You can use the REST API identity service to create a vRealize Automation tenant and perform related functions. Perform the tasks required to create a tenant with the REST API in sequence. For information about creating and working with tenants and roles by using thevRealize Automation application user interface, see the Tenant Administration and IaaS Configuration documentation.


  • Log in to vRealize Automation as a system administrator and a tenant administrator.

  • Verify that there is access to a functional LDAP, Active Directory, or Native Active Directory identity server.

  • Verify that the identity server details required for the JSON template are available.

  • Verify that the host name and fully qualified domain name of the vRealize Automation instance are available.

  • If you are not using the API Explorer, verify that you have a valid HTTP bearer token that matches your login credentials. See REST API Authentication.


  1. Use the identity service to display all the available tenants.
    curl --insecure -H "Accept:text/xml" 
    -H "Authorization: Bearer $token" 
  2. Submit a request for a new tenant and either call a JSON file that contains tenant request parameters or specify those parameters using inline text. The first example uses a JSON file as input. The second example uses inline text as input.

    The first example calls the following sample newTenant.json file.

        "@type" : "Tenant",
        "id" : "development",
        "urlName" : "development",
        "name" : "DevelopmentTenant",
        "description" : "Tenant for all developers",
        "contactEmail" : "",
        "defaultTenant" : false



    Example 1

    Call the above newTenant.json file, which contains parameters for the tenant request.

    curl --insecure -H "Content-Type: application/json" 
    -H "Authorization: Bearer $token"
    https://$host/identity/api/tenants/development --data @C:\Temp\newTenant.json

    Example 2

    Specify the parameters for the tenant request by using inline text.

    curl --insecure -H "Accept: application/json" -H "Content-Type: application/json" 
    -H "Authorization: Bearer $token"
    --data '{"@type":"Tenant","id":"development","urlName":"development","name":
    "DevelopmentTenant","description":"Tenant for all developers","contactEmail":
  3. List all available identity stores for a named tenant, such as the default tenant vsphere.local by using variables, instead of the full token and host name.domain name.
    curl --insecure -H "Accept: application/json" -H 'Content-Type: application/json' 
    -H "Authorization: Bearer $token” https://$host/identity/api/tenants/MYCOMPANY/directories
  4. Link an LDAP, Active Directory, or Native Active Directory identity store to the tenant by using the identity service.

    Call the following sample ldap.json.txt input file from the command line to specify necessary parameters.

    	"alias": "",
    	"domain": "",
    	"groupBaseSearchDn": "ou=demo,dc=example,dc=mycompany,dc=com",
    	"name": "openLDAPDemo",
    	"password": "password",
    	"type": "LDAP",
    	"url": "ldap://",
    	"userBaseSearchDn": "ou=demo,dc=example,dc=mycompany,dc=com",
    	"userNameDn": "cn=demoadmin,ou=demo,dc=example,dc=mycompany,dc=com"

    Use the following command to call the example JSON text file and link an identity store to a tenant. The command also tests that vRealize Automation can connect to the identity store successfully. If the command finishes successfully, vRealize Automation succeeded in connecting to the identity store.

    curl --insecure -H "Content-Type: application/json" 
    -H "Authorization: Bearer $token” 
    --data @C:\Temp\ldap.json.txt
  5. Query the configured LDAP directory, Active Directory, or Native Active Directory for a specific user.
    curl --insecure -H "Accept:text/xml" 
    -H "Authorization: Bearer $token" 
  6. Assign a user to a role with the REST API identity service.

    Use the following command string to submit a request to assign the user tony in the domain to the tenant administrator role. It provides empty braces for the required JSON payload.

    curl --insecure -H "Content-Type: application/json" 
    -H "Authorization: Bearer $token"
    "https://$host/identity/api/authorization/tenants/development/principals/" --data "{}"
  7. Display all of the roles assigned to a user with the identity service.

    Use the following command to list all the roles that are assigned to

    curl --insecure -H "Content-Type: application/json" 
    -H "Authorization: Bearer $token" 

What to do next