VCP7-CMA Section 2 Objective 2.4 Manage User and Group Role Assignments

Explain the roles available to vRealize Automation

The roles available in vRealize Automation are detailed in my blog post on Section 2 Objective 2.1.

I would reiterate that learning the differences between these roles is an essential part of passing the VCP7-CMA exam.

Assign roles to individual users for a given design & Assign roles to directory groups for a given design

Under the Administration tab > Users & Groups > Directory Users & Groups you can search for a directory user or group that has synced with vRealize Automation (as detailed in Objective 2.2) and assign roles to these users or groups.

Search for the user or group you wish to assign roles to.


Click on the user or group and assign the roles you want that user or group to have.



Create vRealize Automation custom groups and assign roles

To create a custom group, go to Administration Tab > Users & Groups > Custom Groups > New and select the roles you wish to assign to the Custom Group.

The “Authorities Granted by Selected Roles” panel will show you the overall privileges of the Custom Group.


When building a lab to get yourself familiar with vRA you may want to create a “god” custom group and assign all roles to it. Whether this is beneficial for the exam is debatable, as learning the privileges assigned to each role is important for the exam.

You can then add directory users/groups or local tenant users to the Custom Group.




VCP7-CMA Section 2 Objective 2.3 Create and Manage Business Groups

Configure business groups for a given design


To understand why a business group is required you need to understand a little about the vRA fabric. In vRA, the infrastructure resources you can perform actions on are called Endpoints (see Objective 3.4); for instance, a vCenter is an endpoint because we can provision VMs to it. Other endpoints could be AWS, Hyper-V, or things like NSX (as we can create VXLAN port groups) or vRO (as we can start workflows).

If you have multiple vCenter endpoints you may want to group them together in a Fabric Group, because the same administrator is likely responsible for all of the vCenters; a fabric administrator can then be assigned to that fabric group. As a different administrator (or perhaps the developers) may be responsible for vRO, you may want to group the vRO endpoints in a separate Fabric Group so that a different fabric administrator can be assigned.

Once a fabric group containing endpoints (defined as compute resources) has been created, a fabric administrator grants access to these compute resources/endpoints by defining a reservation. A reservation is specific to a business group and defines the relationship between the business group and a compute resource/endpoint within the fabric group. This allows the business group to consume the compute resource/endpoint and allows the fabric administrator to restrict the amount of endpoint resource that the business group can consume.


Catalogue items are also scoped to a business group through entitlements.

The “My Goals” wizard lists tasks which are useful to complete before creating a business group. These can be found under My Goals>Tenant Configuration.




We have already created a directory service that allows us to assign directory users to a business group (in the case of my lab, Active Directory over LDAP) in Objective 2.2.

We will detail the creation of Custom Groups in Objective 2.4.

We will also configure Users & Groups in Objective 2.4.

Configuring branding is not specifically called out in any objective and isn’t a requirement for a business group; I will come back to it in Objective 2.1, managing tenants.

Adding and configuring a notification provider (specifying an email server) is also not covered by any objective in the exam blueprint, but it is covered below because business group managers will receive emails from the business group.



Adding notification providers is done by the Tenant Admin role.

To configure notification providers, click on the link in My Goals>Tenant Configuration>Configure Notification Providers or browse to Administration > Notifications > Email Servers.

You will need to set an incoming and an outgoing email server. My vRA appliance has access to the internet and, since I don’t have an Exchange server, I’m using my ISP settings to configure the provider!


Business Groups are created by the Tenant administrator under Administration > Users and Groups > Business Groups.



Custom Properties are covered in Objective 1.1 and can be assigned to a business group.

There’s a good blog here on Active Directory Policies, no need to reinvent the wheel!

Add users and groups to appropriate support roles for a given design


A business group must have at least one business group manager, who monitors the resource use for the group and can be the approver for catalog requests.

Let’s assume a development team has its own business group. A developer, who will be a business group user, has an entitlement to a catalogue item that allows them to provision a virtual machine to any of the endpoints that the business group (the development team) has a reservation to.

The business group manager, who is likely to be the development team manager or team leader, can be set as an approver of that catalog item request, and the virtual machine won’t be provisioned until the development team manager has approved the developer’s request.

This ability to approve requests is useful, as only the business group manager has access to monitor resource usage within their business group.

The business group manager will also create and manage entitlements to catalogue items for their business group.
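To tie the pieces above together, here is an added Python model (my own illustration, not vRA code) of the checks a catalog request passes before a VM is provisioned: business group membership, entitlement, business group manager approval, and reservation capacity. The group, user, catalog item and reservation names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Reservation:
    """A fabric administrator's grant of a compute resource to one business group."""
    business_group: str
    compute_resource: str      # endpoint inside a fabric group, e.g. a vCenter
    machine_quota: int         # how much of the endpoint this group may consume
    machines_used: int = 0


@dataclass
class BusinessGroup:
    name: str
    managers: set              # business group managers (the approvers)
    users: set                 # business group users
    entitled_items: set = field(default_factory=set)   # catalog items entitled to the group
    needs_approval: set = field(default_factory=set)   # items the manager must approve first


def request_machine(user, group, item, reservations, approved_by=None):
    """Walk the checks a catalog request passes before a VM is provisioned.

    Returns (outcome, reservation). Only a successful request consumes
    capacity on the reservation it was placed against.
    """
    if user not in group.users and user not in group.managers:
        return "denied:not-a-member", None
    if item not in group.entitled_items:          # entitlements scope the catalog
        return "denied:not-entitled", None
    if item in group.needs_approval:
        if approved_by is None:
            return "pending-approval", None       # waits for the BG manager
        if approved_by not in group.managers:     # a user cannot approve their own request
            return "denied:not-a-manager", None
    # The group can only consume endpoints it holds a reservation against
    mine = [r for r in reservations if r.business_group == group.name]
    if not mine:
        return "denied:no-reservation", None
    for res in mine:
        if res.machines_used < res.machine_quota:
            res.machines_used += 1
            return "provisioned", res
    return "denied:quota-exhausted", None        # reservation limit reached


# Constructed lab data: a development business group with one vCenter reservation
DEV = BusinessGroup("development", managers={"teamlead"}, users={"alice"},
                    entitled_items={"centos-vm"}, needs_approval={"centos-vm"})
RESERVATIONS = [Reservation("development", "vcenter01", machine_quota=1)]
```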

The details of all vRA roles are found on my Objective 2.1 blog.

Determine and select the appropriate machine prefix for the business group

Creating machine prefixes is described in Section 5, Objective 5.2.

Once a machine prefix has been created, you can set the default machine prefix for a business group on the Infrastructure tab of the business group. When a virtual machine is provisioned by a user within the business group, the default prefix is used to form the VM name based on these settings. This does not stop a different prefix from being assigned within a catalogue blueprint, and the default business group machine prefix can also be changed at any time.

If the prefix is changed, it will only affect new virtual machines being provisioned; it will not rename virtual machines that have already been provisioned!


The Active Directory container option is for WIM provisioning only. If you don’t intend to use WIM provisioning to build Windows servers, stick with the Active Directory Policies on the General tab to define the destination OU of provisioned VMs; for the exam, however, it’s good to know the difference between the two options.

The AD Container option expects an Active Directory DN in the form of



VCP7-CMA Section 2 Objective 2.2 Create and Manage Directories

Create and manage LDAP directory for Active Directory in vRealize Automation

Identity stores can be created and managed by the Tenant Administrator within their tenant, under Administration>Directories Management>Directories.


To add an LDAP directory for Active Directory, select the “Add Directory” button and choose “Add Active Directory over LDAP/IWA”.

To configure Active Directory over LDAP, select Active Directory over LDAP and complete the required fields:


  • Directory name – The name of the AD domain you want to sync with.
  • Sync Connector – The device that syncs users from Active Directory; when designing vRA solutions, ensure the Sync Connector is as close to a domain controller as possible.
  • Directory Search Attribute – The account attribute that contains the username. Where a single tenant has multiple directories that may contain users with the same sAMAccountName, you may want to specify userPrincipalName here.
  • Server Location – If vRA can’t resolve the AD domain, you can specify a domain controller by IP by unticking this box.
  • Bind details – Specify the user account used to bind to Active Directory.

Test the connection to Active Directory to ensure it’s working correctly.

Click Next and select which domains you want to add; you may see multiple domains depending on your AD forest and its trusts.


Select how you want to map the user attributes from AD into vRA’s Identity Manager. In the screenshot below I have also included my Active Directory user information.

By default you will need to provide two values: the vRA manager attribute and the vRA displayName attribute. In vRA you can choose how you want a user’s name to be displayed; I’m choosing to use the AD attribute of the same name, displayName. You may want the vRA displayName attribute to be the sAMAccountName or something completely different. I’m using the AD title attribute for the vRA manager attribute.


Select which groups you want to sync with vRA. How you search for groups depends on how big your AD structure is: I specified the base DN of my whole lab as I only have a few groups in AD, but you may want to be more specific with your searches.


Hit Select and specify the AD groups you want to sync.



Hit Next and specify any users not in a group who you want to have access. You can also add a filter to exclude users by an account attribute; here I’m stopping anyone with the division attribute set to marketing from being added to vRA. Those monkeys are too busy eating unicorn sandwiches to know what they’re doing…


Perform the initial sync of the directory service, and keep in mind that the default sync period is a week; in real-world environments you’d want to change that to suit your environment. You can do that now by clicking the Edit button.


Once the directory service has been added, you can force a sync by selecting the directory from Administration>Directories Management>Directories and then hitting the “Sync now” option.



If you didn’t hit the Edit button during the creation of the directory service, you can change these settings retrospectively by hitting the “Sync Settings” button. From there you can also check which domains are syncing, what the AD attributes are mapped to in vRA Identity Manager, and which groups and users have been synced.



Create and manage Windows Integrated Authentication Directory in vRealize Automation

Identity stores can be created and managed by the Tenant Administrator within their tenant, under Administration>Directories Management>Directories.


To create and manage a Windows Integrated Authentication directory, select the “Add Directory” button and choose “Add Active Directory over LDAP/IWA”.

Select Active Directory (Integrated Windows Authentication).

Completing the configuration of this option will add the vRA appliance to the domain.


Firstly I got the following error


So I changed my configuration to suit.


I subsequently got a new error.


This is because you must set up Active Directory in the default vsphere.local tenant before it can be added to other tenants.

In order to do this, you will need to log into the default tenant.

The default tenant can be accessed at https://myvraserver.mydomain.local/vcac/

If you’ve not set up your default tenant yet and dove straight into configuring a new tenant, then you may need to create some local users within your default tenant and add the new local user as a tenant admin of the default tenant.

Details of how to do that can be found in my Section 2 Objective 2.1 blog.

Add the Active Directory (Integrated Windows Authentication) identity source in the default tenant, logged in as a tenant admin of the default tenant. Follow the wizard through; after the initial configuration page, the process of stepping through the Windows Integrated Authentication directory setup is the same as the Active Directory over LDAP setup.

Once this has been completed in the default tenant, you can log on to subsequent tenants and add that domain as an Active Directory (Integrated Windows Authentication) identity source in the same manner.

When vRA is configured with Active Directory (Integrated Windows Authentication), vRA will use its computer account for authentication.

Determine and configure appropriate user and directory binding details

Ensure you have properly thought through the Active Directory bind details: use a dedicated service account to bind to Active Directory (it only needs read access to the objects being synced) and keep your search DNs from being too broad.

As with every configuration, only what is required should be configured.

Evaluate directory synchronization health and troubleshoot issues

Once you’ve added your directory you can check for issues by selecting the domain under Administration>Directories Management>Directories.

From here you can check the Sync Log to ensure that syncing has been, and still is, working OK.


You can set safeguards that will prevent the removal or addition of too many users/groups during a sync operation if required.
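As an added illustration of the wizard settings described above (Directory Search Attribute, the attribute exclusion filter, the attribute mapping and the sync safeguards), here is a Python dry-run of a sync over a few constructed AD entries. This is my own model for study purposes, not vRA or Identity Manager code; the entries, the threshold and the return shape are assumptions.

```python
from collections import Counter

# Constructed sample AD entries standing in for what the Sync Connector
# would read from the domain (not real accounts).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "dan", "userPrincipalName": "dan@lab.local",
     "displayName": "Dan Lab", "title": "Cloud Admin", "division": "IT"},
    {"sAMAccountName": "dan", "userPrincipalName": "dan@dev.local",
     "displayName": "Dan Dev", "title": "Developer", "division": "Dev"},
    {"sAMAccountName": "sally", "userPrincipalName": "sally@lab.local",
     "displayName": "Sally Sales", "title": "Marketing Lead", "division": "Marketing"},
]

# AD attribute -> vRA Identity Manager attribute, as chosen in the wizard
# (displayName kept as-is, AD title used for the vRA manager attribute)
ATTRIBUTE_MAP = {"displayName": "displayName", "title": "manager"}


def plan_directory_sync(entries, search_attr, exclude=None,
                        previous=frozenset(), max_removed=5):
    """Dry-run the directory wizard settings and report what would happen.

    search_attr: 'sAMAccountName' or 'userPrincipalName' (Directory Search Attribute)
    exclude:     (attribute, value) filter that keeps matching users out of vRA
    previous:    identifiers synced last time, used for the removal safeguard
    max_removed: safeguard threshold; more removals than this blocks the sync
    """
    kept, excluded = [], []
    for entry in entries:
        if exclude and entry.get(exclude[0], "").lower() == exclude[1].lower():
            excluded.append(entry[search_attr])
            continue
        # Build the vRA user record from the mapped attributes only
        kept.append({"id": entry[search_attr],
                     **{vra: entry[ad] for ad, vra in ATTRIBUTE_MAP.items()}})

    # Two accounts resolving to the same identifier cannot both log in,
    # which is why userPrincipalName is preferred with multiple directories
    counts = Counter(user["id"] for user in kept)
    collisions = sorted(uid for uid, n in counts.items() if n > 1)

    # Safeguard: refuse a sync that would remove more users than allowed
    current = {user["id"] for user in kept}
    removed = previous - current
    blocked = len(removed) > max_removed

    return {"users": kept, "excluded": excluded, "collisions": collisions,
            "removed": sorted(removed), "blocked": blocked}
```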


vRA uses the Identity Manager from Horizon. If you look at the vRA appliance you will be able to see the following directory


If we list the contents of that folder we can see a connector.log file.


If we grep the log file for our LDAP-configured domain controller we can see entries relating to our LDAP configuration, so this file can also be used for troubleshooting.




VCP7-CMA Section 2 Objective 2.1 Create and Manage Tenants

  • Create a new tenant for a given design

VMware Docs link

Out of the box a default tenant named vsphere.local is created, which is accessed via the https://myvraserver.mydomain.local/vcac/ URL. You log into the default tenant using the System Administrator role with the username administrator and the password set for the system administrator account during the installation of vRA.


Once inside the default tenant you will see the default tenant listed under the Tenants section; any new tenants created will also be displayed here.


All new tenants are created inside the default tenant by the system administrator.


To create a tenant, select New and fill in the required details.


Click Submit and Next to proceed to creating a local user or users for the new tenant. These local users are specific to the new tenant; you don’t have to create local users at this stage to finish creating the tenant, but you won’t be able to log into the new tenant if you don’t!

If you want to use directory users, the sequence is:

  • create the local user(s) and assign them as tenant and IaaS admins,
  • log into the new tenant with the new local user and set up the identity source,
  • log back into the default tenant with the system administrator account, edit the new tenant, and add the domain users or groups as the tenant and IaaS admins!

Then you will be able to log into the new tenant as a tenant/iaas admin to start the configuration of the new tenant.


Assign the roles of Tenant Administrator and IaaS Administrator if required. You don’t have to assign these roles at this time to finish creating the new tenant, but you won’t be able to log into the tenant if you don’t assign them to a local user. Once you have configured an identity source you can come back into the default tenant, add directory users and/or remove the local user(s) from these roles.


It’s important to understand that the privileges of the IaaS administrator role are NOT tenant specific. The IaaS administrator role is system wide, so even though our new local user “danlab” is specific to the danlab tenant, this user has system-wide IaaS privileges.

This is because the infrastructure fabric is available to all tenants. Depending on how you want your architecture configured, you may want an IaaS administrator per tenant to configure endpoints, with fabric groups per tenant as shown below


However, I would say that in the majority of vRA architectures it’s more common to see the arrangement below, with the System Administrator, IaaS Administrator and fabric roles assigned to members of IT within the default tenant, and tenants then having access to that infrastructure via fabric groups.


  • Create, add, and manage local users

Creating local users for a tenant can be done inside the default tenant by the system administrator as described above.

  • Configure administrative access and describe privilege level differences between roles

There are many roles within vRA, each with different privileges. Two roles are system wide (the System Administrator role and the IaaS Administrator role) and have the following privileges


The remaining roles are tenant specific.





I would say learning the differences between these roles is very important for the exam, and nothing will help you with this more than hands-on experience. For those who are creating a vRA lab to study, you may want to assign yourself “god” permissions. The only way to do that is to create a custom group.

Inside the new tenant, select Administration>Custom Groups, create a new custom group, give it a name, assign ALL roles to the group, then on the Members tab select your local user (or directory account if you’ve already added a directory service).

Once the custom group is created, log out of vRA and back in for the permission changes to take effect.


  • Determine the unique URL used to access the tenant

The unique URL is set during the creation of the tenant. When creating my tenant I specified the URL danlab, as can be seen below.


So my tenant will be accessed via


Note that this is different from the default tenant which is accessed via


Assume we created a third tenant named test1 with a URL of test1 and a fourth tenant named test2 with a URL of test2bob; access would then be as follows:

default tenant – https://myvraserver.mydomain.local/vcac/

danlab tenant – https://myvraserver.mydomain.local/vcac/org/danlab

test1 tenant – https://myvraserver.mydomain.local/vcac/org/test1

test2 tenant – https://myvraserver.mydomain.local/vcac/org/test2bob