VMware Automation

VMware Self Service Provisioning Portal with vRealize Automation

Automation is the name of the game today, with organizations needing to streamline operations and ensure the proper governance controls are in place across the board. Using vRealize Automation, VMware Identity Manager, and Active Directory, you can create a VMware self-service provisioning portal that allows users to log in and perform the actions assigned to them, with all the governance requirements attached.

VMware Self-Service Provisioning Portal with vRealize Automation

Creating a VMware self-service provisioning portal requires a few solutions in place to get started. These include:

  • vRealize Automation
  • VMware Identity Manager
  • Active Directory – Not absolutely required, but it will be the source of users in most cases

While I won’t go through the provisioning process to get vRealize Automation up and running in this post, you can read one of my earlier posts covering the basics of the installation process here:

Once you have the components in place and the appliances are stood up, you can begin putting the pieces in place to create an easy self-service provisioning portal.

Add Active Directory to VMware Identity Manager

In most enterprise environments, Active Directory is the directory service used for identity and access management to resources. Active Directory users are most likely the users you will want to assign to vRealize Automation self-service workflows. To add Active Directory users to your environment and allow them to log into vRealize Automation, we need to add the Active Directory directory service to VMware Identity Manager.

Navigate to Directories > Add Directory in VMware Identity Manager. Select LDAP Directory. Fill in the pertinent information for your directory. Also, set the Bind user details; this is a user with permissions to read Active Directory. For ease in the lab, I am using an administrator user. However, in production, you will want to create a least-privilege service account for this purpose.

Adding a directory under the directories in VMware Identity Manager

The wizard will display the domain to be added.

Select your domain as listed in VMware Identity Manager

VMware Identity Manager has four attributes that are required for mapping a user and importing them. As you can see below, these are:

  • lastName
  • firstName
  • email
  • userName

If any of the targeted users do not have these attributes populated, you will see an error, as detailed below.

Map user attributes

Map your group DNs you want to import.

Select the groups you want to sync

As mentioned above, you will receive an error if attributes are missing on any of the users that would be imported based on the group DN. You will need to populate the missing attributes before you can import those users.
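A pre-flight check for the two tedious parts of this step, added here as an example and not part of the original post: it prints the DN of each group you plan to sync (the value the wizard asks for) and lists members that are missing any of the four required attributes, so you can fix them before running the sync. It assumes the ActiveDirectory PowerShell module is available and that the vIDM attributes map to the usual AD attributes (lastName to sn, firstName to givenName, email to mail, userName to sAMAccountName); the group names are constructed sample values.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed sample values: the AD groups you intend to sync into VMware Identity Manager
$GroupsToSync = @('vRA-SelfService-Users', 'vRA-Lab-Admins')

# Assumed mapping of vIDM attribute -> Get-ADUser property (AD module names for sn/givenName/mail/sAMAccountName)
$RequiredAttributes = [ordered]@{
    lastName  = 'Surname'
    firstName = 'GivenName'
    email     = 'mail'
    userName  = 'SamAccountName'
}

foreach ($groupName in $GroupsToSync) {
    $group = Get-ADGroup -Identity $groupName

    # The group DN is what you paste into the vIDM group sync settings
    Write-Host "Group '$groupName' DN: $($group.DistinguishedName)"

    # Resolve nested membership and pull only user objects with the attributes we need to check
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties @($RequiredAttributes.Values)

    foreach ($user in $members) {
        # Collect every required attribute that is empty on this user
        $missing = foreach ($entry in $RequiredAttributes.GetEnumerator()) {
            if ([string]::IsNullOrWhiteSpace($user.($entry.Value))) {
                "$($entry.Key) ($($entry.Value))"
            }
        }

        if ($missing) {
            # One row per user that would fail the vIDM import
            [PSCustomObject]@{
                Group   = $groupName
                User    = $user.SamAccountName
                UserDN  = $user.DistinguishedName
                Missing = ($missing -join ', ')
            }
        }
    }
}
```

Run it as a user with read access to the directory; an empty result (apart from the printed group DNs) means every member has the attributes vIDM requires.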

Errors related to required VMware Identity Manager attributes

After resolving any missing attributes for users you want to import, run the synchronization process.

VMware Identity Manager synchronization started

As you can see below, we have imported a couple of test users into the directory.

Synchronization has imported users into VMware Identity Manager

Create a vRealize Automation Quickstart Project

For testing and lab purposes, you can easily use the vRealize Automation Quickstart wizard to quickly spin up a new project that provisions a virtual machine.

Select VMware vSphere as the starting environment for provisioning a quick start workflow
Selecting the VMware vSphere template that is the source of the new workstation
Assign policies to the new project
Run the quickstart to test your settings

Add Active Directory Group to the Service Broker

The final step, after we have added our Active Directory LDAP directory to VMware Identity Manager and created a project for provisioning vSphere resources, is to add the Active Directory group that should be able to perform self-service actions to the Service Broker.

Go to Administration > Identity and Access Management > Enterprise Groups to add a group from Active Directory to a vRealize Automation role. Click the Assign Roles link.

Assign a role to an Enterprise group

Search for the group you want to add. Under Assign Organization Role, click the role name you want to use. Then, click Add Service Access.

Add the group and assign an organization role

Here, I am adding the Service Broker with the Service Broker User role.

Adding the service broker role

The Enterprise Groups list now shows the Active Directory group that was added.

Active Directory group is added to the Service Broker User role

Note that on our project, the group is added to the users of the project.

Checking permissions on an existing project in the Service Broker

In an incognito browser, I logged into vRA with the testuser account, and the user can see the catalog items listed under the Service Broker.

The Active Directory user now has access to the projects listed in the service broker catalog

Wrapping Up

Creating a VMware Self Service Provisioning Portal with vRealize Automation and VMware Identity Manager is fairly straightforward. There is some work to do to get your Active Directory “directory” listed in VMware Identity Manager. This process is fairly easy but a little tedious, in that you have to specify the DNs for groups and users. A handy tool you can use is the Active Directory Users and Computers management console. Turn on the “Advanced Features” view under your View settings. You can then view the distinguishedName attribute and copy it from ADUC into the fields you need in VMware Identity Manager. It makes this a little easier.

After mapping the directory service to VMware Identity Manager, you can then add the groups to roles in vRA and assign these to various services. After logging in with my test user, as shown, the user has access to “request” the workflows they have been assigned.

Learn more about vRealize Automation here:


Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
