When it comes to user and role management, vCloud Director gives you various options. First of all, you can configure users at the cloud provider (system) level or per organization.
At cloud provider level there is just one role available: system administrator. Every cloud provider user is therefore a system administrator and has access to all vCloud Director settings. Such an account also acts as an Organization Administrator for every organization, and so has access to all the vApps as well.
At organization level several roles are available. These roles are customizable and you can create new roles if necessary; they are defined at cloud provider level and are available to all configured organizations.
When configuring users at cloud provider level, you have the following options:
- Create vCloud Director integrated users. These users (including their passwords) are stored in the vCD database.
- Use LDAP users by connecting to an LDAP directory, e.g. Microsoft Active Directory. You configure LDAP through Administration->LDAP.
- Use SSO user accounts: you can import SSO accounts and assign them the system administrator role. This works out of the box.
It is a best practice to create at least one vCloud Director integrated user; this guarantees access to the environment when the LDAP connection is down.
For organizations you have four options for user accounts:
- Create vCloud Director integrated users.
- Use the VCD system LDAP service. Important: in this case the cloud provider's LDAP service is used. Configure this option through organization->Administration->LDAP->VCD system LDAP service.
- Use a custom LDAP service per vCloud Director organization. Configure this option through organization->Administration->LDAP->Custom LDAP Service.
- Use a SAML identity provider for the user accounts, through Administration->Federation.
Here again it is very useful to create at least one non-LDAP/SAML user account, which guarantees access to the vCD environment. Because such an account bypasses the directory (and with it the directory's password and lockout policy), give it a strong password and treat it as a break-glass account rather than a day-to-day login.
About vCloud Director empty LDAP groups
When using LDAP it is a very good idea to leverage LDAP groups for role assignment. In this case you link a role to an LDAP group, and vCloud Director assigns roles based on a user's LDAP group membership, which you manage in your directory.
After right-clicking an LDAP group and choosing Properties, you can link a role to the LDAP group and see which users are members of the group. Important: by default the group will not show all LDAP group members. A username is only displayed in the group after that user has logged on to vCloud Director. In the screenshot, user “vbe” is the only user that has already logged on to the cloud environment. This means the vCD group view cannot be used to audit who actually holds a role: everyone the directory places in that group (including through nested groups) gets the role on first login, whether or not vCD lists them yet, so check membership in the directory itself.
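To see who really holds a role mapped to an LDAP group, rather than only the members vCD has seen log in, you have to resolve membership in the directory. The script below is an added example and not part of the original post or of vCloud Director itself: it parses the LDIF that `ldapsearch -LLL` prints for group objects, expands nested groups (cycle-safe), and reports which role holders the vCD group view does not yet show. The domain `example.local`, the group names, the group-to-role mapping, and the list of users already visible in vCD are all constructed for the example.

```python
"""Resolve the real membership of LDAP groups that are mapped to vCloud Director roles.

vCD only lists group members that have already logged in, so the directory
is the source of truth for who holds a role. Added example; all names below
are constructed (hypothetical domain example.local, hypothetical groups).
"""
from collections import defaultdict

# Constructed LDIF, in the form `ldapsearch -LLL -b DC=example,DC=local
# '(objectClass=group)' member` would print it. Includes a nested group and
# a membership cycle (org-admins -> platform-team -> org-admins).
SAMPLE_LDIF = """\
dn: CN=vcd-org-admins,OU=Groups,DC=example,DC=local
member: CN=vbe,OU=Users,DC=example,DC=local
member: CN=vcd-platform-team,OU=Groups,DC=example,DC=local

dn: CN=vcd-platform-team,OU=Groups,DC=example,DC=local
member: CN=alice,OU=Users,DC=example,DC=local
member: CN=bob,OU=Users,DC=example,
 DC=local
member: CN=vcd-org-admins,OU=Groups,DC=example,DC=local

dn: CN=vcd-vapp-users,OU=Groups,DC=example,DC=local
member: CN=carol,OU=Users,DC=example,DC=local
"""

# Hypothetical group -> vCD role links, as configured under the organization.
ROLE_MAP = {
    "CN=vcd-org-admins,OU=Groups,DC=example,DC=local": "Organization Administrator",
    "CN=vcd-vapp-users,OU=Groups,DC=example,DC=local": "vApp User",
}

# Constructed: what the vCD group properties dialog currently shows
# (only users that have already logged on).
VCD_SHOWN = {"Organization Administrator": {"vbe"}}


def _unfold(ldif):
    """Join LDIF continuation lines (a leading space) back onto the previous line."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif_groups(ldif):
    """Return {group_dn: [member_dn, ...]} for every entry in the LDIF text."""
    groups, dn = {}, None
    for line in _unfold(ldif):
        if not line.strip():
            dn = None                      # blank line ends the entry
        elif line.startswith("dn: "):
            dn = line[4:]
            groups[dn] = []
        elif line.startswith("member: ") and dn is not None:
            groups[dn].append(line[8:])
    return groups


def effective_members(group_dn, groups, seen=None):
    """Transitively expand a group into user DNs. `seen` guards against cycles.

    DN comparison is exact here; real LDAP matching is case-insensitive.
    """
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users = set()
    for member in groups.get(group_dn, []):
        if member in groups:               # nested group: recurse
            users |= effective_members(member, groups, seen)
        else:
            users.add(member)
    return users


def cn(dn):
    """Leftmost RDN value, e.g. 'vbe' from 'CN=vbe,OU=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def role_holders(groups, role_map):
    """Map each vCD role to the set of user CNs the directory grants it to."""
    holders = defaultdict(set)
    for group_dn, role in role_map.items():
        holders[role] |= {cn(u) for u in effective_members(group_dn, groups)}
    return dict(holders)


def not_yet_visible(holders, shown):
    """Role holders the directory grants but the vCD group view does not list yet."""
    return {role: users - shown.get(role, set()) for role, users in holders.items()}


if __name__ == "__main__":
    holders = role_holders(parse_ldif_groups(SAMPLE_LDIF), ROLE_MAP)
    for role, users in sorted(holders.items()):
        print(f"{role}: {sorted(users)}")
    for role, users in sorted(not_yet_visible(holders, VCD_SHOWN).items()):
        print(f"  not shown in vCD for {role}: {sorted(users)}")
```

On the constructed data the directory grants Organization Administrator to vbe, alice and bob (bob via the nested platform-team group and a folded LDIF line), while vCD shows only vbe. Against a real directory, feed the script the output of `ldapsearch` for the groups you have linked to roles; the cycle guard matters because Active Directory happily allows mutually nested groups.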