vRealize Automation Cloud and 8.1 offered a number of roles at the Service and Project level for awhile now. With the July 2020 release in vRealize Automation Cloud and vRealize Automation (vRA) 8.2, we have the ability to expand beyond the predefined roles currently offered in the services. Previously we could set an Administrator, User/Member, and Viewer role across the services. The screenshot below shows my user account, which has been configured as an Organization Owner. This means I can add other users or groups to this Organization, give them access to services assigned to the Org, and set their service roles. Each service has it’s own set of roles, however they are generally the same, in terms of permissions, as the roles displayed for Cloud Assembly.
As an administrator, I can also create Projects in the Organization and assign users, including defining their role. I’ve made Vincent a Project Administrator. That means Vincent can configure most aspects of a project. I won’t go into all the permissions for each role. You can take a look at role permissions at the service and project level in the product documentation. As a defined user within Identity and Access Management, I can add Vincent and others to custom roles as well, more on that shortly.
If I later decide Vincent shouldn’t be an admin, I can change his role by clicking his user name in the project and selecting the appropriate role. Since he’s been doing a good job as an admin, we can leave him in this role, for now.
Custom User Roles
As a Cloud Assembly service Administrator, I may also want to give users granular permissions to perform certain tasks. Custom user roles were developed to give you options when it comes to assigning permissions. These permissions apply across an Organization. Users can be extended view and manage permissions over specific portions of Cloud Assembly, Service Broker, and CodeStream currently. You can read more about custom user roles in the product documentation. Examining the screenshot, granular permissions can be assigned for Approvals, Infrastructure, Policies, XaaS actions and resources, and (not shown) Pipelines. In the example, I will be giving Vincent the ability to Manage Approvals across the Organization. Multiple permissions can be selected for a role. The first step is to create the role.
Once the role is created, I can assign a role to users or groups. Before making an assignment, users and groups are defined in Identity and Access Management with rights to the services they would view or manage. If that’s already done, type the username or group name in the search field then select the desired results and click Add.
At any time you can view all custom roles, assign additional users, and delete the role by selecting Custom Roles. Clicking the role will open the permissions list and show what has been configured for that role; essentially the same view as we saw when creating the role.
If you want to view user assignments for a given role, you can select Users and Groups. Assigned users will be displayed along with their assigned roles. A number of roles have been defined, including a View Image Role, remember you will assign the permission to view or manage aspects of vRA. In this case, Sam only needs to view the images that are defined in the Org when he’s building blueprints for his project, (and we’re not sure whether he’s ready to manage images yet), so view permissions are appropriate for his needs.
Role-based Interface Changes
Next let’s see how the user interface changes based on role permissions. In the example below, I’ve created an infra role. As you can see, this role will allow the assigned users to manage Image Mappings, Flavor Mappings, Cloud Zones, and Requests. This role means you could give someone the ability to manage infrastructure configurations for vRA, but not give them control of any other aspects of the product.
Before the role was assigned, this is the view my user role account had when logging into Cloud Assembly. Notice my account is a member of the Business Critical Applications project. This user has access to everything configured for that project, note that project membership isn’t required for an account to be assigned a custom role. Regardless of any Project assignment, the user will have access based on the custom role permissions, which span the Org.
Adding my user to the infra role changes what I have access to. You can see now that configuration options are present on the left-side menu. I can click into Cloud Zones and manage endpoint configurations, Flavor Mappings, and Images to manage each respectively. Also, if I click into Requests and Event Log I will see all status and log details that are available.
This was a quick look at the new custom user roles capability in vRA. As usual, we are adding this capability to on premises vRA in the near the future and expanding the custom user roles options as well. Keep an eye on this blog post for updates on custom user roles as they roll out (seriously, pun not intended). Thanks for checking out my blog!
