Apply Access Controls to a VDC
Upon creation, an organization VDC grants full access to all members of the containing organization. An administrator can use the VMware Cloud Director API access control mechanism to restrict access to specific users.
Organization VDCs implement a subset of the access control features described in Controlling Access to vApps and Catalogs. To restrict access to a VDC, you first apply access controls that deny use of the VDC to all users. After you do that, you can make exceptions to grant access to up to 128 individual users. You apply VDC access controls using a controlAccess request and ControlAccessParams request body. Values of certain elements in the request body have special meanings when applied to a VDC.
- IsSharedToEveryone - The value of this element specifies whether the VDC imposes any access controls. If it is set to false, access is denied to all users except the ones referenced in the AccessSettings element. If it is set to true, no access controls apply even if you have defined them in AccessSettings.
- AccessLevel - A value of ReadOnly grants the subject all rights to use the VDC. In this release, ReadOnly is the only legal VDC AccessLevel for a user.
Prerequisites
This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.
Procedure
Example: Apply Access Controls to a VDC
This request updates the access controls of a VDC to grant access to two external users defined in an OAuth identity provider. The request body, a ControlAccessParams element, specifies a value of false for the IsSharedToEveryone element, which denies access to all users. It also includes an AccessSetting element for each user to whom access is granted. Each of these users is identified by an ExternalSubject element. An ExternalSubject identifies a user account defined in a supported OAuth or SAML identity provider. See About Federation and Single Sign-On. In this element, the SubjectId is the user name with which the user logs in to the identity provider whose type is specified in IdpType. The user must be a member of the organization that owns the VDC.
PUT https://vcloud.example.com/api/vdc/130/action/controlAccess
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5">
    <IsSharedToEveryone>false</IsSharedToEveryone>
    <AccessSettings>
        <AccessSetting>
            <ExternalSubject>
                <SubjectId>[email protected]</SubjectId>
                <IsUser>true</IsUser>
                <IdpType>OAUTH</IdpType>
            </ExternalSubject>
            <AccessLevel>ReadOnly</AccessLevel>
        </AccessSetting>
        <AccessSetting>
            <ExternalSubject>
                <SubjectId>[email protected]</SubjectId>
                <IsUser>true</IsUser>
                <IdpType>OAUTH</IdpType>
            </ExternalSubject>
            <AccessLevel>ReadOnly</AccessLevel>
        </AccessSetting>
    </AccessSettings>
</ControlAccessParams>
A request body of the same form can instead grant access to a local organization user, identified by a Subject reference rather than an ExternalSubject element:
<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5">
    <IsSharedToEveryone>false</IsSharedToEveryone>
    <AccessSettings>
        <AccessSetting>
            <Subject type="application/vnd.vmware.admin.user+xml" href="https://vcloud.example.com/api/admin/user/45"/>
            <AccessLevel>ReadOnly</AccessLevel>
        </AccessSetting>
    </AccessSettings>
</ControlAccessParams>
The response, a subset of which appears here, echoes the request.
200 OK
Content-Type: application/vnd.vmware.vcloud.controlAccess+xml
...
<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5">
    <IsSharedToEveryone>false</IsSharedToEveryone>
    <AccessSettings>
        ...
    </AccessSettings>
</ControlAccessParams>
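The following added example (not VMware's own code) builds the ControlAccessParams body described above for both ExternalSubject and local Subject grants, enforces the 128-grant limit, and parses the echoed response so an administrator can confirm IsSharedToEveryone is actually false before trusting the grant list. The subject identifiers and user href used in the test are placeholders.

```python
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
ET.register_namespace("", NS)  # emit xmlns="..." as the default namespace
CONTENT_TYPE = "application/vnd.vmware.vcloud.controlAccess+xml"  # for the PUT


def build_control_access(grants):
    """Return ControlAccessParams bytes that deny everyone
    (IsSharedToEveryone=false) and grant ReadOnly to each entry in `grants`.
    A grant is {"external": subject_id, "idp": "OAUTH"|"SAML"} for an
    identity-provider user, or {"href": local_user_url} for a local user."""
    if len(grants) > 128:
        raise ValueError("a VDC accepts at most 128 individual user grants")
    root = ET.Element(f"{{{NS}}}ControlAccessParams")
    ET.SubElement(root, f"{{{NS}}}IsSharedToEveryone").text = "false"
    settings = ET.SubElement(root, f"{{{NS}}}AccessSettings")
    for g in grants:
        setting = ET.SubElement(settings, f"{{{NS}}}AccessSetting")
        if "external" in g:
            ext = ET.SubElement(setting, f"{{{NS}}}ExternalSubject")
            ET.SubElement(ext, f"{{{NS}}}SubjectId").text = g["external"]
            ET.SubElement(ext, f"{{{NS}}}IsUser").text = "true"
            ET.SubElement(ext, f"{{{NS}}}IdpType").text = g.get("idp", "OAUTH")
        else:
            ET.SubElement(setting, f"{{{NS}}}Subject",
                          {"type": "application/vnd.vmware.admin.user+xml",
                           "href": g["href"]})
        # ReadOnly is the only legal VDC AccessLevel for a user in this release
        ET.SubElement(setting, f"{{{NS}}}AccessLevel").text = "ReadOnly"
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def grant_summary(xml_bytes):
    """Parse a ControlAccessParams document (request or echoed response) and
    return (shared_to_everyone, [subject identifiers]). A True first value
    means no access controls apply, whatever AccessSettings contains."""
    root = ET.fromstring(xml_bytes)
    shared = root.findtext(f"{{{NS}}}IsSharedToEveryone") == "true"
    subjects = []
    for setting in root.iter(f"{{{NS}}}AccessSetting"):
        sid = setting.findtext(f"{{{NS}}}ExternalSubject/{{{NS}}}SubjectId")
        local = setting.find(f"{{{NS}}}Subject")
        subjects.append(sid if sid else local.get("href"))
    return shared, subjects
```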