A right is the fundamental unit of access control in VMware Cloud Director. A role associates a role name with a set of rights. Each organization can have different rights and roles.
Roles
VMware Cloud Director uses roles and their associated rights to determine whether a user or group is authorized to perform an operation. Most of the procedures documented in the VMware Cloud Director guides include a prerequisite role. These prerequisites assume that the named role is the unmodified predefined role or a role that includes an equivalent set of rights.
System administrators can use rights bundles and global tenant roles to manage the rights and roles that are available to each organization.
Predefined Provider Roles:
System Administrator: The System Administrator role exists only in the provider organization. This role includes all rights in the system. A System Administrator can create additional system administrator and user accounts in the provider organization.
Multisite System: Used for running the heartbeat process for multisite deployments. This role has only a single right, Multisite: System Operations, which gives the permission to make a VMware Cloud Director OpenAPI request that retrieves the status of the remote member of a site association.
Predefined Global Tenant Roles:
Organization Administrator: After creating an organization, a System Administrator can assign the role of Organization Administrator to any user in the organization. A user with the predefined Organization Administrator role can manage users and groups in their organization and assign them roles, including the predefined Organization Administrator role. Roles created or modified by an Organization Administrator are not visible to other organizations.
Catalog Author: The predefined Catalog Author role allows a user to create and publish catalogs.
vApp Author: The predefined vApp Author role allows a user to use catalogs and create vApps.
vApp User: The predefined vApp User role allows a user to use existing vApps.
Console Access Only: The predefined Console Access Only role allows a user to view VM state and properties and to use the guest OS.
Defer to Identity Provider: The rights associated with the predefined Defer to Identity Provider role are determined based on the information received from the user's OAuth or SAML Identity Provider. When a user or group is assigned the Defer to Identity Provider role, the user or group name provided by the Identity Provider must exactly match the role or group name defined in your organization. Otherwise, the user or group is not qualified for inclusion.
If an OAuth Identity Provider defines a user, the user is assigned the roles named in the roles array of the user's OAuth token.
If a SAML Identity Provider defines a user, the user is assigned the roles named in the SAML attribute. The SAML attribute name appears in the RoleAttributeName element, which is in the SamlAttributeMapping element in the organization's OrgFederationSettings.
If a user is assigned the Defer to Identity Provider role but no matching role or group name is available in your organization, the user can log in to the organization but has no rights. If an Identity Provider associates a user with a system-level role such as System Administrator, the user can log in to the organization but has no rights. You must manually assign a role to such users.
Except the Defer to Identity Provider role, each predefined role includes a set of default rights. Only a System Administrator can modify the rights in a predefined role. If a System administrator modifies a predefined role, the modifications propagate to all instances of the role in the system.
Authentication
You can integrate VMware Cloud Director with an external identity provider and import users and groups to your organizations. You can configure an LDAP server connection at a system or organization level. You can configure a SAML integration at an organization level.
You can configure an organization to use the system LDAP connection as a shared source of users and groups, or an organization can use a separate LDAP connection as a private source of users and groups.
If you want to import users and groups from a SAML identity provider to your system organization, you must configure your system organization with this SAML identity provider. Imported users can log in to the system organization with the credentials established in the SAML identity provider.
To configure VMware Cloud Director with a SAML identity provider, you establish a mutual trust by exchanging SAML service provider and identity provider metadata.
Design Recommendation |
Design Justification |
Design Implication |
---|---|---|
Use the default VMware Cloud Director Roles, unless necessary. |
Simplifies the user rights management and configuration. |
Custom roles might be required for some cases where the built-in roles do not work. |
Configured a system LDAP connection. |
|
Requires manual user import and role assignment. |
Use the System LDAP connection for Organizations. |
Allows for centralized account management by leveraging the existing LDAP infrastructure. Provides a high level of security as local accounts, that can be left when a user leaves, do not need to be created. |
Requires manual user import and role assignment. |