VMware Cloud Director uses roles and associated rights to determine whether a user or group is authorized to perform an operation. Most of the procedures documented in the VMware Cloud Director guides include a predefined role. This predefined role includes a specific set of rights.

System administrators can use rights bundles and global tenant roles to manage the rights and roles in each organization.

Predefined Provider Roles:

  • System Administrator: Exists only in the provider organization. It includes all rights in the system. A System Administrator can create additional system administrators and user accounts in the provider organization.

  • Multisite System: Runs the heartbeat process for multisite deployments. It includes only one right 'Multisite: System Operations' to make a Cloud Director OpenAPI request. This request retrieves the status of the remote member of a site association.

Predefined Global Tenant Roles:

  • Organization Administrator: Manages users and groups in organizations and assign them roles, including the predefined Organization Administrator role. Roles created or modified by an Organization Administrator are not visible to other organizations.

    Note:

    After creating an organization, a System Administrator can assign the role of Organization Administrator to any user in the organization.

  • Catalog Author: Creates and publishes catalogs

  • vApp Author: Uses catalogs and creates vApps

  • vApp User: Uses existing vApps

  • Console Access Only: Views VM state and properties and uses the guest OS

  • Defer to Identity Provider:

    • The rights associated with this role are determined based on the information received from the user's OAuth or SAML Identity Provider.

      • If an OAuth Identity Provider defines a user, the user is assigned the roles named in the roles array of the user's OAuth token.

      • If a SAML Identity Provider defines a user, the user is assigned the roles named in the SAML attribute. The SAML attribute name appears in the RoleAttributeName element, which is in the SamlAttributeMapping element in the organization's OrgFederationSettings.

    • When assigning this role to a user or group, the user or group name provided by the Identity Provider must match the role or group name defined in your organization. Otherwise, the user or group is not qualified for inclusion.

      • If a user is assigned the Defer to Identity Provider role but no matching role or group name is available in your organization, the user can log in to the organization but has no rights.

      • If an Identity Provider associates a user with a system-level role such as System Administrator, the user can log in to the organization but has no rights. You must manually assign a role to such users.

Note:

Except the Defer to Identity Provider role, each predefined role includes a set of default rights. Only a System Administrator can modify the rights in a predefined role. If a System administrator modifies a predefined role, the modifications propagate to all instances of the role in the system.

Cloud Director Authentication

You can integrate VMware Cloud Director with an external identity provider and import users and groups to your organizations. You can configure an LDAP server connection at a system or organization level and a SAML integration at an organization level.

  • LDAP: An organization can use the system LDAP connection as a shared source of users and groups or a separate LDAP connection as a private source of users and groups.

  • SAML: If you want to import users and groups from a SAML identity provider to your system organization, configure the system organization with the SAML identity provider. Imported users can log in to the system organization with the credentials established in the SAML identity provider.

    To configure VMware Cloud Director with a SAML identity provider, you must establish a mutual trust by exchanging SAML service provider and identity provider metadata.

Table 1. Recommended Roles and Authentication Design for VMware Cloud Director

Design Recommendation

Design Justification

Design Implication

Use the default VMware Cloud Director roles, unless necessary.

Simplifies the user rights management and configuration.

Custom roles might be required for some cases where the built-in roles do not work.

Configure a system LDAP connection.

  • Enables centralized account management by leveraging the existing LDAP infrastructure.

  • Provides high security, as you do not need to create local accounts that can be left unused.

Requires manual user import and role assignment

Use the System LDAP connection for Organizations.

Enables centralized account management by leveraging the existing LDAP infrastructure.

Provides a high level of security as local accounts, which can be left when a user leaves, do not need to be created.

Requires manual user import and role assignment