You must determine who can use vCloud Application Director and what tasks those users are authorized to perform. You can selectively assign administrative permissions by assigning roles to specific users. You can limit access to specific deployment environments and cloud templates by associating each user with a specific group in vCloud Application Director.

You can specify which functions the user can perform in vCloud Application Director by associating a local user, an LDAP user, or an LDAP group with one or more roles. These functions include managing user accounts, managing the catalog, managing the cloud providers and deployment environments, creating applications, and deploying applications.

The built-in admin user has the ROLE_SYSTEM_ADMIN, ROLE_CLOUD_ADMIN, ROLE_CATALOG_ADMIN, ROLE_APP_ARCHITECT, ROLE_DEPLOYER, and ROLE_SYSTEM_INTEGRATOR roles assigned to it. See Predefined Users, Groups, and Roles.

A local user's account information, including the password, is stored in the vCloud Application Director database. A user with the ROLE_SYSTEM_ADMIN role can use the vCloud Application Director command-line interface to perform the following tasks:

Create vCloud Application Director users.

Specify any combination of roles a user has, depending on the tasks that the user is required to perform.

Specify the group to which a user belongs.

Change passwords.

Enable or disable user accounts.

Create LDAP configurations.

Import LDAP users and groups.

Manage LDAP users and groups.

See Managing Users and Groups, Managing LDAP Configurations, and Predefined Users, Groups, and Roles.

All users in a group can view the applications, deployments, cloud templates, and cloud providers that a local user in that group created. Local users belonging to a vCloud Application Director group cannot view the applications, deployments, cloud templates, and cloud providers of another group.

Note

Each local user can be associated with only one vCloud Application Director group. If a local user needs access to applications, deployments, templates, or cloud providers that belong to other groups, a system administrator must provide that user with a separate account for each such group, and make sure each account belongs to the group whose components the user needs to access.

LDAP users are user accounts that are authenticated by a remote LDAP server during login. Minimal information about an LDAP user is stored in the vCloud Application Director database. The following user information is stored:

Username

SID information of the user

vCloud Application Director group with which the user is associated

vCloud Application Director roles that are assigned to the user

Note

vCloud Application Director does not save LDAP user password information.

LDAP users can belong to only one vCloud Application Director group. LDAP users that belong to one group cannot view applications, deployments, cloud templates, or cloud providers of any other group.

Only the user account with the ROLE_SYSTEM_ADMIN role can perform these actions:

Import existing LDAP users and groups to vCloud Application Director.

Assign any combination of roles to the imported users and groups, depending on the tasks that they are required to perform.

During the import process, the vCloud Application Director server communicates with the LDAP server to determine whether the user account exists in the LDAP directory. After the confirmation is received, the user's SID information is copied from the LDAP directory and an entry is created in the vCloud Application Director database for that user.

No other synchronization takes place because vCloud Application Director does not store any other user data. The user data that is required is retrieved from the LDAP server when the user logs in to the system.

With vCloud Application Director, you can create vCloud Application Director groups and assign local users, LDAP users, and LDAP groups to one vCloud Application Director group.

vCloud Application Director groups consolidate various vCloud Application Director components that belong together. Assigning a user to a group gives the user access to the following consolidated set of vCloud Application Director components:

Applications, including specific application versions and deployments

Logical templates, services, policies, and external services

Cloud providers, including deployment environments

Each local user account, LDAP user account, and LDAP group account is associated with only one vCloud Application Director group. You can associate an LDAP user or LDAP group with a vCloud Application Director group when you import the user or group from the LDAP directory. If a user belongs to several imported LDAP groups that are associated with different vCloud Application Director groups, the user is assigned only the first group association.

Logical templates, applications, cloud providers, and deployment environments are also associated with the group of the user that created them, so that access to these vCloud Application Director components is limited to that group. You can associate a local user with a group when you create the user account.

For example, when a user in abcGroup creates an application abcApp, all of the local users, LDAP users, and LDAP groups in abcGroup can access the application. A local user in xyzGroup can create an application xyzApp for all of the users in xyzGroup to access. A local user in abcGroup cannot access xyzApp, and a local user in xyzGroup cannot access abcApp. If a local user's group is changed, any applications that the user created as a member of the previous group remain in that group. The same group-limited access applies to cloud providers, deployment environments, logical templates, and deployments.

The built-in Default group includes all of the predefined sample applications and logical templates. The built-in user accounts, including the admin user, belong to this Default group.

LDAP groups are imported from the LDAP server and associated with vCloud Application Director roles. An LDAP group can be assigned a set of roles, in the same way that a local user or LDAP user can be assigned roles. Importing an LDAP group allows all the LDAP users in the group to log in to the vCloud Application Director appliance without being individually imported.

When LDAP users log in, their LDAP group memberships are evaluated. The roles actually assigned to the user are the aggregate of the roles assigned to the imported LDAP user account and the roles of all the imported LDAP groups to which the user belongs. Roles accrue only from LDAP groups that have been imported into vCloud Application Director and assigned roles; membership in a group that was never imported contributes nothing.

Each LDAP group is associated with one vCloud Application Director group.
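The following model, added here as an illustration rather than VMware's own code, works through three rules stated above: role aggregation for an LDAP user at login, the "first group association wins" rule for a user in several imported LDAP groups, and group-scoped visibility of components. All names (abcGroup, xyzGroup, alice, bob, carol, the ldap-* groups) are constructed; that dictionary order stands in for import order, and that an explicitly imported user account's group takes precedence over group imports, are assumptions the page does not spell out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Imported:
    """An imported LDAP user or LDAP group: one vCloud Application Director group, any set of roles."""
    name: str
    group: str
    roles: frozenset


@dataclass(frozen=True)
class Component:
    """An application, template, cloud provider or deployment; its group is the creator's group at creation time."""
    name: str
    group: str


# Constructed sample state. Dict order stands in for import order (assumption).
IMPORTED_GROUPS = {
    "ldap-architects": Imported("ldap-architects", "abcGroup", frozenset({"ROLE_APP_ARCHITECT"})),
    "ldap-ops": Imported("ldap-ops", "xyzGroup", frozenset({"ROLE_DEPLOYER"})),
}
IMPORTED_USERS = {
    "carol": Imported("carol", "xyzGroup", frozenset({"ROLE_CATALOG_ADMIN"})),
}
# Group membership as the LDAP server reports it at login (constructed).
LDAP_MEMBERSHIP = {
    "alice": ["ldap-ops", "ldap-architects"],  # member of two imported groups
    "bob": ["ldap-hr"],                        # group never imported: no roles, no group
    "carol": ["ldap-ops"],
}


def effective_roles(user):
    """Roles on the imported user account plus roles of every imported LDAP group the user is in."""
    roles = set()
    if user in IMPORTED_USERS:
        roles |= IMPORTED_USERS[user].roles
    for g in LDAP_MEMBERSHIP.get(user, []):
        if g in IMPORTED_GROUPS:          # non-imported groups contribute nothing
            roles |= IMPORTED_GROUPS[g].roles
    return frozenset(roles)


def effective_group(user):
    """Explicit user import wins (assumption); otherwise the first imported group association, in import order."""
    if user in IMPORTED_USERS:
        return IMPORTED_USERS[user].group
    for g in IMPORTED_GROUPS:
        if g in LDAP_MEMBERSHIP.get(user, []):
            return IMPORTED_GROUPS[g].group
    return None  # nothing imported for this user: cannot log in


def can_view(user, component):
    return effective_group(user) == component.group


def can_deploy(user, component):
    """Deploying needs ROLE_DEPLOYER and the component must belong to the user's own group."""
    return "ROLE_DEPLOYER" in effective_roles(user) and can_view(user, component)
```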