One key management task in a VMware Horizon environment is to determine who can use Horizon Console and what tasks those users are authorized to perform. With role-based delegated administration, you can selectively assign administrative rights by assigning administrator roles to specific Active Directory users and groups.
Understanding Roles and Privileges The ability to perform tasks in Horizon Console is governed by an access control system that consists of administrator roles and privileges. This system is similar to the vCenter Server access control system.
Using Access Groups to Delegate Administration of Pools and Farms in Horizon Console By default, automated desktop pools, manual desktop pools, and farms are created in the root access group, which appears as / or Root(/) in Horizon Console . Published desktop pools and application pools inherit their farm's access group. You can create access groups under the root access group to delegate the administration of specific pools or farms to different administrators.
Understanding Permissions and Access Groups Horizon Console presents the combination of a role, an administrator user or group, and an access group as a permission. The role defines the actions that can be performed, the user or group indicates who can perform the action, and the access group contains the objects that are the target of the action.
Manage Administrators Users who have the Manage Roles and Permissions privilege can use Horizon Console to add and remove administrator users and groups.
Manage and Review Permissions You can use Horizon Console to add, delete, and review permissions for specific administrator users and groups, roles, and access groups.
Manage and Review Access Groups You can use Horizon Console to add and delete access groups and to review the desktop pools and machines in a particular access group.
Manage Custom Roles You can use Horizon Console to add, modify, and delete custom roles.
Predefined Roles and Privileges Horizon Console includes predefined roles that you can assign to your administrator users and groups. You can also create your own administrator roles by combining selected privileges.
Minimum vCenter Server Privileges for Managing Full Clones and Instant Clones An administrator must have certain vCenter Server privileges to manage full clones and instant clones.
Required Privileges for Common Tasks Many common administration tasks require a coordinated set of privileges. Some operations require permission at the root access group, or at the federation root access group in a Cloud Pod Architecture environment, in addition to access to the object that is being manipulated.
Best Practices for Administrator Users and Groups To increase the security and manageability of your VMware Horizon environment, you should follow best practices when managing administrator users and groups.