To use delegated administration, you must create a user group that has permission to register and update vCenter Server extensions.

If you have been using vRealize Orchestrator, and have already created users and groups that have permission to register and update vCenter Server extensions, you might not have to perform all the steps described in this topic. For example, if you already have such a group, but the user that manages desktop and application pools is not in the group, you can add that user to the group.

Prerequisites

Verify that you have credentials for logging in to vSphere Web Client as a user that has vCenter Single Sign-On administrator privileges.

Procedure

  1. Log in to vSphere Web Client as [email protected], or as another user that has vCenter Single Sign-On administrator privileges.
  2. Create a Delegated Administrators group.
    1. Browse to Administration > Single Sign-On > Users and Groups.
    2. Select the Groups tab and click the New Group icon.
    3. Supply a name, such as Delegated Admins, and click OK.
      The new group appears in the list.
  3. Select the group that you created and use the Group Members section of the tab to add a delegated administrator user to this group.
    This user must be a member of the domain that includes the Connection Server instance.
  4. Create a role that has permission to read vCenter Server extensions.
    1. Browse to Administration > Roles.
    2. On the Roles tab, click the Create role action icon.
    3. Supply a name for the role and select the Extensions check box.
      If you expand the Extensions item, the Register extension, Unregister extension, and Update extension check boxes are also selected.
    4. Click OK.
      The new role appears in the list.
  5. Add the new role to the group that you created.
    1. Go to the vCenter Home page and browse to vCenter > Inventory Lists > vCenters.
    2. Select the appropriate vCenter Server instance in the left pane, and click the Manage tab.
    3. On the Manage tab, click Permissions and click the Add permission icon.
    4. In the Users and Groups pane, click Add and add the group you just created.
      To find the group, select the correct domain.
      The group appears in the list of users and groups in the Add Permission dialog box.
    5. In the Assigned Role pane, click the drop-down arrow and select the role you just created.
      In the list of permissions for this role, a check mark appears next to Extensions.
    6. Click OK.
      The group appears on the Permissions tab with the role that you assigned.
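
Steps 4 and 5 can also be scripted and checked with VMware PowerCLI. The script below is an added example, not part of the original VMware procedure. The server name, role name, and group domain are placeholder assumptions. It creates the role with only the three Extensions privileges, fails if the role holds anything beyond them, and then assigns the role to the group on the vCenter Server root.

```powershell
# Added example (not VMware's own code). Requires the VMware PowerCLI module.
# The three values below are assumptions; replace them with your own.
$vcServer  = 'vcenter.example.com'              # hypothetical vCenter Server FQDN
$roleName  = 'Extension Managers'               # hypothetical role name
$principal = 'VSPHERE.LOCAL\Delegated Admins'   # group from step 2; domain is assumed

# Privilege IDs behind the Extensions check box selected in step 4.
$wanted = 'Extension.Register', 'Extension.Unregister', 'Extension.Update'

Connect-VIServer -Server $vcServer | Out-Null   # prompts for SSO administrator credentials

# Step 4: create the role if it does not exist yet.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $wanted)
}

# Least-privilege check: apart from the System.* privileges that vCenter adds
# to every role, the role should hold exactly the three Extension privileges.
$actual  = @($role.PrivilegeList | Where-Object { $_ -notlike 'System.*' })
$missing = @($wanted | Where-Object { $_ -notin $actual })
$extra   = @($actual | Where-Object { $_ -notin $wanted })
if ($missing.Count -or $extra.Count) {
    throw "Role '$roleName' drifted. Missing: $($missing -join ', '). Extra: $($extra -join ', ')."
}

# Step 5: assign the role to the group on the vCenter Server root object.
$root = Get-Folder -NoRecursion
$perm = Get-VIPermission -Entity $root -Principal $principal -ErrorAction SilentlyContinue
if (-not $perm) {
    # Propagation is an assumption here; the page does not state a setting.
    $perm = New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate:$true
}

# Show what the group holds so the assignment can be reviewed.
$perm | Format-Table Principal, Role, IsGroup, Propagate

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

Running the script again later repeats the privilege check, which reports any privileges added to the role after it was created.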

What to do next

Provide the Delegated Administrators group access to the vRealize Orchestrator Plug-in for Horizon workflows. See Provide Access Rights to the vRealize Orchestrator Plug-in for Horizon Workflows.