Background: A user who is granted the Organization Administrator role not only has administrator permissions, but also the broadest scope in which to use those permissions. An Organization Administrator may administer any Virtual Datacenter in the Cloud Director Deployment. This includes full access to create, access, modify, and delete virtual machines. If the Virtual Machines have VMware Tools installed, an Organization Administrator may also reset the local administrator password for the Guest Operating System running inside the Virtual Machine.
To create/authorize a domain user as an Organization Administrator for Cloud Director, use the following procedure. In this case the user will be able to log in using Single Sign-On (SSO/SAML) by way of the CloudConnect Authentication Service:
- Locate the Domain Controller containing the routed UPN Suffix that matches your Cloud Director Organization Name.
- If the user does not already have an account in this Active Directory Domain, create the account in Active Directory Users and Computers.
- Assign the user the UPN suffix that matches your Cloud Director Organization Name.
- Add the user to the vCloud Admins Security Group in Active Directory. If the user is already a Domain Admin in this domain, the user will be granted the Organization Administrator Role automatically and does not need to be added to vCloud Admins Security Group.
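The four Active Directory steps above, scripted as one idempotent function. This is an added example, not part of the original article or a VMware tool; it assumes the RSAT ActiveDirectory module is installed and is run in the domain that owns the routed UPN suffix, and the UPN suffix, OU path and account name are placeholders.

```powershell
# Added example: provision a domain user as a Cloud Director Organization Administrator.
# Assumes RSAT ActiveDirectory module; OU path, UPN suffix and user name are placeholders.
Import-Module ActiveDirectory

function New-CloudDirectorOrgAdmin {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $UpnSuffix,      # must equal the Cloud Director Organization Name
        [Parameter(Mandatory)] [System.Security.SecureString] $AccountPassword,
        [string] $OuPath = 'OU=Users,DC=example,DC=com',  # placeholder OU
        [string] $AdminGroup = 'vCloud Admins'            # group named in the procedure
    )

    # Step 1: confirm this forest actually routes the UPN suffix. A typo here breaks SSO
    # silently, because the UPN no longer matches the Organization Name.
    $forest = Get-ADForest
    $knownSuffixes = @($forest.UPNSuffixes) + @($forest.RootDomain) + @($forest.Domains)
    if ($knownSuffixes -notcontains $UpnSuffix) {
        throw "UPN suffix '$UpnSuffix' is not defined in forest '$($forest.Name)'."
    }
    $upn = "$SamAccountName@$UpnSuffix"

    # Steps 2 and 3: create the account if it does not exist, otherwise only fix its UPN suffix.
    $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'"
    if (-not $user) {
        $user = New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
            -UserPrincipalName $upn -AccountPassword $AccountPassword `
            -Enabled $true -Path $OuPath -PassThru
    } elseif ($user.UserPrincipalName -ne $upn) {
        Set-ADUser -Identity $user -UserPrincipalName $upn
    }

    # Step 4: Domain Admins already receive the Organization Administrator role, so only
    # non-admins are added to the vCloud Admins group (and only once).
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $groupMembers = Get-ADGroupMember -Identity $AdminGroup |
        Select-Object -ExpandProperty SamAccountName
    if ($domainAdmins -contains $SamAccountName) {
        Write-Verbose "$SamAccountName is a Domain Admin; skipping $AdminGroup membership."
    } elseif ($groupMembers -notcontains $SamAccountName) {
        Add-ADGroupMember -Identity $AdminGroup -Members $user
    }
    return Get-ADUser -Identity $user -Properties UserPrincipalName, MemberOf
}

# Example call with placeholder values:
# New-CloudDirectorOrgAdmin -SamAccountName 'jdoe' -UpnSuffix 'example-org.com' `
#     -AccountPassword (Read-Host -AsSecureString 'Initial password') -Verbose
```

Because it returns the account with its MemberOf list, the same function doubles as a quick check of which group actually grants a given user the Organization Administrator role.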
To create/authorize an Organization Administrator using Cloud Director Integrated Authentication, use the following procedure. Note: if you have set up Multi-Factor Authentication, these local user accounts will bypass the second factor. Therefore, it is recommended that you only use this procedure to create a backdoor "break glass" account with an extremely complex and highly randomized unique password. The password should be stored in a secure location, and the break glass account should never be used except in an emergency or to audit the account and its password.
- From the Cloud Director Web Control Panel, access the top left drop down menu and select "Administration."
- Under Access Control, select "Users"
- Click "New"
- Enter the Username, Password, and Assign the Role from the dropdown menu.
- Click "Save"
In order to log in using Integrated Authentication, you must use the Integrated Authentication logon point for your Cloud Director Organization when logging in to VMware Cloud Director. The CloudConnect Authorization Service logon point cannot service a logon for Cloud Director Integrated Authentication.
Additional Notes: When creating a user with Cloud Director Local Authentication (embedded directory), the username should be unique and must not match any existing Active Directory user account name in the Active Directory Domain containing the routed UPN Suffix that matches your Cloud Director Organization Name. Reusing a name may cause username / password confusion between the two logon points.