vRealize Automation Identity Service API

Identity Overview

The Identity Service is composed of two components: authentication and authorization. Further details on these components can be found below.

Authentication Overview

The authentication component manages tenants, business groups (formerly named subtenants), groups (both Single-Sign-On and Custom groups), users and identity stores.

Tenancy

A tenant is an organizational unit in a vRealize Automation deployment. A tenant can represent a business unit in an enterprise or a company that subscribes to cloud services from a service provider.

Each tenant has its own dedicated configuration. Some system-level configuration is shared across tenants.

User and Group Management

All user authentication is handled through single sign-on. Each tenant has one or more identity stores, such as Active Directory servers, that provide authentication.

The system administrator performs the initial configuration of single sign-on and basic tenant setup, including designating at least one identity store and a tenant administrator for each tenant. Thereafter, a tenant administrator can configure additional identity stores and assign roles to users or groups from the identity stores.

Tenant administrators can also create custom groups within their own tenant and add users and groups defined in the identity store to custom groups. Custom groups, like identity store groups and users, can be assigned roles or designated as the approvers in an approval policy.

Tenant administrators can also create business groups within their tenant. A business group is a set of users, often corresponding to a line of business, department or other organizational unit, that can be associated with a set of catalog services and infrastructure resources. Users, identity store groups, and custom groups can be added to business groups.

Authentication API Examples

Identifying groups and users

Both groups (SSO and custom) and users are identified by the same object, the principal id. A principal id consists of a name and a domain and is serialized in the form name@domain.

Example usages include:

  • Getting a group by principal id: GET /tenants/vcac.local/groups/Administrators@vcac.local
  • Getting a user by principal id: GET /tenants/vcac.local/principals/Administrator@vcac.local
  • Searching all groups using criteria instead of a principal id: GET /tenants/vcac.local/groups?criteria=administrator
  • Creating a group: POST /tenants/vcac.local/groups

{
  "@type": "Group",
  "groupType": "CUSTOM",
  "name": "Developers",
  "domain": "vcac.local",
  "description": "Developer Group",
  "principalId": {
    "domain": "vcac.local",
    "name": "DevGroup"
  }
}
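The following is an added example, not code from this page or from VMware. It parses and serializes principal ids and builds the request paths and the group-creation body listed above without sending anything; the allowed-character pattern, the function names and the percent-encoding rule are assumptions made here. Encoding every path segment (including "/") means a tenant name or principal id taken from user input cannot add or remove path components, and encoding the query value keeps search criteria from smuggling in extra parameters.

```python
"""Principal ids and request construction for the vRA Identity Service.

Added example (not VMware's code). It only builds request paths and bodies;
the character pattern and helper names below are assumptions for illustration.
"""
import json
import re
from dataclasses import dataclass
from urllib.parse import quote

# Characters accepted in a principal name or domain in this example. A real
# identity store may be more permissive; treat this pattern as an assumption.
TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass(frozen=True)
class PrincipalId:
    """name@domain, the identifier shared by users and groups (SSO and custom)."""
    name: str
    domain: str

    @classmethod
    def parse(cls, text: str) -> "PrincipalId":
        # Exactly one '@' is required: 'a@b@c' is ambiguous and is rejected.
        name, sep, domain = text.partition("@")
        if not sep or "@" in domain:
            raise ValueError(f"malformed principal id: {text!r}")
        if not TOKEN.match(name) or not TOKEN.match(domain):
            raise ValueError(f"unexpected characters in principal id: {text!r}")
        return cls(name, domain)

    def __str__(self) -> str:
        return f"{self.name}@{self.domain}"

    def to_json(self) -> dict:
        # Shape of the "principalId" object in the group-creation body above.
        return {"domain": self.domain, "name": self.name}


def path_segment(value: str) -> str:
    """Percent-encode one path segment. '@' is left readable, but '/' and
    every other reserved character are encoded, so the value can never
    change the number of path components."""
    return quote(value, safe="@")


def group_path(tenant: str, pid: PrincipalId) -> str:
    return f"/tenants/{path_segment(tenant)}/groups/{path_segment(str(pid))}"


def user_path(tenant: str, pid: PrincipalId) -> str:
    return f"/tenants/{path_segment(tenant)}/principals/{path_segment(str(pid))}"


def group_search_path(tenant: str, criteria: str) -> str:
    # The query value is encoded as well, so '&' or '=' in criteria cannot
    # introduce additional query parameters.
    return f"/tenants/{path_segment(tenant)}/groups?criteria={quote(criteria, safe='')}"


def custom_group_body(name: str, domain: str, description: str, pid: PrincipalId) -> dict:
    """The POST /tenants/{tenant}/groups payload for a custom group."""
    return {
        "@type": "Group",
        "groupType": "CUSTOM",
        "name": name,
        "domain": domain,
        "description": description,
        "principalId": pid.to_json(),
    }


if __name__ == "__main__":
    tenant = "vcac.local"
    print("GET", group_path(tenant, PrincipalId.parse("Administrators@vcac.local")))
    print("GET", user_path(tenant, PrincipalId.parse("Administrator@vcac.local")))
    print("GET", group_search_path(tenant, "administrator"))
    print("POST /tenants/vcac.local/groups")
    body = custom_group_body("Developers", tenant, "Developer Group",
                             PrincipalId("DevGroup", tenant))
    print(json.dumps(body, indent=2))
```

The validation in `parse` and the encoding in `path_segment` overlap on purpose: the parser rejects obviously bad ids early, and the encoder guarantees the route cannot change even if the validation rule is later relaxed for a more permissive identity store.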

Authorization Overview

The authorization component manages authorization configurations as a set of triples:

  • Principal - The user or group to whom access is granted.
    • Principals are defined externally in the authentication service and merely referenced in the authorization service.
  • Permission - Identifies the action or data the principal is granted access to.
    • Permissions can correspond to atomic actions (e.g. "Power On VM").
    • They can also act as an abstraction for an entire set of activities (e.g. "VM Power Lifecycle").
  • Scope - Defines the context within which the access applies.
    • A scope can identify an object (or an object representing a set of objects) upon which the action identified by a permission can be performed, i.e. it defines an Access Control List (ACL).
    • A scope can also represent a group, in which case the permissions identify the roles of different users within that group, i.e. it defines business groups (also known as sub-tenants).
    • Scope is optional.

NOTE: Roles and Permissions are both a part of the PrincipalExtensionApi REST resource.

Role Management

Roles consist of a set of privileges that can be associated with users to determine what tasks they can perform. Based on their responsibilities, individuals might have one or more roles associated with their user account.

All user roles are assigned within the context of a specific tenant. However, some roles in the default tenant can manage system-wide configuration that applies to multiple tenants.

For more high-level details, see the "Foundations and Concepts" documentation on the vRA public documentation site.
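As an added example, not VMware's code, the in-memory model below shows how the principal/permission/scope triples from the Authorization Overview and the roles from Role Management fit together in an access check: a role is a set of permissions, assigning a role to a principal produces one triple per permission, an abstract permission implies the atomic actions under it, a triple without a scope applies everywhere, and anything not granted is denied. The data structures and evaluation rules, the group "Helpdesk@vcac.local" and the user names are assumptions made for illustration; the role id HELPDESK_TENANT_ROLE and the permission GUI_MY_TENANT_MANAGEMENT are taken from the API examples on this page.

```python
"""Principal / permission / scope triples with roles, as an in-memory model.

Added example (not VMware's code). The classes, the evaluation rules and the
sample principals are assumptions that illustrate the triple model described
on the page, not the product's authorization engine.
"""
from typing import Dict, List, Optional, Set, Tuple

Principal = str         # name@domain, as in the authentication section
Permission = str
Scope = Optional[str]   # None = scope omitted, i.e. the grant applies everywhere


class Authorizer:
    def __init__(self) -> None:
        # Abstract permission -> the atomic permissions it stands for
        # (e.g. "VM Power Lifecycle" covering "Power On VM").
        self.expansions: Dict[Permission, Set[Permission]] = {}
        # Role id -> permissions assigned to the role.
        self.roles: Dict[str, Set[Permission]] = {}
        # Group principal -> member principals. The product keeps this in the
        # authentication service; it is mirrored here only for the check.
        self.members: Dict[Principal, Set[Principal]] = {}
        # The authorization configuration proper: (principal, permission, scope).
        self.triples: Set[Tuple[Principal, Permission, Scope]] = set()

    def define_permission(self, abstract: Permission, *atomic: Permission) -> None:
        self.expansions.setdefault(abstract, set()).update(atomic)

    def define_role(self, role_id: str, *perms: Permission) -> None:
        self.roles.setdefault(role_id, set()).update(perms)

    def add_member(self, group: Principal, member: Principal) -> None:
        self.members.setdefault(group, set()).add(member)

    def grant(self, principal: Principal, permission: Permission, scope: Scope = None) -> None:
        self.triples.add((principal, permission, scope))

    def grant_role(self, principal: Principal, role_id: str, scope: Scope = None) -> None:
        # A role is a set of permissions, so assigning it yields one triple each.
        for perm in self.roles[role_id]:
            self.grant(principal, perm, scope)

    def principals_for(self, user: Principal) -> Set[Principal]:
        """The user plus every group that (transitively) contains it."""
        result = {user}
        frontier: List[Principal] = [user]
        while frontier:
            current = frontier.pop()
            for group, members in self.members.items():
                if current in members and group not in result:
                    result.add(group)
                    frontier.append(group)
        return result

    def implies(self, granted: Permission, wanted: Permission) -> bool:
        """True if the granted permission is the wanted one or abstracts over it.
        Walks the expansion graph with a visited set so a cyclic definition
        cannot loop forever."""
        seen: Set[Permission] = set()
        stack = [granted]
        while stack:
            perm = stack.pop()
            if perm == wanted:
                return True
            if perm in seen:
                continue
            seen.add(perm)
            stack.extend(self.expansions.get(perm, ()))
        return False

    def is_allowed(self, user: Principal, wanted: Permission, scope: Scope = None) -> bool:
        """Deny by default: allow only if some triple for the user or one of its
        groups carries an implying permission whose scope is omitted or matches."""
        holders = self.principals_for(user)
        for principal, granted, granted_scope in self.triples:
            if principal not in holders:
                continue
            if granted_scope is not None and granted_scope != scope:
                continue
            if self.implies(granted, wanted):
                return True
        return False


def demo() -> Authorizer:
    """Constructed sample configuration (names other than the role id and the
    GUI permission are made up for this example)."""
    az = Authorizer()
    az.define_permission("VM Power Lifecycle", "Power On VM", "Power Off VM")
    az.define_role("HELPDESK_TENANT_ROLE", "GUI_MY_TENANT_MANAGEMENT")
    az.add_member("Helpdesk@vcac.local", "alice@vcac.local")
    az.grant_role("Helpdesk@vcac.local", "HELPDESK_TENANT_ROLE")        # no scope: tenant-wide
    az.grant("bob@vcac.local", "VM Power Lifecycle", scope="Finance")   # ACL-style scoped grant
    return az


if __name__ == "__main__":
    az = demo()
    print(az.is_allowed("alice@vcac.local", "GUI_MY_TENANT_MANAGEMENT"))   # True via group + role
    print(az.is_allowed("bob@vcac.local", "Power On VM", "Finance"))       # True via abstraction
    print(az.is_allowed("bob@vcac.local", "Power On VM", "Engineering"))   # False: wrong scope
```

Note the asymmetry in `is_allowed`: a grant without a scope satisfies a request in any scope, but a scoped grant never satisfies a request for a different scope or for no scope at all, which is what makes business-group style grants stay confined to their group.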

Authorization API Examples

Getting a specific role by id

GET /authorization/roles/CSP_TENANT_ADMIN

Creating a new role (e.g. one for helpdesk personnel)

POST /authorization/roles

{
  "@type" : "TenantRole",
  "id" : "HELPDESK_TENANT_ROLE",
  "name" : "Helpdesk Administrator Tenant Role",
  "description" : "Role representing helpdesk personnel"
}

Adding a permission to a role (e.g. adding permission to the tenant administration GUI)

PUT /authorization/roles/HELPDESK_TENANT_ROLE/permissions/assigned/GUI_MY_TENANT_MANAGEMENT

NOTE: For this PUT, the request body is empty.

{}
