Adding existing SAML or LDAP users to a TAS for VMs deployment

There are two ways to add existing SAML or LDAP users to a VMware Tanzu Application Service for VMs (TAS for VMs) deployment enabled with SAML or LDAP:

Option 1: Import Users in Bulk
Option 2: Add Users Manually

Prerequisites

To perform the procedures in this topic, you must have:

Admin access to the Tanzu Operations Manager Installation Dashboard for your TAS for VMs deployment
The Cloud Foundry Command Line Interface (cf CLI) v6.23.0 or later

Option 1: Import users in bulk

You can import SAML or LDAP users in bulk by using the CF-MGMT Tool. For instructions about installing and using the tool, see the CF-MGMT README.

Option 2: Add users manually

The following sections describe how to add existing SAML or LDAP users to your TAS for VMs deployment manually.

Step 1: Create user

To add a SAML or LDAP user:

Target the API endpoint for your TAS for VMs deployment by running:
```
cf target https://api.SYSTEM-DOMAIN
```
Where SYSTEM-DOMAIN is your system domain.
Run:
```
cf login
```
Provide credentials for an account with the Admin user role. For more information about the Admin user role, see Roles and Permissions in Orgs, Spaces, Roles, and Permissions.
Create the user in UAA by running:
```
cf create-user USERNAME --origin PROVIDER-NAME
```
Where:
- USERNAME is the username of the SAML or LDAP user you want to add.
- PROVIDER-NAME is ldap for an LDAP user, or the name of the SAML provider you entered when you configured Tanzu Operations Manager for a SAML user.

Step 2: Associate user with org or space role

After creating the SAML or LDAP user, you must associate the user with either an Org or Space role.

For more information about roles, see Roles and Permissions in Orgs, Spaces, Roles, and Permissions.

Associate user with org role

To associate the SAML or LDAP user with an Org role:

Run:
```
cf set-org-role USERNAME ORG ROLE
```
Where:
- USERNAME is the name of the SAML or LDAP user.
- ORG is the name of your org.
- For ROLE, enter one of the following:
  - OrgManager: Org Managers can invite and manage users, select and change plans, and set spending limits.
  - BillingManager: Billing Managers can create and manage the billing account and payment information.
  - OrgAuditor: Org Auditors have read-only access to Org information and reports.
For example:
```
cf set-org-role [email protected] example-org OrgManager
```

Associate user with space role

To associate the SAML or LDAP user with a space role:

Run:
```
cf set-space-role USERNAME ORG SPACE ROLE
```
Where:
- USERNAME is the name of the SAML or LDAP user.
- ORG is the name of your org.
- SPACE is the name of a space in your org.
- For ROLE, enter one of the following:
  - SpaceManager: Space Managers can invite and manage users, and enable features for a given Space.
  - SpaceDeveloper: Space Developers can create and manage apps and services, and see logs and reports.
  - SpaceAuditor: Space Auditors can view logs, reports, and settings on this Space.
For example:
```
cf set-space-role [email protected] example-org example-space SpaceDeveloper
```