vCloud Director 8.20 introduces the ability to create granular roles at the tenant and system level. This matters for service providers who want to differentiate which tenants have access to specific features (for example advanced networking services). It also lets tenants create their own roles that correspond to their team structure (e.g. network administrator). And lastly, the system administrator can create additional roles in the system context with access to a subset of features.
A role is a set of rights which can be assigned to a user or a group. There are many new rights in vCloud Director 8.20. A few examples:
Access to Distributed Firewall:
- Enable / Disable Distributed Firewall
Gateway Advanced Services
- Configure IPSEC VPN
- Configure Load Balancer
- Configure BGP Routing
- Configure OSPF Routing
- Configure SSL VPN
- Configure Firewall
- Configure DHCP
- Configure NAT
- Configure L2 VPN
- Configure Static Routing
Or system level rights like:
- Upgrade Host
- Repair Host
- Migrate Host VMs
- Open a Host in vSphere
- Enable / Disable a Host
- Prepare / Unprepare a Host
- View Host
Prior to vCloud Director 8.20
- Only global roles could be created by the system administrator, next to a handful of predefined roles (vApp Author, Organization Administrator, …).
- Every organization would have access to the global and predefined roles.
- Organization administrator could assign the roles to organization users.
- Service provider could not differentiate access to features among different tenants.
- There was only one system administrator role with access to everything.
vCloud Director 8.20
- Roles are no longer global, but instead are organization specific.
- Former global and predefined roles become role templates.
- Service provider can create new role templates.
- Role templates are used to instantiate organization specific roles.
- Service provider can selectively grant rights to specific organizations.
- Organization administrator can create their own organization specific roles from a subset of the granted rights.
- New roles can be created in the system context from a subset of the system administrator rights.
The transition from pre-8.20 role management happens during the upgrade to 8.20. Existing roles are converted to role templates and each organization gets its own instantiation of roles based on those templates. The UI has changed and now includes an Organization column and filter. A new System organization is added with the default System Administrator role.
Tenant Rights and Role Management
When a new organization is created it has access to all rights that are used in role templates. The system administrator can grant additional rights to the organization with the vCloud API only:
GET /api/admin … get references to all rights in VCD instance
GET /api/admin/org/<org-id>/rights … get references to all rights in the organization
PUT /api/admin/org/<org-id>/rights … edit rights in the organization
The system administrator or the Organization Administrator can create new roles in their organization with the vCloud API only.
Note: While the system administrator can edit tenant roles in the UI, editing a role that is based on a role template changes the template itself, and thus the role in every organization (more below).
How to Create Global Role
The UI no longer allows creation of global roles; only organization specific roles can be created that way.
However, there is a way to create a global role (actually a role template) with the legacy API (e.g. version 9.0 or 20.0, but not 27.0). Here is an example:
POST /api/admin/roles
Header:
Accept: application/*;version=9.0
Content-Type: application/vnd.vmware.admin.role+xml
Body:
<?xml version="1.0" encoding="UTF-8"?>
<Role xmlns="http://www.vmware.com/vcloud/v1.5" name="New Global Role">
  <Description>My new global role</Description>
  <RightReferences>
    <RightReference href="https://vcloud.fojta.com/api/admin/right/0b8c8cd2-5af9-32ad-a0bd-dc356503a552" name="General: Administrator View" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud.fojta.com/api/admin/right/5e579955-fe9d-3f0b-bc6b-a3da4db328f1" name="Group / User: View" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud.fojta.com/api/admin/right/2cd2d9d7-262c-34f8-8bee-fd92f422cc2c" name="General: Administrator Control" type="application/vnd.vmware.admin.right+xml"/>
  </RightReferences>
</Role>
Note: Using the above API call with API version 27.0 would create the role in the System organization instead.
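As an added example (not code from the post or from VMware), the following Python script uses only the standard library to build the request bodies for the two API calls described above: the PUT /api/admin/org/<org-id>/rights body that grants extra rights to a tenant, and the POST /api/admin/roles body for a new role. It also enforces the constraint the post makes later: a role may only carry rights the organization has actually been granted, so the script refuses to emit a role body that references an ungranted right. The hostname, UUIDs, right names and the OrgRights element name in the sample responses are constructed assumptions, not values from the post.

```python
# Added example (not from the post). Builds the XML bodies for
#   PUT  /api/admin/org/<org-id>/rights   (grant rights to an organization)
#   POST /api/admin/roles                 (create a role from granted rights)
# Sample responses below are constructed; hrefs, UUIDs, host and right names
# are placeholders, and the OrgRights element name is an assumption.
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
RIGHT_TYPE = "application/vnd.vmware.admin.right+xml"
ET.register_namespace("", NS)  # serialize with a default namespace, no prefix

# Constructed sample: the RightReferences part of a GET /api/admin response.
SYSTEM_RIGHTS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<VCloud xmlns="{NS}">
  <RightReferences>
    <RightReference href="https://vcd.example.test/api/admin/right/1111" name="General: Administrator View" type="{RIGHT_TYPE}"/>
    <RightReference href="https://vcd.example.test/api/admin/right/2222" name="Group / User: View" type="{RIGHT_TYPE}"/>
    <RightReference href="https://vcd.example.test/api/admin/right/3333" name="Gateway Advanced Services: Configure Load Balancer" type="{RIGHT_TYPE}"/>
    <RightReference href="https://vcd.example.test/api/admin/right/4444" name="Gateway Advanced Services: Configure IPSEC VPN" type="{RIGHT_TYPE}"/>
  </RightReferences>
</VCloud>
"""

# Constructed sample: GET /api/admin/org/<org-id>/rights for one tenant that
# currently holds only the two generic rights.
ORG_RIGHTS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<OrgRights xmlns="{NS}">
  <RightReference href="https://vcd.example.test/api/admin/right/1111" name="General: Administrator View" type="{RIGHT_TYPE}"/>
  <RightReference href="https://vcd.example.test/api/admin/right/2222" name="Group / User: View" type="{RIGHT_TYPE}"/>
</OrgRights>
"""

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'


def api_headers(version="9.0", content_type=None):
    """Request headers; the Accept version selects legacy (9.0/20.0) or 27.0 behaviour."""
    headers = {"Accept": f"application/*;version={version}"}
    if content_type:
        headers["Content-Type"] = content_type
    return headers


def parse_right_refs(xml_text):
    """Map right name -> href for every RightReference in a response body."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("href") for el in root.iter(f"{{{NS}}}RightReference")}


def grant_rights_body(org_rights_xml, system_rights_xml, wanted):
    """Return (PUT body, names actually added) for granting `wanted` rights.

    Rights the organization already holds are skipped; a name that does not
    exist in the system-wide list raises KeyError instead of being guessed."""
    system = parse_right_refs(system_rights_xml)
    root = ET.fromstring(org_rights_xml)
    current = parse_right_refs(org_rights_xml)
    added = []
    for name in wanted:
        if name in current:
            continue
        ref = ET.SubElement(root, f"{{{NS}}}RightReference")
        ref.set("href", system[name])  # KeyError: unknown right name
        ref.set("name", name)
        ref.set("type", RIGHT_TYPE)
        added.append(name)
    return XML_DECL + ET.tostring(root, encoding="unicode"), added


def role_body(name, description, right_names, org_rights_xml):
    """Return the POST /api/admin/roles body for a role made of `right_names`.

    Every right must already be granted to the organization; otherwise the
    role would silently lack it, so refuse up front with ValueError."""
    granted = parse_right_refs(org_rights_xml)
    missing = sorted(set(right_names) - set(granted))
    if missing:
        raise ValueError(f"rights not granted to organization: {missing}")
    role = ET.Element(f"{{{NS}}}Role", name=name)
    ET.SubElement(role, f"{{{NS}}}Description").text = description
    refs = ET.SubElement(role, f"{{{NS}}}RightReferences")
    for rn in right_names:
        ET.SubElement(refs, f"{{{NS}}}RightReference",
                      href=granted[rn], name=rn, type=RIGHT_TYPE)
    return XML_DECL + ET.tostring(role, encoding="unicode")


if __name__ == "__main__":
    lb = "Gateway Advanced Services: Configure Load Balancer"
    put_body, added = grant_rights_body(ORG_RIGHTS_XML, SYSTEM_RIGHTS_XML, [lb])
    print("PUT", api_headers("9.0"), "\n", put_body, "\nadded:", added)
    # The role can now include the load balancer right, since the PUT body grants it.
    print(role_body("Network Admin", "Tenant LB operator", [lb], put_body))
```

The two functions are deliberately split so that the rights grant (a provider-level decision) is reviewed separately from the role definition (a tenant-level decision): the `added` list returned by `grant_rights_body` is what you would log or put in a change ticket before sending the PUT.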
How to Edit Global Roles?
Again, with the legacy vCloud API we can list all global (template) and System organization roles:
GET /api/admin
Header:
Accept: application/*;version=9.0
Response:
<RoleReferences>
  ...
  <RoleReference href="https://vcloud.fojta.com/api/admin/role/75717adf-8700-419e-afe1-d5e2ea3b0bd6" name="User Admin" type="application/vnd.vmware.admin.role+xml"/>
  ...
</RoleReferences>
After finding the right role reference we can delete the role template with the following call:
DELETE /api/admin/role/<role-id>
Header:
Accept: application/*;version=9.0
Addition and removal of rights from a role template:
- In the UI, add/remove the right from a role that is based on the role template, in any organization.
- To add a new right, the organization needs to have access to that right. If it does not, grant it first with the API calls mentioned above.
- Adding or removing rights in a role based on a role template affects all other organizations.
- Adding a right: other organizations will see the new right only if their instance of the role template has been granted the right. If an organization does not have access to the right, the right will not be added there!
- Removing a right: in all other organizations the right is removed from the role based on the role template.
The post was written with kind support of John Kilroy.
11 thoughts on “vCloud Director 8.20: Granular Role Based Access Control”
I think the following
GET /api/org//rights … get references to all rights in the organization
PUT /api/org//rights … edit rights in the organization
are missing the /admin and should instead be
GET /api/admin/org//rights … get references to all rights in the organization
PUT /api/admin/org//rights … edit rights in the organization
Thanks Giulianno, fixed.
You’re welcome Tomas, but wait I now see /api/api but should be /api/admin 🙂
By the way, I also wrote a similar post see http://blog.bertello.org/2017/03/enable-nsx-advanced-gateway-services-tenant-portal-on-vcd-8-20-for-tenants-with-rbac/ 😉
aagh, fixed again
Great articles Tom and Giuliano, we had a lot of tenants using RBAC so rather than modify each Org manually I wrote a PowerCLI script to add the new Gateway Advanced Services rights to an org by simply supplying the Organization and API endpoint. The script pulls down the XML for the current rights, adds all the new Gateway Advanced rights and re-uploads it to the API. I’ve documented it all on my blog at http://kiwicloud.ninja/2017/08/vcloud-director-8-20-edge-gateway-roles/ – hopefully will be useful to someone else.
vCloud Director 8.20:
Organization administrator can create own organization specific roles from subset of granted rights.
Organization administrator can’t have access to create Roles.
Only System administrator can create own organization specific roles from subset of granted rights.
Share your thoughts on it with me.
That is not correct. As of VCD 8.20 Org Admin can create new roles in their organization. It is vCloud API only feature. https://code.vmware.com/doc/preview?id=5706#/doc/GUID-816FBBBC-2CDA-4B1D-9B1A-C22BC31B46F2.html
Hi Tomas, It seems every time i need to do something, most of the work has already be done for me by you, thanks. Is there way via the API to enable the newly added rights for a role? I can find lots of examples on how to add the rights, but nothing on enabling them for a role.
VCD 8.20, 9.0 and 9.1: you can add rights to a role via UI (as system admin) in the flex UI. Via API you would get the right and roles UUIDs (GET api/admin) and edit the role by adding the right UUID (GET|PUT /api/admin/role/)
Is it possible to create roles in the system and apply them in any organization? For example:
Create a role called Operator VM that can only shut down, restart, power off and power on a vApp.
Yes, you can create limited roles in the system context. But the user with such role will be able to see all orgs.