We covered how vRA authentication and authorization is done through VMware Identity Manager in a blogpost, so if you are not familiar with the concept, go ahead and take a look at here.
As you know, a role is a collection of privileges, and when assigned to users, it will allow them to do certain tasks. Depending on the users and their responsibilities, they might be assigned one or more roles. In vRealize Automation, roles are categorized in two broad categories:
- Organization Roles
- Service Roles
- Project Roles
It’s vitally important to understand the concepts behind vRA roles, and how they are assigned and what considerations have to taken into account.
Looking at vRA as a hierarchy, Organization Roles are defined at the highest level. In fact, they are assigned globally and apply to all services in the organization. However, Service Roles offer access to individual services in vRA. Services include Cloud Assembly, Code Stream, Orchestrator, Service Broker.
The picture above illustrates how and in what scope organizations and services are defined. Furthermore, the GOLDEN RULE here is that, every user must be assigned an organization role with an associated service role.
There are two categories of organization roles as depicted below. As shown, an organization owner can assign roles, while an organization member can create blueprints and deploy from blueprints.
Service Roles – Cloud Assembly
Cloud Assembly role has three different levels:
- Cloud Assembly Administrator
- Cloud Assembly User
- Cloud Assembly Viewer
|Cloud Assembly Administrator||Cloud Assembly User||Cloud Assembly Viewer|
|Can create and manage projects.||Can create Blueprints.||Read only access to all projects.|
|can create cloud accounts.||Can deploy machines and services.|
|can create cloud zones.||Can manage deployments.|
|can configure and manage network/storage policies.|
|can create and manage flavor and image mappings.|
|create and manage tags.|
You can see all the privileges each role has. Because there are a lot of terminologies and concepts exist in vRealize Automation, I have made some keywords in bold, so you can see what we can do in Cloud Assembly not in case of privileges but also in functionalities Cloud Assembly offers.
if you want to assign a role to a user, you need to do it through Identity & Access Management as depicted below. As already been said, you need to first assign an Organization Role and then a service role (here Cloud Assembly).
Service Roles – Service Broker
Service Broker role also has three different levels:
- Service Broker Administrator
- Service Broker User
- Service Broker Viewer
|Service Broker Administrator||Service Broker User||Service Broker Viewer|
|Configure content sources.||access to self-service catalog.||has read only access to all objects.|
|Configure policy definitions.||deploy machines and services.|
|Add cloud accounts and cloud zones.||Manage deployments.|
Service Roles – Code Stream
Code Stream role has 5 different levels:
- Code Stream Administrator
- Code Stream User
- Code Stream Viewer
- Code Stream Executor
- Code Stream Developer
|Code Stream Administrator||Code Stream User||Code Stream Viewer||Code Stream Executor||Code Stream Developer|
Create custom dashboards.
|can access vRA Code Stream only.||has read access to see pipelines, endpoints, pipeline executions, and dashboards.||can run pipelines. |
reject/approve a user action.
can resume/pause/cancel pipeline executions.
|can work with pipelines but can access restricted endpoints through prior approval.|
|mark endpoints and variables as restricted.|
Service Role – vRealize Orchestrator
|Orchestrator Administrator||Orchestrator Viewer||Orchestrator Workflow Designer|
|Access to built-in workflows, actions, and policies.||has read only access to all objects in Orchestrator.||can create new workflows, actions and policies.|
|Access to built-in packages, configurations, and resources.||can import packages, configurations, and resources.|
|Access to Git Repositories.|
We covered most important roles in vRealize Automation and what privileges each role has. The key here is that, once you familiarize yourself with what you can do in each component, it gives you a perfect overview of the product in terms of programming logic behind the product as well as how vRealize Automation components are co-related. This can be factored as a learning methodology where you can master every product.
I hope this’s been informative for you.
6 thoughts on “Authorization with vRealize Automation 8.X Roles”
Thanks a lot Amir, it is very useful information you have provided in a easy to understand the complexity of IAM.
Glad you found it helpful Franklin.
Thanks a lot Amir, it is very useful information you have provided in a easy to understand & precise way.
It’s my pleasure, Vishal.
Brilliant information, Amir. I was looking for this.
happy to hear that, Juwel.