VMware Cloud Community
SD8416
Contributor

vRO method to add users to vCenter SSO groups?

I would like to use vRO to automate adding users to vCenter SSO groups and can't seem to find a method available from the vRO API to complete this task.

The manual way of doing this task: Add Members to a vCenter Single Sign-On Group (However, I would like to use vRO to automate this task and not have to manually assign users to groups.)

Is there a method available for this, and if so, can you please mention it? If not, is there an alternative recommendation on how this could be achieved with vRO?

Scenario

1. vCenter SSO Identity Source (OpenLDAP) supplies users that authenticate with vCenter

2. Discovered OpenLDAP users need to be added manually to vCenter SSO groups to receive required permissions to virtual resources

3. I've created a workflow to achieve this except do not have a method available to add users to SSO groups internally in vCenter

Any propositions or recommendations on how to achieve this would be much appreciated!

5 Replies
daphnissov
Immortal

Do you really need to add those users to the internal SSO groups or can you not add them to external groups and Grant that group permissions in vCenter? If I'm misunderstanding your use case for these SSO groups then please clarify.

SD8416
Contributor

The internal SSO groups have already been created previously and set up with permissions to execute workflows within vRO; those permissions are required for each user. Because of this, I don't wish to create new external groups and apply users to them; I would simply like to add an existing user object (OpenLDAP user) to an internal SSO group on vCenter. Are there any vRO methods available to complete this?

daphnissov
Immortal

I'm not 100% on it, but I don't even think there are APIs which allow that manipulation to occur. Illian might know differently, however.

SD8416
Contributor

So are you saying this process, Add Members to a vCenter Single Sign-On Group, is only supported by using the vSphere Web Client (SSO Admin UI plugin), and that there are NO features in vRO to complete that exact task?

If that is the case, would you recommend an external group (AD or OpenLDAP) be created outside of vCenter SSO Users/Groups? Then, with that external group, you would apply vRO access rights to the entire group and just handle the user administration/membership for the group on the directory service itself (AD or OpenLDAP) instead of handling membership via vCenter SSO Users/Groups?

daphnissov
Immortal

As I said, I believe adding users to an SSO group has no API, and if it has no API there's no method exposed by the vRO plug-in.

Regardless, yes, I would recommend you handle your groups outside of SSO groups for several reasons.

1) Group membership is maintained in a single place in the system of record where they originate.

2) It doesn't depend on a vRO plug-in to function (which will break)

3) It makes your code far less complex meaning less to break in upgrades, less to write and maintain, and less to troubleshoot.

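As an added illustration of the approach daphnissov recommends (keep group membership in the directory and grant that group rights in vRO), and not code from the thread or from VMware: a small Python helper that takes an OpenLDAP group entry as returned by `ldapsearch -LLL`, checks whether the user is already a member, and emits the `ldapmodify` change record that adds them. The group DN, user DN and the sample entry are made up for the example; it assumes the group is a groupOfNames/groupOfUniqueNames (member/uniqueMember holding user DNs) or a posixGroup (memberUid holding the uid from a `uid=` RDN).

```python
"""Add an OpenLDAP user to a directory group via ldapmodify (example helper).

Assumed, not taken from the thread: the group/user DNs below, the sample
ldapsearch output, and that groups are groupOfNames, groupOfUniqueNames or
posixGroup entries.
"""
import subprocess
from typing import Dict, List, Optional, Tuple

GROUP_DN = "cn=vro-operators,ou=groups,dc=example,dc=com"   # assumed group DN
USER_DN = "uid=jdoe,ou=people,dc=example,dc=com"            # assumed user DN

# Constructed sample: what `ldapsearch -LLL -b <GROUP_DN>` might return.
SAMPLE_GROUP_LDIF = """\
dn: cn=vro-operators,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: vro-operators
member: uid=asmith,ou=people,dc=example,dc=com
"""


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lowercased): [values]}.
    Joins folded continuation lines (leading space) and skips comments."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: base64" is not handled here
            raise ValueError(f"base64 value for {name} not supported")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def membership_attribute(group: Dict[str, List[str]],
                         user_dn: str) -> Optional[Tuple[str, str]]:
    """Return (attribute, value) needed to make user_dn a member of `group`,
    or None if it already is. Raises for group types we do not recognise."""
    classes = {c.lower() for c in group.get("objectclass", [])}
    if "groupofnames" in classes or "groupofuniquenames" in classes:
        attr = "member" if "groupofnames" in classes else "uniqueMember"
        current = {v.lower() for v in group.get(attr.lower(), [])}
        return None if user_dn.lower() in current else (attr, user_dn)
    if "posixgroup" in classes:
        # posixGroup stores the uid, not the DN; assumes the user RDN is uid=...
        uid = user_dn.split(",", 1)[0].split("=", 1)[1]
        return None if uid in group.get("memberuid", []) else ("memberUid", uid)
    raise ValueError(f"unsupported group objectClass: {sorted(classes)}")


def build_add_member_ldif(group_dn: str, group: Dict[str, List[str]],
                          user_dn: str) -> Optional[str]:
    """LDIF 'changetype: modify' record adding the user, or None if no change
    is needed (re-adding an existing value makes ldapmodify fail)."""
    change = membership_attribute(group, user_dn)
    if change is None:
        return None
    attr, value = change
    return f"dn: {group_dn}\nchangetype: modify\nadd: {attr}\n{attr}: {value}\n-\n"


def apply_with_ldapmodify(ldif: str, uri: str, bind_dn: str,
                          password_file: str) -> int:
    """Feed the LDIF to ldapmodify on stdin. The bind password comes from a
    file (-y) so it never appears on the command line; add "-ZZ" to the
    argument list to require StartTLS. Returns ldapmodify's exit status."""
    cmd = ["ldapmodify", "-H", uri, "-D", bind_dn, "-y", password_file]
    return subprocess.run(cmd, input=ldif, text=True, check=False).returncode


if __name__ == "__main__":
    group = parse_ldif_entry(SAMPLE_GROUP_LDIF)
    ldif = build_add_member_ldif(GROUP_DN, group, USER_DN)
    print(ldif if ldif else "already a member, nothing to do")
```

Feed the real group entry from `ldapsearch -LLL` into `parse_ldif_entry`, then pass the returned LDIF to `apply_with_ldapmodify`; the membership check up front matters because OpenLDAP rejects an `add:` of a value that is already present ("Type or value exists"), so a naive re-run of the change fails. The group itself still needs its one-time vRO permission assignment in vCenter, after which membership is managed entirely in the directory, which is the point of the recommendation above.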