8. vCloud Operations Control : 8.9 Access and Security Management : 8.9.2 Access Management
8.9.2 Access Management
Within a public or private vCloud environment, directory services must be configured for vCloud Director to enable user access to vCloud resources.
A mechanism for authorization and authentication is available within vCloud Director. Directory services based on Lightweight Directory Access Protocol (LDAP) and network authentication protocols such as Active Directory, OpenLDAP, or Kerberos v5 can be configured with vCloud Director. See the VMware vCloud Director Administrator’s Guide (at http://www.vmware.com/support/pubs/vcd_pubs.html for additional information about integrating these services with vCloud Director.
User authorization is controlled through role-based access control (RBAC) within vCloud Director. Careful consideration must be given to roles and responsibilities for managing vCloud Director, whether as a provider or as a tenant. The VMware vCloud Director Administrator’s Guide contains details about permissions, roles, and settings that can be modified to fit the requirements for access control within the organization.
From a provider perspective, the system administrator role should be restricted to only those individuals within the provider organization’s vCloud operations team that need that level of access. For other individuals within the provider organization that require only vCloud Director organization access, other roles should be used. If possible, an LDAP group for the provider administrators should be created and imported into vCloud Director with the system administrator role applied to it. All users who require this level of access can then be managed through the LDAP system. The built-in admin account should not be used for vCloud administration, and the credentials must be stored securely.
From a tenant perspective, there are predefined roles. The organization administrator is the highest level of privilege, and should be limited to those individuals within the tenant organization’s vCloud operations team that require that level of access. This can be achieved with the use of LDAP groups by importing them so that vCloud Director roles can be applied to them. A variety of roles exist with vCloud Director for organizations, and if required, additional roles can be created with alternate privileges. A policy of least privilege (grant only privileges required to perform the role) should be applied to all individuals who require access to the vCloud organization, with continued use of LDAP groups to assist with managing this policy.