This documentation topic describes the best practices for the two types of roles you must give to people when you want them to log in to the Horizon Universal Console and work in your Horizon Cloud environment. One type of role is used to enable or deactivate different parts of the Horizon Universal Console user interface itself. The other type of role is used to determine what actions can be invoked by people who have that assigned role. You must ensure the final combination of the two roles that you give to a specific individual reflects the outcome you want for that particular individual.

Important: Because one type of role governs what the user can see in the console and the other type of role governs the invocation of actions, you must ensure that the overall combination of the two roles that a specific individual has reflects the outcomes you want for that particular individual. The best-practice combinations are described in the following sections. If you do not follow those best practices, contradictions might occur. For example, if the assigned roles do not match according to the guidance described here, an individual might log in to the console and not be able to perform the actions that you want them to perform — or the individual might log in and be able to perform actions that you do not want them to do. Therefore, it is important that you ensure that you align the individual's role in the General Settings page's My VMware Accounts area with the role assigned to that individual's Active Directory group in the Roles & Permissions page.

The following sections describe the two types of roles and the best-practice combinations to use based on the standard scenarios in typical organizations.

Attention: As described in Tour of the Cloud-Based Horizon Universal Console, the console is dynamic and reflects features that are appropriate for the up-to-the-minute configuration of your tenant environment. Access to features described in this documentation can depend on factors including, and not limited to:
  • Whether the feature depends on system code available only in the latest Horizon Cloud pod manifest, Horizon pod version, or Horizon Cloud Connector version.
  • Whether access to the feature is in Limited Availability, as stated in the Release Notes at the feature's debut.
  • Whether the feature requires specific licensing or SKUs.

When you see mention of a feature in this documentation and you do not see that feature in the console, first check the Release Notes to see if the feature's access is limited and the way you can request enablement in your tenant. Alternatively, when you believe you are entitled to use a feature that is described in this documentation and you do not see it in the console, you can ask your VMware Horizon Cloud Service representative or, if you do not have a representative, you can file a service request (SR) to the Horizon Cloud Service team as described in How to file a Support Request in Customer Connect (VMware KB 2006985).

Roles that Enable or Deactivate Different Parts of the Console's User Interface for People in the Active Directory Group that Has that Assigned Role

These roles are predefined in the system, and relate to your Active Directory groups. When an individual authenticates to your Horizon Cloud environment, the console detects in which Active Directory (AD) group that individual's account is located. The console also identifies which of these roles is assigned to that AD group on the console's Roles & Permissions page. Then, as the person navigates through the console's user-interface pages, tabs, and windows, those items display as enabled or deactivated according to the person's AD group's assigned role.

Important: Because these roles can be assigned only to groups and not to individual AD user accounts, you must also avoid assigning two of these roles to the same AD domain group. If you assign two of these roles to the same AD group, then when an individual from that group logs in, the console identifies that both roles apply to that person's group, and as they navigate through the user-interface pages they might see items deactivated because one of the two roles prevents access to those items.

You apply each of these roles at the level of an AD group. Because they are applied at the group rather than the individual level, all individuals in the same AD group receive the role that you assign to that Active Directory group using the console's Roles & Permissions page. You control which individuals are in your AD groups in your AD environment. Therefore, when you move individuals from one AD group to another in your AD environment, you must ensure that the new group has a role that continues to align with their other assigned role, the one assigned to their My VMware account. If it does not, verify whether the role assigned to that individual's My VMware account needs to be adjusted to stay aligned with the role assigned to the individual's new AD group.

An example of one of these roles is the Help Desk Read Only Administrator role. When an AD group is assigned that role on the Roles & Permissions page, the console enables individuals in that group to navigate to the user cards for end users and view the information, but not perform operations on the desktops.

Roles that Determine Which Actions Can Be Invoked by People Who Have that Role Assigned to Their My VMware Account

Like the other role type, these roles are predefined in the system. These roles relate to the My VMware accounts that are configured in the General Settings page's My VMware Accounts area. When an individual authenticates to your Horizon Cloud environment, the console detects which role is assigned to the My VMware account that was used to authenticate the logged-in session. Then, when the person tries to invoke an action in the console, the system either allows the API call to go through or prevents the API call, depending on this role that is assigned to the logged-in person's My VMware account in the General Settings page.

As a result, after the initial authentication to the console, this assigned role often works in tandem with the other type of assigned role:

  1. The person navigates through the console's user-interface pages, tabs, and windows, and sees user-interface elements displayed as enabled or deactivated according to the person's AD group's assigned role.
  2. When that person clicks a button that would invoke an API call to perform an action, if the role assigned to their My VMware account does not allow that action to be performed, the API call will not go through and the action will not complete.

Important: In the console, this role works in tandem with the role assigned to a person's AD group: the group role determines which console elements are active, and the account role determines which actions are allowed to complete when an element is clicked. You must therefore ensure that the overall combination of the two roles that a specific individual has reflects the outcomes you want for that particular individual. Otherwise, contradictory results can occur. When you move an individual from one AD group to another, confirm that the role on their My VMware account is aligned with the role on their new AD group and adjust it as needed. The standard best-practice combinations are described in the following sections.

The Five Standard Best-Practice Role Combinations

Because contradictory behavior can occur when a person's two roles are not aligned according to the table below, it is recommended that you align the roles granted to your organization's individuals according to the following table. The system does not prevent you from assigning a role to an AD group that is more permissive than the role assigned to the My VMware accounts of individuals in that group. If an individual belongs to multiple AD groups, ensure that the roles assigned to those groups on the Roles & Permissions page are also aligned with each other and with the role on the individual's My VMware account.

Role on the Person's My VMware Account (General Settings page) | Role on the Person's Active Directory Group (Roles and Permissions page) | Description
Customer Administrator | Super Administrator | Full access to view all areas of the console and perform all actions in the console.
Customer Assignment Administrator | Assignment Administrator | Ability to view all areas of the console and perform actions related to the modification and management of end-user assignments and farms.
Customer Administrator Readonly | Demo Administrator | Ability to view all areas of the console, view settings, and select options to see additional choices, but without the ability to invoke actions that change the environment, such as deleting items. An example of using this combination is to allow people in your organization to log in and demonstrate the capabilities of the system to others while avoiding changes being made to the system.
Customer Helpdesk | Help Desk Administrator | Access to view the help-desk-related areas of the console and perform all help-desk-related actions that the console provides. The purpose of this combination is for people to work with the user card features to see the status of end-user sessions and perform troubleshooting operations on the sessions.
Customer Helpdesk Readonly | Help Desk Read Only Administrator | Access to view the help-desk-related areas of the console and see the status of end-user sessions in the user card, while preventing the ability to invoke the help-desk-related actions.
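The following audit helper is an added example, not part of this documentation or of the Horizon Cloud product. It encodes the five best-practice pairs from the table above and, given a constructed export of My VMware account roles, Roles & Permissions group assignments, and AD group memberships (all assumed data structures), reports every individual whose two role types, or whose multiple AD groups, are misaligned.

```python
# Constructed audit helper, not part of VMware's product or this documentation.
# It encodes the five best-practice pairs from the table above and reports
# individuals whose two role types, or whose multiple AD groups, are misaligned.

# My VMware account role (General Settings) -> AD group role (Roles & Permissions)
BEST_PRACTICE_PAIRS = {
    "Customer Administrator": "Super Administrator",
    "Customer Assignment Administrator": "Assignment Administrator",
    "Customer Administrator Readonly": "Demo Administrator",
    "Customer Helpdesk": "Help Desk Administrator",
    "Customer Helpdesk Readonly": "Help Desk Read Only Administrator",
}


def audit_role_alignment(account_roles, group_roles, memberships):
    """Return {user: [findings]}; args are {user: account role},
    {ad_group: [roles on Roles & Permissions]} and {user: [ad_groups]}."""
    findings = {}
    for user, groups in memberships.items():
        issues = []
        account_role = account_roles.get(user)
        if account_role not in BEST_PRACTICE_PAIRS:
            issues.append(f"no recognised My VMware account role: {account_role!r}")
        inherited = []  # console-UI roles reaching the user through group membership
        for group in groups:
            roles = group_roles.get(group, [])
            if len(roles) > 1:  # the guidance says to avoid two roles on one group
                issues.append(f"AD group {group!r} has more than one role: {roles}")
            inherited.extend(roles)
        if not inherited:
            issues.append("no AD group of this user has a role on Roles & Permissions")
        elif len(set(inherited)) > 1:
            issues.append(f"conflicting AD group roles: {sorted(set(inherited))}")
        expected = BEST_PRACTICE_PAIRS.get(account_role)
        if expected and inherited and set(inherited) != {expected}:
            issues.append(f"{account_role!r} should pair with {expected!r}, "
                          f"found {sorted(set(inherited))}")
        if issues:
            findings[user] = issues
    return findings


# Constructed sample data: one aligned user and two misaligned ones.
SAMPLE_ACCOUNT_ROLES = {"alice": "Customer Administrator",
                        "bob": "Customer Helpdesk Readonly",
                        "carol": "Customer Administrator Readonly"}
SAMPLE_GROUP_ROLES = {"HC-Admins": ["Super Administrator"],
                      "HC-Helpdesk": ["Help Desk Administrator"],
                      "HC-Demo": ["Demo Administrator", "Help Desk Read Only Administrator"]}
SAMPLE_MEMBERSHIPS = {"alice": ["HC-Admins"], "bob": ["HC-Helpdesk"], "carol": ["HC-Demo"]}
```

Run `audit_role_alignment(SAMPLE_ACCOUNT_ROLES, SAMPLE_GROUP_ROLES, SAMPLE_MEMBERSHIPS)` to see that bob's read-only account role is paired with a group that enables help-desk actions, and that carol's group carries two roles.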

When You Want to Restrict a Person to Have Read-Only, Viewing Access to the Console for All of the Console's Areas

If you want an individual to be able to browse all of the console's user-interface pages and open dialogs and view reports, and also restrict them from invoking actions that change things in your tenant environment, you must ensure that both of the following conditions are met:

  • In the General Settings page's My VMware Accounts area, assign the Customer Administrator Read-Only role to their My VMware account. If that individual's account lists a different role there, you can remove their row from the My VMware Accounts section and add it back, this time specifying the Customer Administrator Read-Only role.
  • In the Roles & Permissions page, assign the Demo Administrator role to that individual's Active Directory group.

When both of those conditions are met, the individual will be able to log in to the console, navigate to all of the console's pages, browse the pages, open dialogs and view reports, and also be restricted from invoking actions that change things in the environment.

Note: Because the Roles & Permissions page works at the AD group level, and not at an individual account level, you must ensure the AD group has the appropriate individual accounts in it, according to your organizational requirements.

When You Want to Restrict a Person to Have Access to the Help Desk Features of the Console and Also Have the Ability to Perform Actions in the User Card

If you want an individual to be able to log in to the console and be restricted to accessing only the help-desk-related features, and not all of the areas of the console, while also allowing them to perform the help-desk-related actions, you must ensure that both of the following conditions are met:

  • In the General Settings page's My VMware Accounts area, assign the Customer Helpdesk role to their My VMware account. If that individual's account lists a different role there, you can remove their row from the My VMware Accounts section and add it back, this time specifying the Customer Helpdesk role.
  • In the Roles & Permissions page, assign the Help Desk Administrator role to that individual's Active Directory group.

When both of those conditions are met, the individual will be able to log in to the console, see help-desk-related features, and perform the help-desk-related actions.

Note: Because the Roles & Permissions page works at the AD group level, and not at an individual account level, you must ensure the AD group has the appropriate individual accounts in it, according to your organizational requirements.

When You Want to Restrict a Person to Have Read-Only Access for the Help Desk Features of the Console

If you want an individual to be able to log in to the console and be restricted to accessing only the help-desk-related features on a read-only basis, and to be restricted from performing any help-desk-related actions, you must ensure that both of the following conditions are met:

  • In the General Settings page's My VMware Accounts area, assign the Customer Helpdesk Read-Only role to their My VMware account. If that individual's account lists a different role there, you can remove their row from the My VMware Accounts section and add it back, this time specifying the Customer Helpdesk Read-Only role.
  • In the Roles & Permissions page, assign the Help Desk Read Only Administrator role to that individual's Active Directory group.

When both of those conditions are met, the individual will be able to log in to the console and use the help-desk-related features on a read-only basis.

Note: Because the Roles & Permissions page works at the AD group level, and not at an individual account level, you must ensure the AD group has the appropriate individual accounts in it, according to your organizational requirements.

When You Want to Restrict a Person to Have Access to the Assignment and Farm-related Features of the Console

If you want an individual to have access to the console to perform operations related to the management of end-user assignments and farms, and read-only access to all other areas of the console, ensure that both of the following conditions are met:

  • In the General Settings page's My VMware Accounts area, assign the Customer Assignment Administrator role to their My VMware account. If that individual's account lists a different role there, you can remove their row from the My VMware Accounts section and add it back, this time specifying the Customer Assignment Administrator role.
  • In the Roles & Permissions page, assign the Assignment Administrator role to that individual's Active Directory group.

When both of those conditions are met, the individual will be able to log in to the console, navigate to and view all of the console's pages, and invoke actions that create, modify, or delete end-user assignments and farms. The individual will also be able to perform operations related to the management of assignments and farms, such as VM configuration, power management, and configuration of remote applications.

Note: Because the Roles & Permissions page works at the AD group level, and not at an individual account level, you must ensure the AD group has the appropriate individual accounts in it, according to your organizational requirements.

When You Want a Person to Have Full Access to the Console, for All of the Console's Areas and Actions

If you want an individual to have full access to the console to view all of its areas and invoke actions that change things in your tenant environment, ensure that both of the following conditions are met:

  • In the General Settings page's My VMware Accounts area, assign the Customer Administrator role to their My VMware account. If that individual's account lists a different role there, you can remove their row from the My VMware Accounts section and add it back, this time specifying the Customer Administrator role.
  • In the Roles & Permissions page, assign the Super Administrator role to that individual's Active Directory group.

When both of those conditions are met, the individual will be able to log in to the console, navigate to all of the console's pages and invoke actions that change things in the environment.

Note: Because the Roles & Permissions page works at the AD group level, and not at an individual account level, you must ensure the AD group has the appropriate individual accounts in it, according to your organizational requirements.