Give Administrative Roles to Individuals in Your Organization for Logging In To and Performing Actions in Your Horizon Cloud Tenant Environment Using the Horizon Universal Console

In the process of authenticating to the cloud-based administrative console, the first login screen requires an existing VMware Customer Connect account that is associated with your specific tenant. To grant other users in your company or organization the ability to log in to that first login screen, their individual VMware Customer Connect accounts must get associated with this same tenant, and with an appropriate role. The role assigned to an individual's account should align with the types of actions that you want to permit that individual to perform in the tenant using the console.

Note: Another way that a person can be added as an administrator to the tenant is to file a non-technical support request in Customer Connect Support using the steps in KB article 2006985. To be added this way, the domain in the person's account must match the domain in the initial purchase or trial order that created the tenant.

The role that you assign using the steps here is one of the two types of roles that the console uses to determine both what a person's authenticated session allows that person to view in the console and what actions they can perform on what they can see in the console. The role assigned to the VMware Customer Connect account determines the following items:

Whether an individual has the ability to authenticate to the console using the console's login screen.
Whether the person can view all of the console's areas or a subset of the areas, such as the the help-desk-related areas.
The specific actions the person is able to invoke in the console, within the areas they can view.

Important: Because this role described here governs what the actions can be performed in the authenticated session while the other, Active Directory domain-related, role governs which areas of the console are visible in the session, you must ensure that the overall combination of the two roles continues to reflect the outcomes you want for a particular individual, even as the individual moves to different job positions and Active Directory groups within your organization. For details of the two types of roles and the best-practice pairings of the role assignments, see Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.

In addition to the role associated with a VMware Customer Connect account, when Active Directory domains are registered with your Horizon Cloud tenant, the role that is assigned to a person's Active Directory group grants their user account with access that works in tandem with the role associated with their VMware Customer Connect account. The role assigned to the Active Directory group to which the user account belongs controls which of the console's elements are accessible to that person after they log in using their Active Directory account credentials at the console's second login screen. For a list of those roles, see Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment.

Important: Even though you can perform these steps before the VMware Customer Connect accounts are created at vmware.com, the accounts must be created at vmware.com before they can be used to log in to the console. VMware Customer Connect accounts are created using the registration process at https://customerconnect.vmware.com/account-registration.

You perform these steps using the Horizon Universal Console at https://cloud.horizon.vmware.com. In that console, you associate VMware Customer Connect accounts with your tenant. The location you use the console depends on whether your tenant has zero cloud-connected pods or already has at least one pod. When the tenant has zero cloud-connected pods yet, you must perform these steps using the Getting Started page. Until you have at least one cloud-connected pod, the console prevents access to its pages other than the Getting Started one.

Attention: As described in Tour of the Cloud-Based Horizon Universal Console, the console is dynamic and reflects features that are appropriate for the up-to-the-minute configuration of your tenant environment. Access to features described in this documentation can depend on factors including, and not limited to:

Whether the feature depends on system code available only in the latest Horizon Cloud pod manifest, Horizon pod version, or Horizon Cloud Connector version.
Whether access to the feature is in Limited Availability, as stated in the Release Notes at the feature's debut.
Whether the feature requires specific licensing or SKUs.

When you see mention of a feature in this documentation and you do not see that feature in the console, first check the Release Notes to see if the feature's access is limited and the way you can request enablement in your tenant. Alternatively, when you believe you are entitled to use a feature that is described in this documentation and you do not see it in the console, you can ask your VMware Horizon Cloud Service representative or, if you do not have a representative, you can file a service request (SR) to the Horizon Cloud Service team as described in How to file a Support Request in Customer Connect (VMware KB 2006985).

Procedure

Log in to the Horizon Universal Console at https://cloud.horizon.vmware.com.
In the console, depending on whether you have zero cloud-connected pods or one or more cloud-connected pods, use one of these methods to associate VMware Customer Connect accounts with your environment.

Tip: The name My VMware was the former name of VMware Customer Connect. Both names are used interchangeably in the console.

Zero cloud-connected pods

Until your tenant has at least one pod in your pod fleet, the console prevents access to its pages other than Getting Started. On that page, click General Setup > My VMware Accounts > Add.

One or more pods

When your tenant has at least one cloud-connected pod, you have access to the console's General Settings page in addition to the Getting Started page. You can either use the Getting Started page's My VMware Accounts area or click Settings > General Settings > Edit and scroll to the My VMware Accounts area.

The list of VMware Customer Connect accounts already associated with your environment is displayed.
Add a row to the list by clicking the plus icon () that is visible by the list's bottom entry.
A new row appears with fields for entering a first name, last name, the VMware Customer Connect account ID, and selecting a tenant role.

Make a row for each account you want to associate with your environment and enter the requested information in each row, including selecting a tenant role.

The role defaults to Customer Administrator unless you select a different one. If you want to prevent the person from invoking actions in the console that result in anything more than viewing information, assign one of the read-only roles.


Role on the Person's Account	Description
Customer Administrator	All actions in the console can be performed, including onboarding a pod or deleting items.
Customer Assignment Administrator	Actions related to the modification of end-user assignments and farms can be performed. Operations related to the management of assignments and farms can also be performed, such as VM configuration, power management, and configuration of remote applications.
Customer Administrator Readonly	Prevents the invocation of actions that would change the environment, such as onboarding a pod or changing a general setting.
Customer Helpdesk	Within the console's help-desk-related areas, all of the help-desk-related actions can be performed.
Customer Helpdesk Readonly	Within the console's help-desk-related areas of the console, can only view information. Prevents the invocation of actions that would change things within those console areas.

Click Save to save the information to the system.

Results

If all of the added VMware Customer Connect account IDs exist at vmware.com, they can be used to authenticate in the first Horizon Cloud login screen.

Important: The steps you just completed do not create the actual VMware Customer Connect accounts. Such accounts are created using the registration process at https://customerconnect.vmware.com/account-registration.

What to do next

If the added users' Active Directory accounts are in Active Directory groups which do not yet have an associated Horizon Cloud role, complete the steps described in Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment. Follow the best-practice pairings described in Best Practices about the Two Types of Roles You Give to People to Use the Horizon Universal Console to Work in Your Horizon Cloud Environment.