After having shown how vRealize Automation can be set up and having added Active Directory in Identity Manager, the next step is to grant users and groups access to vRealize Automation.
Once again, this can be done in the vRealize Automation portal. If you grant access for the first time, please make sure to use the privileged user account specified during the vRealize Automation deployment. In my case, this was the user configurationadmin.
To assign some roles, let’s click on the Identity & Access Management tab. You can assign roles to individual users or groups. Of course, for the sake of manageability, assigning roles to groups is always recommended, so go ahead to the Enterprise Groups tab.
With the group selected, we can edit roles for vRealize Automation.
If you click on Assign Roles, you can grant access to new users and groups.
When assigning roles, you have to bear in mind that there are two different role types:
- Organization Roles
- Service Roles
Organization Roles are global in nature. However, you can narrow them down to specific projects and add users to those roles.
Basically, Organization Roles define permissions within a tenant, while Service Roles determine what kind of functionality can be used.
For Organization Roles, you can choose between Organization Owner and Organization Member. The difference is that only Owners have admin-level permissions and can manage other users as well as branding, while Members basically have access to all other kinds of functionality.
There are Service Roles for Cloud Assembly, Code Stream, Orchestrator and Service Broker.
Let’s begin with Cloud Assembly (we will discuss the specific roles of the other services in a later blog post):
- Cloud Assembly Administrator: Administrators can do everything within Cloud Assembly (including adding cloud accounts, creating new projects, and assigning a project administrator).
- Cloud Assembly User: Users have the following permissions.
| | | | | |
|---|---|---|---|---|
| Infrastructure | Configure – Projects | Yes (only the projects you are a member of) | No | No |
| | Configure – Cloud Zones | No | No | No |
| | Configure – Flavor Mappings | Yes | No | No |
| | Configure – Image Mappings | Yes | No | No |
| | Configure – Network Profiles | Yes | No | No |
| | Configure – Storage Profiles | Yes | No | No |
| | Configure – Tags | Yes | No | No |
| | Resources – Compute | Yes | No | No |
| | Resources – Network | Yes | No | No |
| | Resources – Storage | Yes | No | No |
| | Resources – Machines | Yes (only the ones that you deployed) | Yes | Yes (only the ones that you deployed) |
| | Resources – Volumes | | | |
| | Activity – Requests | Yes (only the ones that you deployed) | N/A | Yes (only the ones that you deployed) |
| | Activity – Events | Yes (only the ones that you deployed) | N/A | Yes (only the ones that you deployed) |
| | Connections – Cloud Accounts | No | No | No |
| | Connections – Integrations | | | |
| | Connections – Cloud Proxies | | | |
| | Cost – VMC Assessment | Yes | No | No |
| | Cost – Private Clouds | Yes | No | No |
| Blueprints | Blueprints | Yes (only for your projects) | Yes (only for your projects) | Yes (only for your projects) |
| Deployments | Deployments | Yes (only the ones that you deployed) | N/A | Yes (only the ones that you deployed) |
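
To review the role assignments described above once they are in place, the following added example (not part of the original post and not VMware code) audits a list of assignments for roles granted directly to users instead of groups and for grants of the two administrative roles named in this post. The record layout, the principal names other than `configurationadmin`, and the severity labels are assumptions made for illustration.

```python
# Role names as used in this post; the record layout below is an assumed
# export format, not something vRealize Automation produces.
ADMIN_ROLES = {"Organization Owner", "Cloud Assembly Administrator"}

# Constructed sample data for the example.
ASSIGNMENTS = [
    {"principal": "vra-admins@example.test", "type": "group",
     "org_role": "Organization Owner",
     "service_roles": ["Cloud Assembly Administrator"]},
    {"principal": "vra-users@example.test", "type": "group",
     "org_role": "Organization Member",
     "service_roles": ["Cloud Assembly User"]},
    {"principal": "jdoe@example.test", "type": "user",
     "org_role": "Organization Owner",
     "service_roles": ["Cloud Assembly Administrator"]},
    {"principal": "asmith@example.test", "type": "user",
     "org_role": "Organization Member",
     "service_roles": ["Cloud Assembly User"]},
    {"principal": "configurationadmin", "type": "user",
     "org_role": "Organization Owner", "service_roles": []},
]

SEVERITY_ORDER = {"HIGH": 0, "REVIEW": 1, "LOW": 2}


def audit(assignments, allowed_direct=()):
    """Return (severity, principal, reason) tuples, most severe first.

    allowed_direct lists accounts that are expected to hold roles directly,
    such as the privileged account created during deployment.
    """
    findings = []
    for a in assignments:
        held = {a["org_role"], *a["service_roles"]}
        admin = sorted(held & ADMIN_ROLES)
        direct = a["type"] == "user" and a["principal"] not in allowed_direct
        if direct and admin:
            findings.append(("HIGH", a["principal"],
                             "admin role assigned directly to a user: " + ", ".join(admin)))
        elif direct:
            findings.append(("LOW", a["principal"],
                             "role assigned directly to a user instead of a group"))
        elif admin and a["type"] == "group":
            findings.append(("REVIEW", a["principal"],
                             "group grants admin role, check its membership: " + ", ".join(admin)))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, principal, reason in audit(ASSIGNMENTS, {"configurationadmin"}):
        print(f"{severity:6} {principal:28} {reason}")
```
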