is visible by the list's bottom entry.
A new row appears with fields for entering a first name, last name, the VMware Customer Connect account ID, and selecting a tenant role.
- Make a row for each account you want to associate with your environment and enter the requested information in each row, including selecting a tenant role.
The role defaults to Customer Administrator unless you select a different one. If you want to prevent the person from invoking actions in the console that result in anything more than viewing information, assign one of the read-only roles.
| Role on the Person's Account | Description |
| --- | --- |
| Customer Administrator | All actions in the console can be performed, including onboarding a pod or deleting items. |
| Customer Assignment Administrator | Actions related to the modification of end-user assignments and farms can be performed. Operations related to the management of assignments and farms can also be performed, such as VM configuration, power management, and configuration of remote applications. |
| Customer Administrator Readonly | Prevents the invocation of actions that would change the environment, such as onboarding a pod or changing a general setting. |
| Customer Helpdesk | Within the console's help-desk-related areas, all of the help-desk-related actions can be performed. |
| Customer Helpdesk Readonly | Within the console's help-desk-related areas, can only view information. Prevents the invocation of actions that would change things within those console areas. |
- Click Save to save the information to the system.
If all of the added VMware Customer Connect account IDs exist at vmware.com, they can be used to authenticate in the first Horizon Cloud login screen.
What to do next
If the added users' Active Directory accounts are in Active Directory groups which do not yet have an associated Horizon Cloud role, complete the steps described in Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment. Follow the best-practice pairings described in Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.