As a vRealize Automation organization owner or service administrator, you manage user access using the organization and service system roles. However, you also want to create custom roles to that selected users and perform tasks or see content that is outside of their system roles.

This scenario assumes that you understand the service user and viewer, and the project member and viewer roles that are defined in use case 2. You can see that they are more restrictive than the service and project administrator roles used in use case 1. Now you have identified some local use cases where you want some users to have full management permissions to on some features, view permissions on others, and you do not want them to even view yet another set of features. You use custom roles define those permission.

This use case is based on three possible local use cases. This procedure shows you how to create permissions for the following custom roles.
  • Restricted Infrastructure Administrator. You want some service users, who are not service administrators, to have broader infrastructure permissions. As the administrator, you want them to help set up cloud zones, images, and flavors. You also want them to be able on on-board and manage discovered resources. Notice they cannot add cloud accounts or integrations, they can only define the infrastructure for those endpoints.
  • Extensibility Developer. You want some service users to have full permissions to use the extensibility actions and subscriptions as part of cloud template development for their project team and for other projects. They will also develop custom resource types and custom actions for multiple projects.
  • XaaS Developer. You want some service users to have full permissions to develop custom resource types and custom actions for multiple projects.
  • Deployment Troubleshooter. You want your project administrators to have permissions they need to troubleshoot and perform root cause analysis on failed deployments. You give them manage permissions on non-destructive or less expensive categories such as image and flavor mappings. You also want the project administrators to have permission to set approvals and day 2 policies as part of the failed deployment troubleshooting role.

Prerequisites

Procedure

  1. Assign organization member roles to your cloud template developer users.
    If you need instructions, see the first use case.
  2. Assign Cloud Assembly and Service Broker service roles for your cloud template developers and catalog consumers.
    If you need instructions, see the second use case.
  3. Create projects in Cloud Assembly that you use to group resources and users.
    The steps below for the custom roles also includes project roles.
    If you need instructions for creating projects, see the second use case.
  4. Create and release cloud templates for each project team.
    If you need instructions, see the first use case.
  5. Log in to Cloud Assembly as a service administrator and select Infrastructure > Administration > Custom Roles.
  6. Create a Restricted Infrastructure Administrator role.
    In this example, you have a user, Tony, who is expert at setting up the infrastructure for various projects, but you don't want to give him full service permissions. Instead, Tony builds the core infrastructure the supports the work of all the projects. You give him limited infrastructure management permissions. Tony, or an outside contractor, might also have similar permissions for onboarding discovered machines and bringing them under vRealize Automation management.
    1. Add Tony to Cloud Assembly as a service user and viewer.
      With his viewer permissions, he can see the underlying cloud accounts and integrations if he needs to troubleshoot his work, but he cannot make changes.
    2. Create a project and add Tony as project member.
    3. To create the custom role, select Infrastructure > Administration > Custom Roles, and click New Custom Role.
    4. Enter the name Restricted Infrastructure Administrator and select the following permissions.
      Select this permission ... So that the users can ...
      Infrastructure > Manage Cloud Zones Create, update, and delete cloud zones.
      Infrastructure > Manage Flavor Mappings Create, update, and delete flavor mappings.
      Infrastructure > Manage Image Mappings Create, update, and delete image mappings.
    5. Click Create.
    6. On the Custom Roles page, select the Restricted Infrastructure Administrator role and click Assign.
    7. Enter Tony's email account and click Add.
      For example, enter [email protected].
      You can also enter any defined Active Directory user groups.
    8. Have Tony verify that when he logs in, he can add, edit, and delete values in the areas defined by the custom role.
  7. Create an Extensibility Developer role.
    In this example, you have several cloud template developers, Sylvia and Igor, who are knowledgeable about how to use extensibility actions and subscriptions to manage daily development tasks. They are also experienced with vRealize Orchestrator, so you task them with providing custom resources and actions for various projects. You give them additional permissions manage extensibility by managing custom resources and actions, and by managing extensibility actions and subscriptions.
    1. Add Sylvia and Igor as Cloud Assembly users.
    2. Add them as members of the projects that they are contributing their extensibility skills to.
    3. Create a custom user role that you name Extensibility Developer and select the following permissions.
      Select this permission ... So that the users can ...
      XaaS > Manage Custom Resources Create, update, or delete custom resources.
      XaaS > Manage Resource Actions Create, update, or delete custom actions.
      Extensibility > Manage Extensibility Resources Create, update, or delete extensibility actions and subscriptions. Disable subscriptions. Cancel and delete action runs.
    4. Click Create.
    5. Assign Sylvia and Igor to the Extensibility Developer role.
    6. Verify that Sylvia and Igor can manage the custom resources and actions, and that they can manage the various options on the Extensibility tab.
  8. Create a Deployment Troubleshooter role.
    In this example, you give your project administrators more manage permission so that they can remedy deployment failures for their teams.
    1. Add your project administrators, Shauna, Pratap, and Wei, as Cloud Assembly and Service Broker service users.
    2. In their projects, add them as project administrators.
    3. Create a custom user role that you name Deployment Troubleshooter and select the following permissions.
      Select this permission ... So that the users can ...
      Infrastructure > Manage Flavor Mappings Create, update, and delete flavor mappings.
      Infrastructure > Manage Image Mappings Create, update, and delete image mappings.
      Deployments > Manage Deployments View all deployments, across projects, and run all day 2 actions on deployments and deployment components.
      Policy > Manage Policies Create, update, or delete policy definitions.
    4. Click Create.
    5. Assign Shauna, Pratap, and Wei to the Deployment Troubleshooter role.
    6. Verify that they can manage flavor mappings, image mappings, and policies in Service Broker.

Results

In this use case, you configure different users with various roles, including custom roles that expand their service and project roles.

What to do next

Create custom roles that address your local use cases.