To do any of the interesting stuff in vRA – we need some AD integration to give a user the required permissions – that is the user we will be using for most parts.
One note: This is a lab environment. I therefore won’t bother with the creation of different users for different roles in vRA – The procedures are the same, but I won’t go through the tedious bits 🙂
I suggest heading over to VMware.com to read up on the different roles possible. It really depends on your environment anyway, as to who can do what etc.
User Roles Overview @ VMware.com
In my environment I have created two AD User Groups
- vRA7-Admins
- vRA7-Users
With two users, each belonging to its respective group, cunningly called
- vRA7-Admin
- vRA7-User
So, let’s hand out some permissions.
Whilst logged in as configurationadmin, navigate to Administration > Directory Management.
Enter your Active Directory details here – I am using Integrated Active Directory Authentication
Click Save & Next
Select your domain you want to use for authentication – I don’t have any trust with other domains, so here I see only one.
Click Next
I just keep the defaults.
Click Next
Click here to add the groups to be synced.
Here you need to enter the DN (Distinguished Name) of a particular group.
If you have enabled ‘Advanced Features‘ in ‘Active Directory Users and Groups‘, you should be able to find the DN in the group’s properties (Attribute Editor tab).
Note: You can also find the DNs using ADSI Edit
In my example the above mentioned groups have the following DNs
- vRA7-Admins
  - CN=vRA7-Admins,OU=Service Accounts,DC=vspherelab,DC=co,DC=uk
- vRA7-Users
  - CN=vRA7-Users,OU=Service Accounts,DC=vspherelab,DC=co,DC=uk
Click and add the DNs. I am not sure why it displays “0 of 1 Groups to sync” – but there we go. Click Next
When you clicked ‘Next’ – you can quickly see that it changes from 0 of 1 to 1 of 1 – You can confirm that by clicking ‘Previous’
As all users in groups will be synced as well, I don’t need to specify additional User DNs
If you want to change the Sync Frequency, click Edit
Change the frequency and click Save
Now click Sync Directory
Depending on your environment – the sync can take a while, but in mine it took less than 30 seconds
In the above screenshot you can see that I only have two groups and one user. But I should have two groups and two users.
So I made a mistake in AD somewhere and I show further down how to see what went wrong.
But if you didn’t make any mistakes, you should now have the relevant users and groups imported into vRA, and you can hand out some permissions.
As mentioned, I want / need an admin.
Navigate to Administration. If you are still in the same Directory view, click ‘back’
Click Users & Groups > Directory Users and Groups
In the search field, type the group or user which should be your admin.
Here you can see what is wrong – I am missing my vra7-admin
I checked AD and I had actually forgotten to add my admin user to the admin group. As I mentioned earlier, I only synced groups and their member users, not users specifically.
I have now moved the user back into the group, but as you may remember, I set the sync frequency to hourly. I didn’t want to wait, so I just kicked off a sync manually.
There we go – two groups, two users.
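Before running Sync Directory, it is worth checking from the AD side that each group DN is correct and that every user you expect to land in vRA is actually a member, since only members of synced groups get imported. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed and uses the group and user names from the post.

```powershell
# Added example: pre-sync check of the groups vRA will import.
# Assumes the ActiveDirectory module (RSAT) and the post's group/user names.
Import-Module ActiveDirectory

# Groups to be synced and the users expected to be members of each
$expected = @{
    'vRA7-Admins' = @('vRA7-Admin')
    'vRA7-Users'  = @('vRA7-User')
}

foreach ($groupName in $expected.Keys) {
    # DistinguishedName is exactly what the Directory Management wizard asks for
    $group = Get-ADGroup -Identity $groupName
    Write-Host "$groupName DN: $($group.DistinguishedName)"

    # Direct members only; a user missing here will not appear in vRA after
    # the sync, which is the mistake described above
    $members = Get-ADGroupMember -Identity $groupName |
        Select-Object -ExpandProperty SamAccountName

    foreach ($user in $expected[$groupName]) {
        if ($members -contains $user) {
            Write-Host "  OK       $user is a member of $groupName"
        } else {
            Write-Warning "$user is NOT a member of $groupName and will not be synced into vRA"
        }
    }
}
```

If the warning fires, fix the membership in AD first; otherwise the hourly sync will keep silently skipping that user.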
Now when searching again (under Users & Groups) – I finally see my admin
I click the usergroup which should have full admin permission. Here ‘vra7-admins‘
I give all permissions and click Next
You can see that the group has that one member (at the moment) – vra7-admin
Click Finish. You’ll be pushed back to the main screen.
Now test the user. Log out by clicking
Since you now have integrated vRA with Active Directory, you have a selection of domains. Here in my case
- vsphere.local (default)
- vspherelab.co.uk (AD integrated)
Click and select the newly added domain.
Click Next
Enter the AD credentials of the user added (the one which we gave EVERYTHING)
You should be able to log in and see the default screen
Now you have a GOD-like user, apart from Fabric permissions – because there isn’t a fabric group yet. That will be the next step.
For now you will notice that the Infrastructure tab will be empty.
We also need to give our admin IaaS Administrator permissions. As mentioned, I am using the default tenant (vsphere.local). Log out and log back in with the default System Administrator
Click the default tenant vsphere.local
Under the Administrators tab, add your ‘domain’ admin to the IaaS Administrators
Log out again, time to create a Fabric Group 🙂