Only Enterprise Superusers can create new Admin users. The SSH username is automatically created for the user. To add a new user, perform the following steps:
Note: These steps are valid for all customers, though customers created in a 5.2.0 Orchestrator where they are not assigned to a Partner, have certain limitations. These limitations are outlined in an important note at the end of the article.
Procedure
- In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
- Select Global Settings service.
- From the left menu, click User Management. The Users tab is displayed by default.
- Click New User.
- Enter the following details for the new user:
Note: The Next button is activated only when you enter all the mandatory details in each section.
Option Description General information Authentication Select an authentication mode: - Local: This is the Native authentication mode, which is the default option.
- Remote: This is the Non-Native authentication mode, which is a Single Sign On (SSO) authentication service that allows you to login to SASE Orchestrator using one set of login credentials to access multiple applications.
Username Enter a username in the format of an email address. Contact Email The email address is auto-populated. You can edit it if required. Password Enter a unique password. Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.Confirm Password Re-enter the password. First Name Enter the first name of the user. This field is optional. Last Name Enter the last name of the user. This field is optional. Phone Enter the phone number of the user. This field is optional. Mobile Phone Enter the mobile number of the user. This field is optional. Role Select a role that you want to assign to the user. For information on roles, see Roles. Edge Access Choose one of the following options: - Basic: Allows you to perform certain basic debug operations such as ping, tcpdump, PCAP, remote diagnostics, and so on.
- Privileged: Grants you the root-level access to perform all basic debug operations along with Edge actions such as restart, deactivate, reboot, hard reset, and shutdown. In addition, you can access Linux shell.
Note: To configure this option, you must have a role that allows access to the SD-WAN service. - Select the Add another user check box if you wish to create another user, and then click Add User.
The new user appears in the User Management > Users page. Click the link to the user to view or modify the details. As an Enterprise Administrator, you can manage the Roles, Service Permissions, and API Tokens for the Enterprise users.Note: Enterprise Administrator should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token. For more information, see API Tokens.Important: Customers created on a Release 5.2.0 Orchestrator who are not assigned to a Partner are automatically configured for Single Sign On (SSO) using VMware Cloud Services Platform (CSP) as the Identity Provider (IdP). As a result:
- New administrators are created by an administrator with a Superuser role through the CSP portal.
- The customer is permitted one administrator account with Local authentication (username/password) to allow them to access their portal in the event there is an issue with CSP authentication.
For more information about using CSP as an IdP in VMware SD-WAN, see: Configure VMware CSP for Single Sign On.
For more information about adding new users on the Cloud Services Platform, see: Using VMware Cloud Services Console - Identity and Access Management.