Manage the users in your organization with user groups.

For a manageable security posture, VMware Tanzu Mission Control allows you to combine the members of your organization into logical user groups and secure those groups with access policies. This section addresses user groups; see Access Control for more information about implementing access policies that include those user groups.

Tanzu Mission Control is a service provided through VMware Cloud Services, so its top-level group of users is the organization, which is a construct of the VMware Cloud Services platform. Access to services is provided through the organization, and individuals are included as members of the organization.

Managing Users and Groups

You use VMware Cloud Services tools to invite users to your organization and organize them into user groups. By combining your users into groups, you can simplify access control by creating access policies that bind roles to groups rather than individuals. For more information about creating user groups in VMware Cloud Services, see Working with Groups in the Using VMware Cloud documentation.

You can also set up federation with your corporate domain, which allows you to use your organization's single sign-on and identity source. For more information about federating identity management, see Setting Up Federated Identity Management in the Using VMware Cloud documentation.

Best Practice for Creating Groups

The VMware Cloud Services tools for user and group management allow you to create user groups in two ways:
  • Add users and then combine them into groups.
  • Create groups and then add users to them.

As a best practice, add users through the group to which they initially belong. Use the Groups tab under Identity and Access Management in the VMware Cloud Services console, rather than the Active Users tab. In this way, the new user is added to a group to which you have already assigned roles through an access policy. If you use the Active Users tab, the new user is added to the organization and service, but because they are not yet added to a group, they will likely have only minimal access to the service until you take the additional step of adding them to a group.

About Roles in VMware Cloud Services

For services in the VMware Cloud Services platform, the organization provides two roles, owner and member. While these roles provide a base set of permissions for each individual, they do not have an impact on the groups to which an individual can belong, or the service-level roles to which an individual or group can be bound.

For more context around these roles, see Access Control.