SDDC Import/Export for VMware Cloud on AWS – Part VII – Role Sync Feature

The VMware Cloud Services portal has great features for sharing groups across organizations. However, there are situations where you may not want to use it. You might have corporate security rules preventing cross-org sharing. Or it may be too complex to manage at a group level. For example, I have a customer that has 12 people granted access to their cloud services, yet only 2 of them have overlapping permissions. This would mean creating 11 groups to manage permissions at a group level. It doesn’t make sense to manage users that way, so they manage on an individual basis. My team’s demo lab is much the same – we have a core set of people that can be managed by a group, but then dozens of one-off permissions.

The role sync feature introduced in v1.5 allows you to specify a template user – the source user. It then clones all of the source user's roles and assigns them to the destination users. It will not delete any existing roles on the destination users – it only adds roles that the source user has. In other words, the sync is purely additive: each destination user ends up with the union of its existing roles and the source user's roles, so it can be used to grant access but never to revoke it. Review the source user's roles before running it, because anything that user holds is handed to every destination user.

Here is my source user in the source org – it has 2 VMware Cloud on AWS roles assigned.

Here are the destination users in my destination org – one of them has no roles, and the other one has HCX Administrator.

Here is the command I ran. You can also specify the source and destination emails in config.ini instead of at the command line.

python .\sddc_import_export.py -o rolesync -rss pksource@domain.com -rsd pkdest1@domain.com,pkdest2@domain.com

Here is the script output:

Loaded role sync source user email from command line
Loaded role sync dest user emails from command line
Looking up template user pksource@domain.com
Looking up destination user pkdest1@domain.com
userId for pkdest1@domain.com = vmwareid:ffb94[redacted]
Role sync success: pksource@domain.com->pkdest1@domain.com
Looking up destination user kdest2@domain.com
userId for kdest2@domain.com = vmwareid:9f45c[redacted]
Role sync success: pksource@domain.com->kdest2@domain.com

Here is the first user in the destination org, the one that originally had no roles. It now has only the 2 VMC on AWS roles.

Here is the second user in the destination org. It has retained its existing HCX role, and the VMC on AWS roles have been added.

Synchronization is complete!
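The walkthrough above, reduced to an added Python example (this is not the SDDC Import/Export tool's own code): an in-memory model of the additive role sync, with a dry-run mode and a report of which roles each destination user retained that the source user does not hold. The org dictionaries, userId strings and the two VMC on AWS role names are constructed for illustration; the real tool resolves users and roles through the VMware Cloud Services API.

```python
# Added example, not part of sddc_import_export.py: models the additive
# role-sync behaviour described in the post against constructed data.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    service: str  # e.g. "VMware Cloud on AWS" or "HCX"
    name: str     # role name within that service


@dataclass
class User:
    email: str
    user_id: str
    roles: set = field(default_factory=set)


class UserNotFound(LookupError):
    """Raised when an email does not resolve to a user in the org."""


def parse_email_list(value):
    """Split a comma-separated -rsd style value: trim, drop empties, de-dupe."""
    emails = []
    for item in value.split(","):
        email = item.strip().lower()
        if email and email not in emails:
            emails.append(email)
    return emails


def lookup_user(org, email):
    """Resolve an email to a User; `org` is a dict keyed by lower-case email."""
    try:
        return org[email.strip().lower()]
    except KeyError:
        raise UserNotFound(email) from None


def plan_role_sync(source, dest):
    """Return (roles to add, roles dest holds that source lacks).

    The sync is additive, so `retained` is reported for review but never removed.
    """
    to_add = source.roles - dest.roles
    retained = dest.roles - source.roles
    return to_add, retained


def role_sync(source_org, dest_org, source_email, dest_emails, dry_run=False):
    """Clone the source user's roles onto each destination user.

    Returns {dest_email: {"added": set, "retained": set}} so the operator can
    see both what changed and what the sync deliberately left in place.
    """
    source = lookup_user(source_org, source_email)
    report = {}
    for email in dest_emails:
        dest = lookup_user(dest_org, email)
        to_add, retained = plan_role_sync(source, dest)
        if not dry_run:
            dest.roles |= to_add
        report[dest.email] = {"added": to_add, "retained": retained}
    return report


# Constructed sample data mirroring the post; the VMC role names are assumed.
VMC_ADMIN = Role("VMware Cloud on AWS", "Administrator")
VMC_NSX = Role("VMware Cloud on AWS", "NSX Cloud Admin")
HCX_ADMIN = Role("HCX", "HCX Administrator")


def build_orgs():
    """Source org with the template user; destination org with two users."""
    source_org = {
        "pksource@domain.com": User("pksource@domain.com", "vmwareid:src0001",
                                    {VMC_ADMIN, VMC_NSX}),
    }
    dest_org = {
        "pkdest1@domain.com": User("pkdest1@domain.com", "vmwareid:dst0001"),
        "pkdest2@domain.com": User("pkdest2@domain.com", "vmwareid:dst0002",
                                   {HCX_ADMIN}),
    }
    return source_org, dest_org


def demo():
    """Run the sync twice; the second pass must add nothing (idempotent)."""
    source_org, dest_org = build_orgs()
    dests = parse_email_list("pkdest1@domain.com, pkdest2@domain.com")
    first = role_sync(source_org, dest_org, "pksource@domain.com", dests)
    second = role_sync(source_org, dest_org, "pksource@domain.com", dests)
    return dest_org, first, second


if __name__ == "__main__":
    dest_org, first, second = demo()
    for email, outcome in first.items():
        print(email, "added:", sorted(r.name for r in outcome["added"]),
              "retained:", sorted(r.name for r in outcome["retained"]))
```

Running the sync with `dry_run=True` first gives the same report without touching any user, which is the check worth doing before handing a template user's roles to a list of accounts; the `retained` set is what a mirror-style sync would have revoked and what this feature, by design, leaves untouched.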
