7.4.6 vCloud Director Plug-In
When specifying the Host field of the plug-in, the value must be the same as the value specified by the vCloud Director server. This value is determined as follows:
*If a value is specified under the vCloud Director Administration > Public Addresses > External REST API Base URI, use this value in the plug-in configuration. For example, using a load-balanced vCloud Director requires changing the public address to the one specified for the virtual server in the load balancer configuration. Verify that forward and reverse DNS are working for the specified address.
*If a hostname or fully qualified domain name (FQDN) is specified, verify that forward and reverse DNS are working and use the FQDN in the plug-in configuration.
*If no hostname is specified and the vCloud Director server is configured only to use an IP address, use the same IP address for the plug-in configuration.
Note: Failure to configure the plug-in as specified results in undesired effects.
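One way to run the forward and reverse DNS verification described above before entering a value in the Host field. This is an added example, not VMware code: the function names, the example.com hostnames, and the 192.0.2.x addresses are constructed, and it assumes that "working" means the name resolves and the PTR record of each resolved address returns that same name.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS data (documentation addresses) so the check runs offline.
SAMPLE_A = {"vcd.example.com": ["192.0.2.10"], "cell1.example.com": ["192.0.2.11"]}
SAMPLE_PTR = {"192.0.2.10": ["vcd.example.com"], "192.0.2.11": ["node-11.example.com"]}


def system_forward(name):
    """Forward lookup with the system resolver: name -> sorted unique addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def system_reverse(ip):
    """Reverse (PTR) lookup with the system resolver: address -> names."""
    primary, aliases, _ = socket.gethostbyaddr(ip)
    return [primary, *aliases]


def check_host_field(value, forward=system_forward, reverse=system_reverse):
    """Return (host, problems) for a base URI, FQDN or IP meant for the Host field."""
    host = (urlsplit(value).hostname or "") if "://" in value else value
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return host, []  # IP-only configuration: there is no name to verify
    except ValueError:
        pass
    try:
        addresses = forward(host)
    except (OSError, KeyError) as exc:  # KeyError: lookup miss in the sample tables
        return host, [f"forward lookup failed for {host!r}: {exc}"]
    problems = []
    for ip in addresses:
        try:
            names = [n.rstrip(".").lower() for n in reverse(ip)]
        except (OSError, KeyError) as exc:
            problems.append(f"reverse lookup failed for {ip}: {exc}")
            continue
        if host not in names:
            problems.append(f"PTR for {ip} is {names}, expected {host}")
    return host, problems


if __name__ == "__main__":
    for candidate in ("https://vcd.example.com", "cell1.example.com", "192.0.2.10"):
        print(check_host_field(candidate, SAMPLE_A.__getitem__, SAMPLE_PTR.__getitem__))
```

Called with only the value, the function uses the system resolver; an empty problem list means the returned host is the string to enter in the plug-in configuration.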
After specifying the Host field, choose a strategy for managing the user logins. The available options are Share a unique session and Session per user.
*When Share a unique session is configured, a single session is created between vCenter Orchestrator and vCloud Director based on the configured organization and credentials. The vCenter Orchestrator user inherits the rights of those credentials for any workflow executed. From an auditing perspective, a shared session shifts the auditing responsibility from vCloud Director to vCenter Orchestrator. The workflows developed for such integration must have an appropriate level of logging set up to meet the organization’s audit requirements.
*When Session per user is configured, the user authenticated in vCenter Orchestrator is used to authenticate in vCloud Director. This creates a session for each user between vCenter Orchestrator and vCloud Director that is associated with an inventory based on this user's role and permissions. This requires having the organization use an LDAP host synchronized with the LDAP host configured in vCenter Orchestrator.
Also consider the following:
*For organizations that use different LDAP hosts, one dedicated instance of vCenter Orchestrator is required per organization.
*Multiple sessions can strain CPU, memory, and bandwidth.
In addition, an organization setting is required. The organization defines the scope of the operations that vCenter Orchestrator can perform:
*SYSTEM is set when requiring create, read, update, and delete access to all organizations and to their associated virtual infrastructure resources.
*A specific organization is set when restricting create, read, update, and delete access to all elements that belong to the given organization.
The most common use cases for the plug-in usually correspond to one of the following scenarios:
*As a public or private vCloud provider using a vCenter Orchestrator server as part of the vCloud management cluster:
   *Tasks such as managing provider resources and on-boarding new organizations require system level administrative permission to vCloud Director. This scenario uses Share a unique session, an organization set to SYSTEM, and the system administrator credentials.
   *Use Session per user if the administrative tasks require different roles and permissions. In this case, the SYSTEM organization must be set up to synchronize with the vCloud provider LDAP host that is configured with vCenter Orchestrator.
   If configuring more than one vCloud Director connection, use a combination of shared session and per user session to grant vCenter Orchestrator workflow users the shared access session permissions for the configured organization. For example, if the plug-in is set with a system shared session and there is a requirement to grant vCenter Orchestrator users access to a given organization, have both connections use Session per user and set permissions differently for the sessions to avoid all users having wide access to all organizations.
*As a public vCloud tenant of one or more organizations, using vCenter Orchestrator in the tenant premise or as part of the organization vApps:
   *For organization administrative tasks, use Share a unique session with organization administrator credentials. If administering more than one organization, one new vCloud Director connection can be added per organization.
   *Configure the plug-in as Session per user for delegating workflow operations tasks that are not covered by the vCloud Director interface to organization users having different roles and permissions. In this configuration, set up the organization to synchronize with the tenant LDAP host configured in vCenter Orchestrator.
*As a private vCloud organization tenant using a vCenter Orchestrator server as part of the vCloud management cluster, and a single LDAP host – The vCloud provider configures a new connection using this specific organization and Session per user. Set up the organization to synchronize with the LDAP host that is configured with vCenter Orchestrator. All other organizations configured in other connections also synchronize with the same LDAP host.