User role use case 3: Set up VMware Aria Automation custom user roles to refine system roles
As a VMware Aria Automation organization owner or service administrator, you manage user access using the organization and service system roles. However, you also want to create custom roles so that selected users can perform tasks or see content that is outside of their system roles.
- Review the Automation Assembler and Automation Service Broker service roles and project roles tables in What are the VMware Aria Automation user roles. You must understand what each service user role can see and do in those services.
- Review the Custom Roles descriptions so that you know more about how you can refine the permissions for your users.
- Review the first use case so that you understand organization roles and the service administrator roles. See User role use case 1: Set up the VMware Aria Automation user roles to support a small application development team.
- Review the second use case so that you understand the service user and project member roles. See User role use case 2: Set up VMware Aria Automation user roles to support larger development teams and the catalog.
- Familiarize yourself with Automation Service Broker. See Adding content to the catalog.
This scenario assumes that you understand the service user and viewer roles, and the project member and viewer roles, that are defined in use case 2. You can see that they are more restrictive than the service and project administrator roles used in use case 1. Now you have identified some local use cases where you want some users to have full management permissions on some features, view permissions on others, and no visibility at all into yet another set of features. You use custom roles to define those permissions.
This use case is based on three possible local use cases. This procedure shows you how to create permissions for the following custom roles.
- Restricted Infrastructure Administrator. You want some service users, who are not service administrators, to have broader infrastructure permissions. As the administrator, you want them to help set up cloud zones, images, and flavors. You also want them to be able to onboard and manage discovered resources. Notice that they cannot add cloud accounts or integrations; they can only define the infrastructure for those endpoints.
- Extensibility Developer. You want some service users to have full permissions to use the extensibility actions and subscriptions as part of cloud template development for their project team and for other projects. They will also develop custom resource types and custom actions for multiple projects.
- XaaS Developer. You want some service users to have full permissions to develop custom resource types and custom actions for multiple projects.
- Deployment Troubleshooter. You want your project administrators to have the permissions they need to troubleshoot and perform root cause analysis on failed deployments. You give them manage permissions on non-destructive or less expensive categories such as image and flavor mappings. You also want the project administrators to have permission to set approvals and day 2 policies as part of the failed deployment troubleshooting role.
- Assign organization member roles to your cloud template developer users. If you need instructions, see the first use case.
- Assign Automation Assembler and Automation Service Broker service roles for your cloud template developers and catalog consumers. If you need instructions, see the second use case.
- Create projects in Automation Assembler that you use to group resources and users. The steps below for the custom roles also include project roles. If you need instructions for creating projects, see the second use case.
- Create and release cloud templates for each project team. If you need instructions, see the first use case.
- Log in to Automation Assembler as a service administrator and select .
- Create a Restricted Infrastructure Administrator role. In this example, you have a user, Tony, who is expert at setting up the infrastructure for various projects, but you don't want to give him full service permissions. Instead, Tony builds the core infrastructure that supports the work of all the projects. You give him limited infrastructure management permissions. Tony, or an outside contractor, might also have similar permissions for onboarding discovered machines and bringing them under VMware Aria Automation management.
  - Add Tony to Automation Assembler as a service user and viewer. With his viewer permissions, he can see the underlying cloud accounts and integrations if he needs to troubleshoot his work, but he cannot make changes.
  - Create a project and add Tony as project member.
  - To create the custom role, select, and click New Custom Role.
  - Enter the name Restricted Infrastructure Administrator and select the following permissions.

    | Select this permission ... | So that the users can ... |
    | --- | --- |
    | Infrastructure > Manage Cloud Zones | Create, update, and delete cloud zones. |
    | Infrastructure > Manage Flavor Mappings | Create, update, and delete flavor mappings. |
    | Infrastructure > Manage Image Mappings | Create, update, and delete image mappings. |
    | Infrastructure > Manage Network Profiles | Create, update, or delete network profiles. |
    | Infrastructure > Manage Storage Profiles | Create, update, or delete storage profiles. |
    | Infrastructure > Onboarding | Create, update, or delete onboarding plans. |

  - Click Create.
  - On the Custom Roles page, select the Restricted Infrastructure Administrator role and click Assign.
  - Enter Tony's email account and click Add. For example, enter Tony@yourcompany.com. You can also enter any defined Active Directory user groups.
  - Have Tony verify that when he logs in, he can add, edit, and delete values in the areas defined by the custom role.
- Create an Extensibility Developer role. In this example, you have several cloud template developers, Sylvia and Igor, who are knowledgeable about how to use extensibility actions and subscriptions to manage daily development tasks. They are also experienced with Automation Orchestrator, so you task them with providing custom resources and actions for various projects. You give them additional permissions to manage extensibility by managing custom resources and actions, and by managing extensibility actions and subscriptions.
  - Add Sylvia and Igor as Automation Assembler users.
  - Add them as members of the projects that they are contributing their extensibility skills to.
  - Create a custom user role that you name Extensibility Developer and select the following permissions.

    | Select this permission ... | So that the users can ... |
    | --- | --- |
    | XaaS > Manage Custom Resources | Create, update, or delete custom resources. |
    | XaaS > Manage Resource Actions | Create, update, or delete custom actions. |
    | Extensibility > Manage Extensibility Resources | Create, update, or delete extensibility actions and subscriptions. Deactivate subscriptions. Cancel and delete action runs. |

  - Click Create.
  - Assign Sylvia and Igor to the Extensibility Developer role.
  - Verify that Sylvia and Igor can manage the custom resources and actions, and that they can manage the various options on the Extensibility tab.
- Create a Deployment Troubleshooter role. In this example, you give your project administrators more manage permissions so that they can remedy deployment failures for their teams.
  - Add your project administrators, Shauna, Pratap, and Wei, as Automation Assembler and Automation Service Broker service users.
  - In their projects, add them as project administrators.
  - Create a custom user role that you name Deployment Troubleshooter and select the following permissions.

    | Select this permission ... | So that the users can ... |
    | --- | --- |
    | Infrastructure > Manage Flavor Mappings | Create, update, and delete flavor mappings. |
    | Infrastructure > Manage Image Mappings | Create, update, and delete image mappings. |
    | Infrastructure > View Network Profiles | View network profiles. |
    | Infrastructure > View Storage Profiles | View storage profiles. |
    | Deployments > Manage Deployments | View all deployments, across projects, and run all day 2 actions on deployments and deployment components. |
    | Policy > Manage Policies | Create, update, or delete policy definitions. |

  - Click Create.
  - Assign Shauna, Pratap, and Wei to the Deployment Troubleshooter role.
  - Verify that they can manage flavor mappings, image mappings, and policies in Automation Service Broker.
In this use case, you configure different users with various roles, including custom roles that expand their service and project roles.
Create custom roles that address your local use cases.
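One way to check later that the three custom roles still match what this procedure configured, shown as an added example that is not VMware code. The baseline permissions are copied from the tables above; the structure of `LIVE` is a hypothetical export format (not a VMware API response), and the short user names and `contractor1` are constructed.

```python
# Baseline permissions copied from the three role tables on this page.
def perms(category, *names):
    return {f"{category} > {n}" for n in names}
BASELINE = {
    "Restricted Infrastructure Administrator": perms(
        "Infrastructure", "Manage Cloud Zones", "Manage Flavor Mappings",
        "Manage Image Mappings", "Manage Network Profiles",
        "Manage Storage Profiles", "Onboarding"),
    "Extensibility Developer": perms(
        "XaaS", "Manage Custom Resources", "Manage Resource Actions")
        | perms("Extensibility", "Manage Extensibility Resources"),
    "Deployment Troubleshooter": perms(
        "Infrastructure", "Manage Flavor Mappings", "Manage Image Mappings",
        "View Network Profiles", "View Storage Profiles")
        | perms("Deployments", "Manage Deployments")
        | perms("Policy", "Manage Policies"),
}
# Intended assignees from the page's examples (short names are constructed).
INTENDED_USERS = {
    "Restricted Infrastructure Administrator": {"tony"},
    "Extensibility Developer": {"sylvia", "igor"},
    "Deployment Troubleshooter": {"shauna", "pratap", "wei"},
}

def audit(live):
    # Compare live roles with the baseline; return sorted (role, finding, value).
    findings = []
    for role, want in BASELINE.items():
        entry = live.get(role, {"permissions": [], "users": []})
        got = set(entry["permissions"])
        extra, missing = got - want, want - got
        # A View permission swapped for its Manage counterpart is an escalation.
        for view in sorted(missing):
            manage = view.replace("> View ", "> Manage ")
            if manage in extra:
                findings.append((role, "view-escalated-to-manage", manage))
                extra.discard(manage)
                missing.discard(view)
        findings += [(role, "extra-permission", p) for p in extra]
        findings += [(role, "missing-permission", p) for p in missing]
        findings += [(role, "unexpected-user", u)
                     for u in set(entry["users"]) - INTENDED_USERS[role]]
    return sorted(findings)
# Constructed export of the live roles (hypothetical format), with two drifts.
LIVE = {r: {"permissions": sorted(p), "users": sorted(INTENDED_USERS[r])}
        for r, p in BASELINE.items()}
LIVE["Extensibility Developer"]["users"].append("contractor1")
tp = LIVE["Deployment Troubleshooter"]["permissions"]
tp[tp.index("Infrastructure > View Network Profiles")] = "Infrastructure > Manage Network Profiles"
print(audit(LIVE))
```

Each finding names the role, the kind of drift, and the permission or user involved, so it can be reviewed against the verification steps in the procedure.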