The VMware Cloud Services portal has great features for sharing groups across organizations. However, there are situations where you may not want to use it. You might have corporate security rules preventing cross-org sharing. Or it may be too complex to manage at a group level. For example, I have a customer that has 12 people granted access to their cloud services, yet only 2 of them have overlapping permissions. This would mean creating 11 groups to manage permissions at a group level. It doesn’t make sense to manage users that way, so they manage on an individual basis. My team’s demo lab is much the same – we have a core set of people that can be managed by a group, but then dozens of one-off permissions.
The role sync feature introduced in v1.5 allows you specify a template user – the source user. It will then clone all of the source user’s roles and assign them to the destination users. It will not delete any existing roles on the destination users – it only adds roles that the source user has.
Here is my source user in the source org – it has 2 VMware Cloud on AWS roles assigned.
Here are the destination users in my destination org – one of them has no roles, and the other one has HCX Administrator.
Here is the command I ran. You can also specify the source and destination emails in config.ini instead of at the command line.
python .\sddc_import_export.py -o rolesync -rss email@example.com -rsd firstname.lastname@example.org,email@example.com
Here is the script output:
Loaded role sync source user email from command line Loaded role sync dest user emails from command line Looking up template user firstname.lastname@example.org Looking up destination user email@example.com userId for firstname.lastname@example.org = vmwareid:ffb94[redacted] Role sync success: email@example.com->firstname.lastname@example.org Looking up destination user email@example.com userId for firstname.lastname@example.org = vmwareid:9f45c[redacted] Role sync success: email@example.com->firstname.lastname@example.org
Here is the first user in the destination org, the one that originally had no roles. It now has only the 2 VMC on AWS roles.
Here is the second user in the destination org, it has retained its existing HCX role and the VMC on AWS roles have been added.
Synchronization is complete!