vRealize Automation SDK 7.3
cloud Java
vRealize Automation Identity Service API |
Identity Overview
The Identity Service is composed of two components: authentication and authorization. Further details on these components can be found below.
Authentication Overview
The authentication component manages tenants, business groups (formerly named subtenants), groups (both Single-Sign-On and Custom groups), users and identity stores.
Tenancy
A tenant is an organizational unit in a vRealize Automation deployment. A tenant can represent a business unit in an enterprise or a company that subscribes to cloud services from a service provider.
Each tenant has its own dedicated configuration. Some system-level configuration is shared across tenants.
User and Group Management
All user authentication is handled through single sign-on. Each tenant has one or more identity stores, such as Active Directory servers, that provide authentication.
The system administrator performs the initial configuration of single sign-on and basic tenant setup, including designating at least one identity store and a tenant administrator for each tenant. Thereafter, a tenant administrator can configure additional identity stores and assign roles to users or groups from the identity stores.
Tenant administrators can also create custom groups within their own tenant and add users and groups defined in the identity store to custom groups. Custom groups, like identity store groups and users, can be assigned roles or designated as the approvers in an approval policy.
Tenant administrators can also create business groups within their tenant. A business group is a set of users, often corresponding to a line of business, department or other organizational unit, that can be associated with a set of catalog services and infrastructure resources. Users, identity store groups, and custom groups can be added to business groups.
Authentication API Examples
Identifying and groups and users
Both groups (SSO and custom) and users use the same object for identification - the principal id. Principal id consists of name and domain and is serialized in the form of name@domain.
Example usages include:
- Getting a group by principal id:
GET /tenants/vcac.local/groups/Administrators@vcac.local - Getting a user by principal id:
GET /tenants/vcac.local/principals/Administrator@vcac.local -
Search all groups using criteria instead of principal id:
GET /tenants/vcac.local/groups?criteria=administrator -
Creating a group:
POST /tenants/vcac.local/groups
{
"@type": "Group",
"groupType": "CUSTOM",
"name": "Developers",
"domain": "vcac.local",
"description": "Developer Group",
"principalId": {
"domain": "vcac.local",
"name": "DevGroup"
}
}
Authorization Overview
The authorization component manages authorization configurations as a set of triples
Principal- The user or group to whom access is granted- principals are externally definded in authentication service and merely referenced in the authorization service.
Permission- Identifies the action or data the principal is granted access to.- Permissions can correspond to atomic actions (e.g. "Power On VM").
- They can also act as an abstraction for an entire set of activities (e.g. "VM Power Lifecycle").
Scope- Defines the context within which the access applies.- A scope can identify an object (or an object representing a set of objects) upon which the action identified by a permission can be performed. (i.e. To define an Access Control List (ACL).)
- A scope can be used to represent a group and the permissions identify the roles of different users within the group. (i.e. To define business groups, aka: sub-tenants)
- Scope is optional
NOTE: Roles and Permissions are both a part of the PrincipalExtensionApi REST resource.
Role Management
Roles consist of a set of privileges that can be associated with users to determine what tasks they can perform. Based on their responsibilities, individuals might have one or more roles associated with their user account.
All user roles are assigned within the context of a specific tenant. However, some roles in the default tenant can manage system-wide configuration that applies to multiple tenants.
For more high-level details, see the "Foundations and Concepts" documentation located on the vRA public documentation site
Authorization API Examples
Getting a specific role by id
GET /authorization/roles/CSP_TENANT_ADMIN
Creating a new role (e.g: one for helpdesk personnel)
POST /authorization/roles
{
"@type" : "TenantRole",
"id" : "HELPDESK_TENANT_ROLE",
"name" : "Helpdesk Administrator Tenant Role",
"description" : "Role representing helpdesk personnel"
}
Adding a permission to a role (e.g.: adding permission to tenant administration GUI
PUT /authorization/roles/HELPDESK_TENANT_ROLE/permissions/assigned/GUI_MY_TENANT_MANAGEMENT
NOTE: For this PUT, there is an empty request body.
{}
Related Documentation
Related SDKs
Related Sample Code
- vRealize Automation - Identity ServicevRealize Automation - Identity Service Identity service manages tenants, business groups (formerly named subtenants), groups (both Single-Sign-On and Custom groups), users and identity stores. It also ...vRealize Automation api_vra_identity POSTMAN Collection
- VMware vRealize Automation PluginJenkins vRealize Automation Plugin The vRealize Automation Jenkins plugin enables Jenkins to provision vRealize Automation 7 Blueprints. Requirements Jenkins 1.58+ Java 8 to compile plugin or Java 7 ...vRealize Automation Java
- vRealize Automation API Samples for PostmanvRealize Automation API Samples for Postman Overview The vRealize Automation REST API provides consumers and administrators access to all services in its service catalog that support the vRealize Auto ...vRealize Automation POSTMAN Collection
- Project BosphorusProject Bosphorus Background This project is aimed at providing a custom portal framework for vRealize Automation (vRA) along with a reference implementation. It is intended for advanced users/develop ...vRealize Automation Java
- vRealize Automation Reference ApplicationvRealize Automation Reference Application Overview This is a sample project that demonstrates how to create a simple self-service portal for vRealize Automation using only RESTful APIs. You are encour ...vRealize Automation JavaScript
- chef-client example of a bootstrap install on Ubuntu 16.04A basic example to install the chef-client via the install.sh from Chef Software. This should be noted that this only requires wget and bash, so this can work for CentOS, RHEL, debian, Ubuntu, and the ...vRealize Automation vRA Blueprint
- chef-client example of a bootstrap install on Windows using Powershell 3 and upA basic example to install the chef-client via the install.ps1 from Chef Software. This should be noted that this requires Powershell and should work on any version of Windows with Powershell 3+. You ...vRealize Automation vRA Blueprint
- Find all VMs with a particular property value in vRAFind all VMs with a particular property value in vRAvRealize Automation vRealize Orchestrator Plug-in SDK JavaScript
- Rename a vRA IaaS virtual machineRename a vRA IaaS virtual machinevRealize Automation vRealize Orchestrator Plug-in SDK JavaScript
- vRA 7 and above prepare_vra_template.ps1Powershell script designed to deploy the needed agents on your windows template. This mimics the prepare_vra_template.sh file for linux and will deploy java, bootstrap and gugent agents from the vRA a ...vRealize Automation PowerShell
- Get the Reservation of a vRA VMGet the Reservation of a vRA VMvRealize Automation vRealize Orchestrator Plug-in SDK JavaScript
-
- Get the Reservation Policy ID of a vRA ReservationGet the ID of the Reservation Policy of a vRA ReservationvRealize Automation vRealize Orchestrator Plug-in SDK JavaScript
- CentOS Base vRA BlueprintSimple vRA Blueprint for 64-bit CentOS 7.0 VMvRealize Automation vRA Blueprint
- Kubernetes as a Service BlueprintThis blueprint currently requires RHEL/CENTOS 7 Atomic. I do plan to port this to Photon OS as soon as it is GA. Live demo of this solution here > https://youtu.be/X8QfAQmcVjA Full instructions to in ...vRealize Automation vRA Blueprint
- Create Cloud management portal based on VRA APIsThis sample web app shows how to create your own cloud management portal based on vRealize Automation Rest APIs. Key part of this sample is the javascript file https://github.com/chicm/vraclient/blob/ ...vRealize Automation JavaScript
- Add Disk and New SCSI AdapaterSimple vRO package that has the workflows needed to deploy a new disk, to the same datastore as the chosen VM while adding the next available SCSI adapter. See this post for the best usagevRealize Orchestrator Plug-in SDK vRO Package
- prepare_vra_template.ps1 7.0.1UPDATED Script - for combined 7.0, 7.0.1, and 7.1 go to https://developercenter.vmware.com/samples?id=1136vRealize Automation PowerShell
- Chef Server BlueprintThis is for RHEL/CENTOS7 See my guide here for instruction on importing this to your environment.vRealize Automation vRA Blueprint
- vRealize Automation - Catalog ServicevRealize Automation - Catalog Service The catalog service REST API is designed to be used by the consumers of the service catalog; for example, an end user who wants to request a catalog item would be ...api_vra_catalog vRealize Automation api_vra_composition POSTMAN Collection