VMware Cloud Well-Architected Framework - Identity and Access Management Services for VMware Cloud on AWS
Identity & Access Management
VMware Cloud on AWS has two identity and access methods that work together to provide access to the service. The first is the VMware Cloud Services Portal (CSP), a public website that can be reached directly from vmware.com's main web page. The second is private authentication to the SDDC itself, delivered through the service; the initial credentials and access become available once the service is fully up.
Cloud Services Portal Roles
The VMware Cloud on AWS service uses VMware.com's Cloud Services Portal, commonly referred to as the CSP, for identity, billing, and access. The associated accounts are vmware.com accounts; when the subscription is activated, the account is tied to the specific email address provided to VMware during service acquisition.
The CSP roles available by default are Org Owner, Org Member, and Support User. Descriptions and use of the CSP roles are documented here: https://kb.vmware.com/s/article/2151069
The first account associated with a subscription is an Org Owner. This first account is used to establish additional Org Owners, Org Members, or Support Users. The CSP allows an Org Owner to selectively assign roles to specific services in the VMware Cloud portal, such as the VMware Cloud on AWS service. This lets organizations grant only the minimal permissions needed to run the service.
Granular permissions for the VMware Cloud on AWS service
At this point, organizations should already have all stakeholders, roles, and functions defined from the planning exercise and be prepared to implement a permissions model to match. For example, if an organization has designated a network engineer or a group to manage all SDDC networking components, it may create a CSP account that holds the Org Member role, grant it access to the VMware Cloud on AWS service, and assign it the VMware Cloud NSX Cloud Admin role.
Accounts can be easily created, modified, or removed either manually or automatically through the APIs.
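The planning exercise above produces a mapping from stakeholder groups to the CSP roles they should hold; what a practitioner then needs is a way to check that the roles actually assigned in the organization still match that plan. The following is an added example, not code from the VMware Cloud documentation or the CSP API. It audits a set of role assignments against a planned least-privilege model and flags drift: unapproved Org Owners, accounts whose org role deviates from their group's plan, and accounts holding service roles the plan does not grant. The assignment records and the planned model are constructed, and their shape is an assumption rather than the CSP API schema; the service role name "Administrator" is likewise assumed, while Org Owner, Org Member, Support User and NSX Cloud Admin are the roles named in this page.

```python
"""Least-privilege audit of CSP role assignments against a planned model.

Constructed example: the records and the planned model below are invented,
and the record shape is an assumption, not the Cloud Services Portal API schema.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

# Organization roles named in the CSP guidance.
ORG_ROLES = {"Org Owner", "Org Member", "Support User"}
VMC_SERVICE = "VMware Cloud on AWS"


@dataclass(frozen=True)
class Assignment:
    """One CSP account and what it currently holds (constructed shape)."""
    email: str
    org_role: str
    # Roles granted on the VMware Cloud on AWS service (names are assumed
    # except "NSX Cloud Admin", which the page itself names).
    service_roles: FrozenSet[str] = field(default_factory=frozenset)
    # Stakeholder group from the planning exercise that this account belongs to.
    group: str = ""


# Planned permission model: group -> (expected org role, expected service roles).
# Constructed from the page's own example of a network engineering group.
PLANNED_MODEL: Dict[str, tuple] = {
    "network-engineers": ("Org Member", frozenset({"NSX Cloud Admin"})),
    "platform-owners": ("Org Owner", frozenset({"Administrator"})),  # assumed role name
    "helpdesk": ("Support User", frozenset()),
}

# Accounts explicitly approved to hold Org Owner (constructed).
APPROVED_OWNERS = frozenset({"carol@example.com"})

# Constructed sample export of current assignments.
SAMPLE_ASSIGNMENTS = [
    Assignment("alice@example.com", "Org Member", frozenset({"NSX Cloud Admin"}), "network-engineers"),
    Assignment("bob@example.com", "Org Owner", frozenset({"NSX Cloud Admin"}), "network-engineers"),
    Assignment("carol@example.com", "Org Owner", frozenset({"Administrator"}), "platform-owners"),
    Assignment("dave@example.com", "Support User", frozenset(), "helpdesk"),
    Assignment("erin@example.com", "Org Member",
               frozenset({"NSX Cloud Admin", "Administrator"}), "network-engineers"),
]


def audit(assignments: Iterable[Assignment],
          planned: Dict[str, tuple] = PLANNED_MODEL,
          approved_owners: FrozenSet[str] = frozenset()) -> List[dict]:
    """Compare each account against the planned model and return findings."""
    findings: List[dict] = []

    def flag(acct: Assignment, issue: str, detail: str = "") -> None:
        findings.append({"email": acct.email, "issue": issue, "detail": detail})

    for acct in assignments:
        if acct.org_role not in ORG_ROLES:
            flag(acct, "unknown org role", acct.org_role)
        # Org Owner can create further owners, so every holder must be on the approved list.
        if acct.org_role == "Org Owner" and acct.email not in approved_owners:
            flag(acct, "unapproved Org Owner")

        plan = planned.get(acct.group)
        if plan is None:
            flag(acct, "no planned role for group", acct.group)
            continue
        want_org, want_services = plan
        if acct.org_role != want_org:
            flag(acct, "org role deviates from plan", f"{acct.org_role} != {want_org}")
        excess = acct.service_roles - want_services
        missing = want_services - acct.service_roles
        if excess:
            flag(acct, "excess service roles", ", ".join(sorted(excess)))
        if missing:
            flag(acct, "missing service roles", ", ".join(sorted(missing)))
    return findings


def audit_report(assignments: Iterable[Assignment],
                 approved_owners: FrozenSet[str] = APPROVED_OWNERS) -> Dict[str, List[str]]:
    """Group findings per account: email -> sorted list of issue names."""
    report: Dict[str, List[str]] = {}
    for f in audit(assignments, approved_owners=approved_owners):
        report.setdefault(f["email"], []).append(f["issue"])
    return {email: sorted(issues) for email, issues in report.items()}


if __name__ == "__main__":
    for email, issues in audit_report(SAMPLE_ASSIGNMENTS).items():
        print(f"{email}: {'; '.join(issues)}")
```

Running the audit on the constructed sample flags bob (an Org Owner who, per the plan, should only be an Org Member) and erin (an extra service role beyond NSX Cloud Admin), while alice, carol and dave come back clean. Fed with a real export of the organization's assignments, the same check is a simple recurring control that the CSP roles still match the model agreed in the planning exercise.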
The second layer of identity and access management is the traditional set of SDDC roles and permissions that exist within a vSphere environment, commonly referred to as vCenter permissions. This management method is familiar to the many enterprises that already use vSphere to manage their virtual environments today. This management and permissions structure is a common framework across all of VMware's cloud platforms and enables organizations to manage their virtual infrastructure in a consistent and familiar fashion. Managing and using this permissions model is covered in the existing vSphere platform documentation.
VMware Cloud on AWS operates on a shared permissions model. This means that, while VMware retains full administrative rights to the SDDC infrastructure, the customer is given a restricted administrator role that grants the privileges needed to manage their workloads. The roles and permissions defined by VMware Cloud on AWS are documented here: VMC on AWS product documentation.
Within vCenter, identity sources and policies may be customized for the vmc.local domain. Many organizations choose to use an identity source that already holds their user base and logical business groups, and that has their functional roles described and documented. By customizing the identity source, customers may streamline their processes, documentation, and business functions.