Use cases: How can user roles help me control access in VMware Aria Automation
VMware Aria Automation
As a cloud administrator, you want to control the tasks that your users can perform in VMware Aria Automation. Depending on your management goals and application development team responsibilities, there are different ways that you can configure the user roles to support those goals.
- Verify that you have the Organization Owner role. You must see the Identity and Access Management tab when you log in to the console. If not, contact the organization owner.
- Verify that you have the service administrator role for the various services. If you are not certain about your role, contact the organization owner.
- Verify that your users are added to VMware Aria Automation. When you install VMware Aria Automation, your Active Directory users are added as part of the process.
- For a more detailed task and role list for various roles, see Organization and service user roles in VMware Aria Automation.
The following Automation Assembler and Automation Service Broker examples are based on three use cases. These examples provide only enough instruction to illustrate the application of user roles. The target audience for these use cases is the cloud administrator and the service administrators.
The use cases build on each other. If you are ready to go directly to use case 3, you might need to review use cases 1 and 2 to better understand why you configure the roles in the ways specified.
The purpose of the use cases is to demonstrate user roles, not to provide detailed information about configuring your infrastructure, managing projects, creating cloud templates, and working with deployments.
Before you begin, you must understand the levels of user roles that are configured by a cloud administrator in the VMware Aria Automation Console.
- Organization roles. The organization roles control who can access the console. As an organization owner, you must ensure that all users of any of the services are assigned at least an organization member role.

  | Role | Description |
  |---|---|
  | Organization Owner | An administrator who can add users, change the role of users, and remove users from the organization. The owner manages which services users have access to. |
  | Organization Member | A general user who can log in to the organization console. To access the services, an organization owner must assign the user service roles. |

- Service roles. The service roles control who can access their assigned services. As an organization owner, you must ensure that the users who need access to the services are assigned the appropriate role. You use the roles to control how much the user can do in each service.

  Automation Assembler service role descriptions:

  | Role | Description |
  |---|---|
  | Assembler Administrator | A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including add cloud accounts, create new projects, and assign a project administrator. |
  | Assembler User | A user who does not have the Assembler Administrator role. In an Automation Assembler project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator. |
  | Assembler Viewer | A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services. Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer role would not extend their permissions the way that the administrator or member role does. |

  Service Broker service role descriptions:

  | Role | Description |
  |---|---|
  | Service Broker Administrator | Must have read and write access to the entire user interface and API resources. This is the only user role that can perform all tasks, including creating a new project and assigning a project administrator. |
  | Service Broker User | Any user who does not have the Automation Service Broker Administrator role. In an Automation Service Broker project, the administrator adds users to projects as project members, administrators, or viewers. The administrator can also add a project administrator. |
  | Service Broker Viewer | A user who has read access to see information but cannot create, update, or delete values. This is a read-only role across all projects in all the services. Users with the viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer role would not extend their permissions the way that the administrator or member role does. |

  Pipelines service role descriptions:

  | Role | Description |
  |---|---|
  | Pipelines Administrator | A user who has read and write access to the entire user interface and API resources. This is the only user role that can see and do everything, including create projects, integrate endpoints, add triggers, create pipelines and custom dashboards, mark endpoints and variables as restricted resources, run pipelines that use restricted resources, and request that pipelines be published in Automation Service Broker. |
  | Pipelines Developer | A user who can work with pipelines, but cannot work with restricted endpoints or variables. If a pipeline includes a restricted endpoint or variable, this user must obtain approval on the pipeline task that uses the restricted endpoint or variable. |
  | Pipelines Executor | A user who can run pipelines and approve or reject user operation tasks. This user can resume, pause, and cancel pipeline executions, but cannot modify pipelines. |
  | Pipelines User | A user who can access Automation Pipelines, but does not have any other privileges in Automation Pipelines. |
  | Pipelines Viewer | A user who has read access to see pipelines, endpoints, pipeline executions, and dashboards, but cannot create, update, or delete them. A user who also has the Service viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer role would not extend their permissions the way that the administrator or member role does. |

- Project membership roles. The project membership determines what infrastructure resources and cloud templates are available. Project membership is defined in the service by a user with a service administrator role. The service administrator must ensure that the users who need access to one or more projects are assigned the appropriate project role in each project.

  | Role | Description |
  |---|---|
  | Project Administrator | A project administrator can manage their own projects, create and deploy cloud templates associated with their projects, and manage project deployments for all project members. |
  | Project Member | A project member can create and deploy cloud templates associated with their projects, manage their own deployments, and manage any shared deployments. |
  | Project Viewer | A project viewer is a member of the project with read-only access to their project resources, cloud templates, and deployments. |

- Custom roles. The custom roles are created by the Automation Assembler to refine the member and viewer roles.
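To make the three levels concrete, here is an added example that models how the organization, service and project roles above layer on top of each other. It is not VMware code and calls no VMware API: the role names are the ones listed in the tables, while the evaluation order (organization, then service, then project), the action vocabulary (`read`, `deploy`, `manage_all`), the suffix matching on role names and the sample users are assumptions made for illustration.

```python
"""Layered role evaluation modelled on the VMware Aria Automation role levels.

Added example, not VMware's code; it calls no VMware API. The role names are
the ones from the role tables; the check order, the action names and the
sample users are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Organization roles gate access to the console.
ORG_ROLES = {"Organization Owner", "Organization Member"}

# Assumed action vocabulary for project resources.
READ = "read"
DEPLOY = "deploy"          # create and deploy cloud templates
MANAGE_ALL = "manage_all"  # manage deployments of all project members

# What each project role permits, per the project roles table.
PROJECT_ROLE_ACTIONS = {
    "Project Administrator": {READ, DEPLOY, MANAGE_ALL},
    "Project Member": {READ, DEPLOY},
    "Project Viewer": {READ},
}


@dataclass
class User:
    name: str
    org_role: Optional[str] = None
    # service name -> service role, e.g. "Assembler Viewer"
    service_roles: Dict[str, str] = field(default_factory=dict)
    # (service, project) -> project role
    project_roles: Dict[Tuple[str, str], str] = field(default_factory=dict)


def is_allowed(user: User, service: str, project: str, action: str) -> Tuple[bool, str]:
    """Return (decision, reason) for one request, checking the three levels in order."""
    # Level 1: organization role. Without one the user cannot log in to the console,
    # whatever service roles may have been recorded for them.
    if user.org_role not in ORG_ROLES:
        return False, "no organization role: cannot log in to the console"

    # Level 2: service role. Without one the user cannot enter the service.
    svc_role = user.service_roles.get(service)
    if svc_role is None:
        return False, f"no {service} service role"
    # A service administrator has read and write access to everything.
    # (Matching on the role-name suffix is a simplification of this example.)
    if svc_role.endswith("Administrator"):
        return True, f"{svc_role}: read/write access to all projects"

    # Level 3: project membership decides what a service user or viewer may do.
    proj_role = user.project_roles.get((service, project))
    if action in PROJECT_ROLE_ACTIONS.get(proj_role, set()):
        return True, f"{proj_role} on {project!r} permits {action}"
    # A service viewer reads everything but can act only through a project role.
    if svc_role.endswith("Viewer") and action == READ:
        return True, f"{svc_role}: read-only access across all projects"
    return False, f"{svc_role} with project role {proj_role!r} does not permit {action}"


ASSEMBLER = "Automation Assembler"

# Constructed sample users (not from the page).
ALICE = User("alice", "Organization Owner", {ASSEMBLER: "Assembler Administrator"})
BOB = User("bob", "Organization Member", {ASSEMBLER: "Assembler User"},
           {(ASSEMBLER, "dev-web"): "Project Member"})
CAROL = User("carol", "Organization Member", {ASSEMBLER: "Assembler Viewer"},
             {(ASSEMBLER, "ops"): "Project Administrator"})
DAVE = User("dave", None, {ASSEMBLER: "Assembler Administrator"})  # never added to the org


def run_scenarios() -> Dict[Tuple[str, str, str], bool]:
    """Evaluate a few requests and return {(user, project, action): decision}."""
    requests = [
        (ALICE, "dev-web", MANAGE_ALL),  # service admin: everything, everywhere
        (BOB, "dev-web", DEPLOY),        # project member may deploy
        (BOB, "dev-web", MANAGE_ALL),    # but not manage others' deployments
        (BOB, "ops", READ),              # no membership in ops: nothing visible
        (CAROL, "dev-web", READ),        # service viewer reads any project
        (CAROL, "dev-web", DEPLOY),      # but cannot act without a project role
        (CAROL, "ops", MANAGE_ALL),      # project admin role extends the viewer
        (DAVE, "dev-web", READ),         # org gate fails before any service check
    ]
    return {(u.name, p, a): is_allowed(u, ASSEMBLER, p, a)[0] for u, p, a in requests}


if __name__ == "__main__":
    for (who, project, action), ok in run_scenarios().items():
        print(f"{who:6} {action:10} {project:8} -> {'allow' if ok else 'deny'}")
```

The point of the ordering is that a later level can only narrow or extend access within what the earlier levels already granted: a service role recorded for someone who is not an organization member buys nothing, and a viewer's read access is extended only by an explicit project role, never by the viewer role itself. The same evaluation applies whether the request arrives through the console or the API.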
The procedures provided in these use cases are meant to highlight the user roles. They are not detailed or definitive procedures for setting up VMware Aria Automation. As you configure roles, remember that users who are running API operations are subject to the roles that you assign here.