The Guardrails of Automation

VMware Cloud Foundation (VCF) 9.0 has redefined private cloud automation. With full-stack automation powered by Ansible and orchestrated through vRealize Orchestrator (vRO), and version-controlled deployments driven by GitOps and CI/CD pipelines, teams can build infrastructure faster than ever.
But automation without guardrails is a recipe for risk.
Enter RBAC and policy enforcement.
This third and final installment in our automation series focuses on how to secure and govern multi-tenant environments in VCF 9.0 with role-based access control (RBAC) and layered identity management.

VCF’s IAM Foundation

VCF 9.x integrates tightly with enterprise identity providers, enabling organizations to define and assign roles using existing Active Directory (AD) groups. With its persona-based access model, administrators can enforce strict boundaries across compute, storage, and networking resources:
  • Personas: Global Admin, Tenant Admin, Contributor, Viewer
  • Projects: Serve as the tenancy boundary
  • Role Assignments: Map directory groups to personas per project
Security policies such as password complexity, MFA enforcement, and account lockouts are centralized across SDDC Manager, vCenter, and NSX components.

Multi-Layered RBAC Architecture

Modern tenant-ready automation spans multiple platforms. A secure RBAC strategy must align roles and permissions across:

Layer | Enforced By | Controlled Scope
VCF Projects/Domains | SDDC Manager, vSphere | Tenant-specific compute/storage/network resources
vRO / Aria Automation | Workflow-level RBAC | Access to workflows, logs, catalog items
Ansible Tower / AAP | Tower RBAC & credential ACLs | Job templates, inventories, per-tenant vaults
Git & CI/CD pipelines | GitHub/GitLab/Jenkins | Branch access, merge approvals, promotion controls
Secret Management | Vault, Tower, vRO | Credential scope and masking across workflows

Role & Access Modeling in Practice

1. VCF Project Setup
  • Create AD groups: TenantA_AppOwners, TenantA_DevOps, Platform_Admins
  • Assign roles per project using VCF persona mappings (e.g., Tenant Admin for AppOwners)
2. vRO Governance
  • Limit workflow visibility and launch permissions based on AD roles
  • Use secure string and credential vaulting in workflows
3. Ansible AAP Scoping
  • Separate job templates and inventories by tenant
  • Assign permissions using Tower RBAC groups and tokens
4. CI/CD Controls
  • Protect main and release branches using PR approvals
  • Embed security scanning and validation gates into pipelines
  • Maintain commit logs and trigger-based workflows tied to Git actions

Concrete Code Examples

Example: Ansible Tower RBAC Role Mapping

# This maps a tenant group to a specific job template and inventory
- name: TenantA Job Template Access
  organization: TenantA
  user: tenantA-appowner@yourdomain.com
  role: execute
  target: job_template:install-nginx

- name: TenantA Inventory Access
  organization: TenantA
  user: tenantA-appowner@yourdomain.com
  role: use
  target: inventory:TenantA-Inventory

Example: vRO Workflow Permission Assignment (CLI)

vro-cli assign-role --workflow "Install Docker" \
  --group "TenantA_AppOwners" --permission "execute"

These concise mappings help ensure tenant users can only execute automation relevant to their project and nothing more.
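Mappings like the Tower example above are easy to get subtly wrong (a `use` grant on another tenant's inventory, or an `admin` role where `execute` was intended), so it is worth linting them before they are applied. The following is an added example, not Ansible, AWX or Tower code and not something that talks to a controller: it parses records in the same flat `- name:` / `organization:` / `user:` / `role:` / `target:` format shown above and checks two properties. The catalogue of which organization owns each target (`TARGET_OWNER`) and the set of roles treated as safe for tenant users (`TENANT_SAFE_ROLES`) are assumptions, and the two faulty entries in the sample are constructed.

```python
"""Lint for role-mapping records in the flat format shown above.
Added example, not Ansible/AWX/Tower code: it never contacts a controller.
The owning-organization catalogue and the tenant-safe role set are assumptions."""
from __future__ import annotations

# Assumed: roles a tenant-facing mapping may grant; anything else is escalation.
TENANT_SAFE_ROLES = {"read", "use", "execute"}

# Constructed catalogue of which organization owns each target.
TARGET_OWNER = {
    "job_template:install-nginx": "TenantA",
    "inventory:TenantA-Inventory": "TenantA",
    "inventory:TenantB-Inventory": "TenantB",
}

# Constructed sample: the two entries from the post plus two deliberately bad ones.
SAMPLE = """
# This maps a tenant group to a specific job template and inventory
- name: TenantA Job Template Access
  organization: TenantA
  user: tenantA-appowner@yourdomain.com
  role: execute
  target: job_template:install-nginx

- name: TenantA Inventory Access
  organization: TenantA
  user: tenantA-appowner@yourdomain.com
  role: use
  target: inventory:TenantA-Inventory

- name: TenantA Template Admin
  organization: TenantA
  user: tenantA-devops@yourdomain.com
  role: admin
  target: job_template:install-nginx

- name: TenantA Cross-Tenant Inventory
  organization: TenantA
  user: tenantA-appowner@yourdomain.com
  role: use
  target: inventory:TenantB-Inventory
"""


def parse_mappings(text: str) -> list[dict[str, str]]:
    """Parse '- key: value' / '  key: value' records; '#' lines are comments.
    Only the first ':' splits, so 'target: job_template:install-nginx' survives."""
    entries: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            entries.append({})
            line = line[2:]
        if not entries:
            raise ValueError(f"field outside a list item: {raw!r}")
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"expected 'key: value': {raw!r}")
        entries[-1][key.strip()] = value.strip()
    return entries


def lint(text: str) -> list[str]:
    """Return one finding per violation; an empty list means the file is clean."""
    findings: list[str] = []
    for e in parse_mappings(text):
        name = e.get("name", "<unnamed>")
        missing = {"organization", "user", "role", "target"} - e.keys()
        if missing:
            findings.append(f"{name}: missing field(s) {sorted(missing)}")
            continue
        # Least privilege: tenant mappings must not hand out admin-class roles.
        if e["role"] not in TENANT_SAFE_ROLES:
            findings.append(f"{name}: role '{e['role']}' exceeds tenant-safe roles")
        # Tenancy boundary: the target must belong to the granting organization.
        owner = TARGET_OWNER.get(e["target"])
        if owner is None:
            findings.append(f"{name}: unknown target '{e['target']}'")
        elif owner != e["organization"]:
            findings.append(
                f"{name}: {e['organization']} granted access to {owner} resource '{e['target']}'"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run as a pre-merge check in the GitOps repository that holds these mappings, the lint turns the "nothing more" promise into something a pipeline can refuse to merge rather than something a reviewer has to notice by eye.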

Tenant Onboarding Workflow with RBAC Integration

Tenant Onboarding Flow:
  1. Request Submitted — New tenant request initiated via service desk or API
  2. VCF Project Created — Admin defines tenant namespace in SDDC Manager
  3. AD Groups Mapped — Tenant users/groups mapped to VCF personas
  4. vRO Workflows Scoped — Tenant-specific workflows exposed in the catalog
  5. Ansible Tower Configured — Inventory + job templates created, access bound to tenant group
  6. GitOps Repo Created — Tenant’s IaC repo initialized with branch protection
  7. Secrets Vaulted — Per-tenant tokens and credentials stored securely
  8. Self-Service Enabled — Tenant can now launch automation with RBAC enforced across all layers

Auditability & Compliance

Governance means more than locking down access. It also means providing transparency, accountability, and audit trails:
  • Enable logging across vRO, Ansible, and SDDC Manager
  • Track who triggered what, when, and with which variables
  • Incorporate Git metadata (e.g., commit hash, author) into workflows
  • Centralize logging via Aria Operations or a third-party SIEM
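Putting those four bullets together, an audit record for one automation run needs the actor, the tenant, the layer, the action and target, the variables it was launched with (secrets masked), and the Git commit and author behind the change, emitted in a shape a SIEM can ingest. The following is an added example written for this post, not vRO, Ansible, SDDC Manager or Aria Operations code: the run, the commit hash, the names and the addresses are constructed, the `git log` format string is one convenient way to obtain the metadata, and the pattern used to decide which variable names are secrets is an assumption.

```python
"""Audit record builder for automation runs: who triggered what, when, with
which variables, plus the Git commit behind the change. Added example, not
vRO/Ansible/Aria Operations code; sample values are constructed and the
secret-name pattern used for masking is an assumption."""
from __future__ import annotations
import json
import re
from datetime import datetime, timezone

# Assumed: variable names matching this are masked before the record leaves the workflow.
SECRET_NAME = re.compile(r"pass(word)?|secret|token|api[_-]?key|credential", re.I)
MASK = "***"


def mask_variables(variables: dict) -> dict:
    """Keep the variable names (they are part of 'with which variables'), hide the values."""
    return {k: (MASK if SECRET_NAME.search(k) else v) for k, v in variables.items()}


def parse_git_metadata(log_line: str) -> dict:
    """Parse one line of `git log -1 --format='%H|%an|%ae|%s'` (constructed below)."""
    commit, author, email, subject = log_line.rstrip("\n").split("|", 3)
    if not re.fullmatch(r"[0-9a-f]{40}", commit):
        raise ValueError(f"not a commit hash: {commit!r}")
    return {"commit": commit, "author": author, "email": email, "subject": subject}


def build_audit_record(actor: str, tenant: str, layer: str, action: str, target: str,
                       variables: dict, git_log_line: str, when: datetime | None = None) -> dict:
    """One record per launch: the who/what/when/with-what the post asks for, plus Git lineage."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "actor": actor, "tenant": tenant, "layer": layer,
        "action": action, "target": target,
        "variables": mask_variables(variables),
        "git": parse_git_metadata(git_log_line),
    }


def to_jsonl(records) -> str:
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def runs_by(actor: str, jsonl_text: str) -> list[dict]:
    """'Who triggered what': replay the trail for a single actor."""
    return [r for r in map(json.loads, jsonl_text.splitlines()) if r["actor"] == actor]


# Constructed sample: hash, names and addresses are not real.
GIT_LINE = ("0123456789abcdef0123456789abcdef01234567|Alice Example|"
            "alice@example.invalid|feat: add nginx role")


def demo() -> str:
    """Build one constructed record and render it as JSON lines."""
    rec = build_audit_record(
        "alice@example.invalid", "TenantA", "ansible", "launch", "job_template:install-nginx",
        {"nginx_version": "1.26", "vault_token": "hvs.constructed", "db_password": "x"},
        GIT_LINE, datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc),
    )
    return to_jsonl([rec])


if __name__ == "__main__":
    print(demo())
```

Masking by variable name at the point of record creation, rather than in the SIEM, means a secret never reaches the central log in the first place; the commit hash in each record is what lets an auditor tie a Day 2 change back to the reviewed pull request that introduced it.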

Best Practices for RBAC in VCF Automation

  • Apply least privilege principles across all layers
  • Avoid shared credentials—use per-tenant tokens and vault-backed secrets
  • Review AD group memberships quarterly (or automate it!)
  • Document all role mappings, assignments, and justifications

Why It Matters

With Ansible and vRO enabling Day 2 automation, and GitOps providing version-controlled deployments, RBAC and identity governance complete the picture. You can now:
  • Enable secure self-service for tenants
  • Maintain clear access boundaries
  • Reduce risk and drift
  • Support compliance initiatives
This is what tenant-ready automation looks like in VMware Cloud Foundation 9.0: composable, secure, and fully governed.
