To grant user and service accounts the access they need to perform their tasks, create Active Directory groups whose scope reflects the permissions required for those tasks.

Create Active Directory groups according to the following rules:

  1. Add user and service accounts to universal groups in the parent domain.

  2. Add the universal groups to global groups in each child domain.

  3. Assign access rights and permissions to the local groups in the child domains according to their role.

Universal Groups in the Parent Domain

In the rainpole.local domain, create the following universal groups:

Table 1. Universal Groups in the rainpole.local Parent Domain

Group Name                 Group Scope   Description
ug-SDDC-Admins             Universal     Administrative group for the SDDC
ug-SDDC-Ops                Universal     SDDC operators group
ug-ITAC-TenantAdmins       Universal     Tenant administrators group
ug-ITAC-TenantArchitects   Universal     Tenant blueprint architects group
ug-vCenterAdmins           Universal     Group with accounts that are assigned vCenter Server administrator privileges
ug-vROAdmins               Universal     Group with vRealize Orchestrator Administrator privileges

Global Groups in the Child Domain

In the sfo01.rainpole.local child domain, add the role-specific universal group from the parent domain to the relevant role-specific global group in the child domain.

Table 2. Global Groups in the sfo01.rainpole.local Child Domain

Group Name              Group Scope   Description                                                          Member of Groups
SDDC-Admins             Global        Administrative group for the SDDC                                    RAINPOLE\ug-SDDC-Admins
SDDC-Ops                Global        SDDC operators group                                                 RAINPOLE\ug-SDDC-Ops
ITAC-TenantAdmins       Global        Tenant administrators group                                          RAINPOLE\ug-ITAC-TenantAdmins
ITAC-TenantArchitects   Global        Tenant blueprint architects group                                    RAINPOLE\ug-ITAC-TenantArchitects
vCenterAdmins           Global        Accounts that are assigned vCenter Server administrator privileges   RAINPOLE\ug-vCenterAdmins
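The group structure from Table 1 and Table 2, as an added PowerShell example that is not part of the VMware document: it creates the universal groups in rainpole.local, the global groups in sfo01.rainpole.local, and nests them in the direction shown by the Member of Groups column (the child global group becomes a member of the parent universal group, because a global group cannot hold members from another domain). The OU paths, the domain names used as -Server targets, and the $Roles hash table are assumptions.

```powershell
# Added example, not from the VMware document. Requires the ActiveDirectory
# module (RSAT) and an account allowed to create groups in both domains.
Import-Module ActiveDirectory

$ParentDomain = 'rainpole.local'                          # parent domain (Table 1)
$ChildDomain  = 'sfo01.rainpole.local'                    # child domain (Table 2)
$ParentOU     = 'OU=SDDC,DC=rainpole,DC=local'            # assumed OU
$ChildOU      = 'OU=SDDC,DC=sfo01,DC=rainpole,DC=local'   # assumed OU

# Role name -> description, taken from the tables (vROAdmins has no Table 2 row).
$Roles = [ordered]@{
    'SDDC-Admins'           = 'Administrative group for the SDDC'
    'SDDC-Ops'              = 'SDDC operators group'
    'ITAC-TenantAdmins'     = 'Tenant administrators group'
    'ITAC-TenantArchitects' = 'Tenant blueprint architects group'
    'vCenterAdmins'         = 'Accounts that are assigned vCenter Server administrator privileges'
}

foreach ($role in $Roles.Keys) {
    $ugName = "ug-$role"

    # Universal security group in the parent domain (Table 1); idempotent.
    if (-not (Get-ADGroup -Filter "Name -eq '$ugName'" -Server $ParentDomain)) {
        New-ADGroup -Name $ugName -SamAccountName $ugName -GroupScope Universal `
            -GroupCategory Security -Path $ParentOU -Description $Roles[$role] `
            -Server $ParentDomain
    }

    # Global security group in the child domain (Table 2); idempotent.
    if (-not (Get-ADGroup -Filter "Name -eq '$role'" -Server $ChildDomain)) {
        New-ADGroup -Name $role -SamAccountName $role -GroupScope Global `
            -GroupCategory Security -Path $ChildOU -Description $Roles[$role] `
            -Server $ChildDomain
    }

    # Nesting per the "Member of Groups" column: the child global group is
    # added as a member of the parent universal group. The universal group
    # must be the container because global groups cannot hold cross-domain members.
    $globalGroup = Get-ADGroup -Identity $role -Server $ChildDomain
    Add-ADGroupMember -Identity $ugName -Members $globalGroup -Server $ParentDomain
}

# Check: each universal group should now list its child-domain global group.
foreach ($role in $Roles.Keys) {
    Get-ADGroupMember -Identity "ug-$role" -Server $ParentDomain |
        Select-Object @{ n = 'UniversalGroup'; e = { "ug-$role" } }, Name, objectClass
}
```

Running the final loop after the build is a quick way to confirm the nesting matches Table 2 before any permissions are assigned to local groups in step 3.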