Authorization determines which user or process can access or modify which components in your vCloud Suite deployment. Different products within vCloud Suite handle authorization at different levels of granularity.

Different types of administrators are responsible for giving access to different types of users for different products or product components.

vCenter Server Authorization

The vCenter Server permissions model allows administrators to assign roles to a user or group for a certain object in the vCenter Server object hierarchy. Roles are sets of privileges. vCenter Server includes predefined roles, but you can also create custom roles.

In many cases, permissions must be defined on both a source object and a destination object. For example, if you move a virtual machine, you need some privileges on that virtual machine, but also privileges on the destination data center.

In addition, Global Permissions allow you to give certain users privileges to all objects in the vCenter object hierarchy. Use Global Permissions with care, especially if you propagate them down the object hierarchy.

See the vSphere Security documentation for details and for instructional videos about vCenter Server permissions.

vRealize Automation Authentication

vRealize Automation allows you to use predefined roles to determine which user or group can perform which tasks. In contrast to vCenter Server, you cannot define custom roles, but a rich set of predefined roles is available.

Authentication and authorization proceed as follows:

  1. The system administrator performs the initial configuration of single sign-on and basic tenant setup, including designating at least one identity store and a tenant administrator for each tenant.

  2. Thereafter, a tenant administrator can configure additional identity stores and assign roles to users or groups from the identity stores.

    Tenant administrators can also create custom groups within their own tenant and add users and groups defined in the identity store to custom groups. Custom groups, like identity store groups and users, can be assigned roles

  3. Administrators can then assign roles to users and groups, depending on the role that they themselves belong to.

    • A set of system-wide roles, such as system administrator, IaaS administrator, and fabric administrator are predefined.

    • A separate set of tenant roles such as tenant administrator or application catalog administrator, are also predefined.

See the vRealize Automation documentation.