vRA Prereqs for SovLabs

Create local vRA user to be the Service Account

The SovLabs vRA Extensibility modules require a vRA user and vRA group for ownership of the SovLabs Endpoints, Profiles and Services as well as connectivity into vRO to run workflows.

| #   | Step | Location | Notes |
|-----|------|----------|-------|
| 1.1 | Create a local vRA user to be the service account to own the SovLabs content | vRA console | All lowercase, no spaces (e.g. sov_admin) |

Create a local vRA user with the name sov_admin to be the service account. This username is suggested for the sake of simplicity.
If you are an advanced vRA user and you already have another service account, verify the permissions below and skip to Step 1.2.

The Service Account user must be an:

  • IaaS Administrator
  • Tenant Administrator

The Service Account user must also have at minimum the roles of:

  • XaaS Architect
  • Tenant Administrator

Steps

1. Log in to the vRA base URL: https://[vRA-FQDN]/vcac

  • User: administrator and Domain: vsphere.local

2. Click on the Tenant tab and click on your tenant in the list to edit it

3. Add a local user

  • Click on the Local Users tab
  • Click New
  • Create the new user (recommended to use sov_admin as the username) and record the password somewhere safe
  • Click OK

4. Add the user to Tenant Administrators

  • Click on the Administrators tab for the tenant
  • Add the user (e.g. sov_admin) to the Tenant Administrators
  • Click Finish

5. Log out of the base vRA instance


Create a Custom Group in vRA

The SovLabs vRA Extensibility modules require a vRA user and vRA group for ownership of the SovLabs Endpoints, Profiles and Services as well as connectivity into vRO to run workflows.

| #   | Step | Location | Notes |
|-----|------|----------|-------|
| 1.2 | Create a custom group for Administrative users in vRA | vRA Console | All lowercase, no spaces (e.g. sov_admins) |
|     | If using AD users and groups, it is assumed a Directory is set up in vRA | vRA Console | Refer to VMware’s Create an Active Directory Link in vRA |

Create a vRA Custom Group with the name sov_admins and make the sov_admin Service Account user a member of this group. This Custom Group name is suggested for the sake of simplicity.
If you are an advanced vRA user and you already have a group, verify that the Service Account user from Step 1.1 is a member.

Steps

1. Log in to the vRA tenant: https://[vRA-FQDN]/vcac/org/[tenant]

  • Username: sov_admin user (or another desired Service Account user)

2. Create a vRA Custom Group

  • Click on the Administration tab > Users and Groups > Custom Groups
  • Click New
  • Type in the Name field: sov_admins
  • In Add Roles to this Group: section, check the boxes next to:
    • Tenant Administrator
    • XaaS Architect
  • Click Next
  • Add sov_admin Service Account user (or another desired Service Account user) to the members
  • Add any other administrative users or groups who should have permission to manage SovLabs content
  • Click Finish

3. If using an existing Group, verify that it has appropriate roles and that the Service Account user is listed as a member

  • Click on the Administration tab > Users and Groups
  • Click on the group name to edit
  • In Add Roles to this Group: section, verify the following boxes are checked for:
    • Tenant Administrator
    • XaaS Architect
  • Click Next
  • Add sov_admin Service Account user (or another desired Service Account user) to the members
  • Add any other administrative users or groups who should have permission to manage SovLabs content
  • Click Finish

Using AD Users and Groups

If using AD users and groups, it is assumed that you already set up a Directory in vRA which allows vRA to authenticate via Active Directory.

Refer to VMware's documentation on how to Create an Active Directory Link in vRA

Create a vRA Business Group

Creating a SovLabs-specific vRA Business Group allows entitlements and ownership of SovLabs content to be confined to its own group.

It is especially beneficial in environments which will eventually allow end-users to request their own VMs (self-service) and perform Day2 operations.

This is less of an issue for POC or development/trial instances.

| #   | Step | Location | Notes |
|-----|------|----------|-------|
| 1.3 | Create a vRA Business Group to own the SovLabs vRA Extensibility Modules Service | vRA Console | Recommended to create a Business Group named sovlabs specifically for this purpose |

Create a vRA Business Group with the name sovlabs. This Business Group is used for ownership of the SovLabs Service. It does not need any reservations configured. This Business Group name is suggested for the sake of simplicity.
If you are an advanced vRA user and you already have a group, please note the desired business group for future purposes.

Steps

1. Log in to the vRA tenant: https://[vRA-FQDN]/vcac/org/[tenant]

2. Click on Administration tab > Users and Groups > Business Groups

3. Create vRA Business Group

  • Click New
  • Type in the Name field: sovlabs
  • Add an email address for the Send manager emails to: field
  • Click Next
  • In the Members tab, add the vRA Custom Group (e.g. sov_admins) to the Group Manager role field
  • Click Next
  • Infrastructure tab: You may leave the fields blank
  • Click Finish
  • Log out of your vRA tenant instance

Configure Roles and Permissions in vRA

Grant the necessary roles and permissions to the vRA Custom Group.

| #   | Step | Location | Notes |
|-----|------|----------|-------|
| 1.4 | Configure Roles and Permissions in vRA | vRA Console | Grant necessary roles and permissions to custom group (e.g. sov_admins) |

Steps

1. Log in to the vRA base URL: https://[vRA-FQDN]/vcac

  • User: administrator and Domain: vsphere.local

2. Click on the Tenant tab and click on your tenant in the list to edit it

3. Go to the Administrators tab

4. Add the vRA Custom Group into IaaS Administrators

  • Type in the vRA Custom Group name (e.g. sov_admins) into the search field for IaaS Administrators
  • Hit Enter
  • Select the vRA Custom Group name (e.g. sov_admins) to pull it down into the list of IaaS Administrators
  • Click Finish

Go to vRO Prereqs for SovLabs