Authorization with vRealize Automation 8.X Roles

We covered how vRA authentication and authorization are done through VMware Identity Manager in an earlier blogpost, so if you are not familiar with the concept, go ahead and take a look at it first.

As you know, a role is a collection of privileges, and when assigned to a user it allows that user to do certain tasks. Depending on the users and their responsibilities, they might be assigned one or more roles. In vRealize Automation, roles fall into three categories:

  • Organization Roles
  • Service Roles
  • Project Roles

It is vitally important to understand the concepts behind vRA roles, how they are assigned, and what considerations have to be taken into account.

Looking at vRA as a hierarchy, Organization Roles are defined at the highest level: they are assigned globally and apply to all services in the organization. Service Roles, by contrast, grant access to individual services in vRA. The services are Cloud Assembly, Code Stream, Orchestrator and Service Broker.

The picture above illustrates how and in what scope organizations and services are defined. Furthermore, the GOLDEN RULE here is that every user must be assigned an organization role together with an associated service role; a service role on its own gives no access, and an organization role on its own gives no access to any service.

Organization Roles

There are two organization roles, as depicted below. As shown, an organization owner can assign roles, which means an owner can grant any level of access to any user, so this role should be held by as few accounts as possible. An organization member can create blueprints and deploy from blueprints once the matching service role has been assigned.

Organization Roles
Service Roles – Cloud Assembly

The Cloud Assembly service role has three levels:

  • Cloud Assembly Administrator
  • Cloud Assembly User
  • Cloud Assembly Viewer
Cloud Assembly Administrator:
  • Can create and manage projects.
  • Can create cloud accounts.
  • Can create cloud zones.
  • Can configure and manage network/storage policies.
  • Can create and manage flavor and image mappings.
  • Can create and manage tags.

Cloud Assembly User:
  • Can create blueprints.
  • Can deploy machines and services.
  • Can manage deployments.

Cloud Assembly Viewer:
  • Has read-only access to all projects.
Cloud Assembly Role

You can see all the privileges each role has. Because vRealize Automation uses a lot of terminology and concepts, I have highlighted some keywords, so you can see not only the privileges but also the functionality Cloud Assembly offers.

If you want to assign a role to a user, you need to do it through Identity & Access Management, as depicted below. As already said, you first assign an Organization Role and then a service role (here Cloud Assembly).
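To make the golden rule and the assignment order above concrete, here is an added example (my own illustration, not code from the original post or from VMware) that models how an organization role plus a service role resolve to what a user may actually do. Role and privilege names follow the Cloud Assembly and Service Broker tables in this post; the rule that Administrator inherits the User and Viewer privileges, and User inherits Viewer, is an assumption of the model, as are the User/Organization data structures. It also shows a least-privilege helper that picks the lowest service role covering a set of required privileges, which is the check you want before handing someone Administrator.

```python
# Added example, not from the original post or from VMware: a small model of
# vRA 8.x role resolution. Privilege names follow the tables in the post;
# level inheritance (Administrator ⊇ User ⊇ Viewer) is an assumption.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

ORG_ROLES = {"Organization Owner", "Organization Member"}

# Privileges per service role level, as listed in the post.
_VIEWER = {
    "Cloud Assembly": {"read all projects"},
    "Service Broker": {"read all objects"},
}
_USER = {
    "Cloud Assembly": {"create blueprints", "deploy machines and services", "manage deployments"},
    "Service Broker": {"access self-service catalog", "deploy machines and services", "manage deployments"},
}
_ADMIN = {
    "Cloud Assembly": {"create and manage projects", "create cloud accounts", "create cloud zones",
                       "manage network/storage policies", "manage flavor and image mappings",
                       "manage tags"},
    "Service Broker": {"configure content sources", "configure policy definitions",
                       "add cloud accounts and cloud zones"},
}
_LEVELS = (("Viewer", _VIEWER), ("User", _USER), ("Administrator", _ADMIN))


def service_role_privileges(service: str, role: str) -> FrozenSet[str]:
    """Privileges of one service role. Assumption: each level includes the
    levels below it, so Administrator can do everything User and Viewer can."""
    if service not in _VIEWER or role not in dict(_LEVELS):
        raise ValueError(f"unknown service/role: {service}/{role}")
    privs: Set[str] = set()
    for name, table in _LEVELS:
        privs |= table[service]
        if name == role:
            break
    return frozenset(privs)


@dataclass
class User:
    """Hypothetical principal: one org role (or none) and one role per service."""
    name: str
    org_role: Optional[str] = None                      # None = no organization role assigned
    service_roles: Dict[str, str] = field(default_factory=dict)  # service -> role level


def effective_privileges(user: User, service: str) -> FrozenSet[str]:
    """Golden rule: a service role only takes effect if the user also holds an
    organization role, and an organization role alone grants no service access."""
    if user.org_role not in ORG_ROLES:
        return frozenset()
    role = user.service_roles.get(service)
    if role is None:
        return frozenset()
    return service_role_privileges(service, role)


def is_allowed(user: User, service: str, privilege: str) -> bool:
    return privilege in effective_privileges(user, service)


def can_assign_roles(user: User) -> bool:
    """Only an Organization Owner assigns roles; no service role is needed for that."""
    return user.org_role == "Organization Owner"


def least_privileged_role(service: str, needed: Set[str]) -> Optional[str]:
    """Lowest service role whose privileges cover 'needed' (least-privilege
    assignment); None if even Administrator does not cover the request."""
    for role, _ in _LEVELS:
        if needed <= service_role_privileges(service, role):
            return role
    return None


if __name__ == "__main__":
    dev = User("dev", "Organization Member", {"Cloud Assembly": "User"})
    print(is_allowed(dev, "Cloud Assembly", "deploy machines and services"))  # True
    print(is_allowed(dev, "Cloud Assembly", "create cloud zones"))            # False
    orphan = User("orphan", None, {"Cloud Assembly": "Administrator"})       # no org role
    print(effective_privileges(orphan, "Cloud Assembly"))                      # frozenset()
    print(least_privileged_role("Service Broker", {"manage deployments"}))     # User
```

The `orphan` case is the one that trips people up in practice: a Cloud Assembly Administrator service role with no organization role resolves to nothing, which is exactly why the UI makes you pick the organization role first.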

Service Roles – Service Broker

The Service Broker service role also has three levels:

  • Service Broker Administrator
  • Service Broker User
  • Service Broker Viewer
Service Broker Administrator:
  • Can configure content sources.
  • Can configure policy definitions.
  • Can add cloud accounts and cloud zones.

Service Broker User:
  • Has access to the self-service catalog.
  • Can deploy machines and services.
  • Can manage deployments.

Service Broker Viewer:
  • Has read-only access to all objects.
Service Broker Role
Service Roles – Code Stream

The Code Stream service role has five levels:

  • Code Stream Administrator
  • Code Stream User
  • Code Stream Viewer
  • Code Stream Executor
  • Code Stream Developer
Code Stream Administrator:
  • Can create projects.
  • Can create pipelines.
  • Can create custom dashboards.
  • Can add triggers.
  • Can integrate endpoints.
  • Can mark endpoints and variables as restricted.
  • Can run pipelines.

Code Stream User:
  • Can access the vRA Code Stream service only.

Code Stream Viewer:
  • Has read access to pipelines, endpoints, pipeline executions, and dashboards.

Code Stream Executor:
  • Can run pipelines.
  • Can approve or reject a user action.
  • Can resume, pause, and cancel pipeline executions.

Code Stream Developer:
  • Can work with pipelines, but can use restricted endpoints only through prior approval.
Code Stream Role
Service Roles – vRealize Orchestrator

The Orchestrator service role has three levels:

  • Orchestrator Administrator
  • Orchestrator Viewer
  • Orchestrator Workflow Designer

Orchestrator Administrator:
  • Has access to built-in workflows, actions, and policies.
  • Has access to built-in packages, configurations, and resources.
  • Has access to Git repositories.

Orchestrator Viewer:
  • Has read-only access to all objects in Orchestrator.

Orchestrator Workflow Designer:
  • Can create new workflows, actions, and policies.
  • Can import packages, configurations, and resources.
Orchestrator Role

We covered the most important roles in vRealize Automation and the privileges each role has. The key point is that once you are familiar with what you can do in each component, you get a clear overview of the product, both of the logic behind it and of how the vRealize Automation components relate to each other. This can be used as a learning methodology for mastering any product.

I hope this has been informative for you.

2 thoughts on “Authorization with vRealize Automation 8.X Roles”

  1. Thanks a lot Amir, it is very useful information you have provided, in an easy way to understand the complexity of IAM.
