HOWTO: Configure Role Based Access Management in vRealize Orchestrator 7.3 Control Center

VMware vRealize Orchestrator 7.3 is out! (Release Notes) and the deployment and configuration process is now a lot slicker and easier to complete. In this HOWTO, we look at the process of configuring Role Based Access Management within the Control Center.

The three pre-defined roles are:

  • Administrator – Has access to All configuration menus.
  • Tenant Admin – Has access only to Role Based Access Management and Inspect Workflows.
  • Consumer – Has access only to Inspect Workflows.

Important things to remember that I discovered through testing are:

  • You can no longer log on as root once you have configured an Authentication Provider.
  • The Role Based Access Management configuration for the Control Center does not make any changes to user permissions or access within the Orchestrator client to be able to create or run workflows. This is for Control Center access only. 
  • Unless you used the vsphere.local\Administrators group as the Admin Group during the initial configuration for vSphere SSO, you would lose the ability to initially log into Control Center, resulting in a blank screen (see No Access Rights under the Access Management Results below).
  • The Admin group that is configured within the Authentication Provider settings controls initial login, as detailed within the VMware vRealize Orchestrator 7.3 Documentation Center.

  • You can assign the Administrator role to the vsphere.local\Administrators group through RBAM and then update the Authentication Provider Admin group to an Active Directory group if desired.

Prerequisites

  1. Successful deployment of the VMware vRealize Orchestrator 7.3 Appliance.
  2. Successful initial configuration of the VMware vRealize Orchestrator Control Center.

Configuration Steps

Using a web browser, navigate to https://vro.app.fqdn:8283/vco-controlcenter.

Enter the username as administrator@vsphere.local and associated password, then click Login.

Click Role Based Access Management.

Click Add.

Enter the name of the user/group into the User or Group textbox and click Search.

Select the appropriate user/group from the results list of the search.

Check the Administrator checkbox.

Click Add.

(optional) Add any additional users/groups to the different roles as required following the previous steps.

Click Home.

Click Sign out.

And that is VMware vRealize Orchestrator 7.3 Control Center RBAM configured with sample groups for each of the different roles.

Access Management Results

What does each user's view of the Control Center look like? Let's take a quick look!

vRO Administrator View – Full Access

vRO Tenant Admin View – RBAM and Inspect Workflows

vRO Consumer View – Inspect Workflows

No Access Rights

Hope that helps!
