3.1 Managing Role-Based Access

This section explains how to set up and use role-based access in Forge.

For more information, see Section 2.1.1, Role-Based Access.

3.1.1 Creating Host Appliance Users

Before users can be added to security groups in Forge, you need to add them to the Host Appliance.

To add a user to the Host Appliance:

  1. Log in to the Host Appliance either by using Remote Desktop or through the VMware Infrastructure Client (VIC).

  2. Right-click the My Computer icon and click Manage. If the My Computer icon is not displayed on the Host Appliance desktop, click Start > Run, type compmgmt.msc, and press Enter.

  3. Expand Local Users and Groups in the left pane. You may need to expand System Tools first if you don’t see Local Users and Groups.

  4. Select Users and click Action > New User.

  5. Enter the desired information in the New User dialog and click Create.

  6. Double-click the user name you just created.

  7. Click the Member Of tab and click Add.

  8. Type the exact name of the group to which you want to add the user and press Enter.

    There are three available group names: Workload Protection Administrators, Workload Protection Operators and Workload Protection Power Users. For more information on the rights for each group, see Table 2-1.

  9. Click OK.
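
A scripted equivalent of the procedure above, followed by a membership review of the three role groups, as an added example that is not part of the original guide. It assumes the three groups exist as local groups on the Host Appliance and that it runs in an elevated Windows PowerShell session; the function names and the sample account name are hypothetical.

```powershell
# Added example: create a local user in one Forge role group, then audit all three.
# Assumption: the groups named in step 8 exist as local groups on this machine.
$RoleGroups = @(
    'Workload Protection Administrators',
    'Workload Protection Operators',
    'Workload Protection Power Users'
)

function Add-ForgeRoleUser {
    param([string]$UserName, [string]$GroupName)
    # Step 8 requires the exact group name, so reject anything else up front.
    if ($RoleGroups -notcontains $GroupName) {
        throw "Unknown role group '$GroupName'. Valid: $($RoleGroups -join ', ')"
    }
    net user $UserName * /add                  # '*' prompts for the password
    if ($LASTEXITCODE -ne 0) { throw "Could not create user '$UserName'." }
    net localgroup $GroupName $UserName /add
    if ($LASTEXITCODE -ne 0) { throw "Could not add '$UserName' to '$GroupName'." }
}

function Get-RoleGroupMembers {
    param([string]$GroupName)
    try {
        # The WinNT ADSI provider is also available on older PowerShell versions.
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
        $group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    } catch {
        Write-Warning "Could not read group '$GroupName': $($_.Exception.Message)"
    }
}

function Get-ForgeRoleReport {
    # Map each account to its role groups so accounts holding several roles stand out.
    $byUser = @{}
    foreach ($g in $RoleGroups) {
        foreach ($name in @(Get-RoleGroupMembers -GroupName $g)) {
            if (-not $byUser.ContainsKey($name)) { $byUser[$name] = @() }
            $byUser[$name] += $g
        }
    }
    foreach ($name in ($byUser.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            User = $name; Roles = ($byUser[$name] -join '; ')
            MultipleRoles = ($byUser[$name].Count -gt 1)
        }
    }
}

# Add-ForgeRoleUser -UserName 'jdoe' -GroupName 'Workload Protection Operators'  # constructed name
Get-ForgeRoleReport | Format-Table User, MultipleRoles, Roles -AutoSize
```

Accounts flagged with MultipleRoles are worth reviewing against the rights listed in Table 2-1.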

3.1.2 Creating Security Groups

Only Administrators can access the Forge Settings page and manage security groups. If no users or groups exist yet, then this is the default Forge Administrator.

To create a security group in Forge:

  1. Log in to Forge as an administrator.

  2. Click the Settings tab and then click Permissions.

    The Security Groups page is displayed. Notice there is a default, undeletable security group called All Workloads. This group is used to set up appliance-wide permissions for users.

  3. Click Create Security Group.

  4. Change the supplied group name if desired. Notice that all administrators are automatically added to the group.

  5. To add non-administrator users (power users or operators), click Add Users.

    For information on creating users, see Creating Host Appliance Users.

  6. Select the Grant check box beside the users you want added to the new security group.

    NOTE: Non-administrator users who are not granted access here are the only users who won’t have access to the workloads in this security group.

  7. Click OK.

  8. To add workloads to the new group, click Add Workloads.

  9. Select the Grant check box beside the workloads you want added to the new security group.

    Notice that workloads already assigned to a security group do not have a check box to select beside them and show the name of the security group they are assigned to in the Security Group column. Workloads that can be selected display a check box and say Unassigned under the Security Group column.

    NOTE: Workloads can belong to only one Security Group at a time.

  10. Click OK.

  11. Click Create to create the security group with your configurations.

3.1.3 Editing Security Groups

After a Security Group is set up, you can go in and change which users or workloads are a part of that Security Group or change the Security Group name.

To edit a Security Group:

  1. Log in to Forge as an administrator.

  2. Click the Settings tab and then click Permissions.

    The Security Groups page is displayed.

  3. Click the name of the Security Group you want to edit.

  4. Make any changes desired and click Save.

3.1.4 Deleting Security Groups

Deleting Security Groups has no effect on the users and workloads in those Security Groups, except to change user access.

To delete a Security Group:

  1. Log in to Forge as an administrator.

  2. Click the Settings tab and then click Permissions.

    The Security Groups page is displayed.

  3. Click Delete beside the Security Group you want to delete. Notice that the All Workloads default Security Group has no Delete hyperlink beside it and cannot be deleted.

  4. Click OK.

3.1.5 Removing Users from Security Groups

If you delete a user from the Application Host, you still need to remove the user from the Security Group. When you view the Security Group after deleting the user from the Application Host, the user is displayed with a line through their name.

The exception is for Administrators, either Local Administrators or members of the Workload Protection Administrators group, in which case deleting them from the Application Host also removes them from the Security Group. In fact, this is the only way to remove any type of administrator from a Security Group.

To remove a user from a Security Group:

  1. Log in to Forge as an administrator.

  2. Click the Settings tab and then click Permissions.

    The Security Groups page is displayed.

  3. Click the name of the Security Group from which you want to remove a user.

  4. The Remove hyperlink is displayed next to any users capable of being removed. Click Remove to remove that user.

  5. Click Save.

3.1.6 Removing Workloads from Security Groups

If you remove a workload from Forge, it is also removed from any Security Group to which it belongs. No further steps are required. If you want to remove a workload from a Security Group but keep the workload in Forge and protected, you can do so on the Security Groups page.

To remove a workload from a Security Group:

  1. Log in to Forge as an administrator.

  2. Click the Settings tab and then click Permissions.

    The Security Groups page is displayed.

  3. Click the name of the Security Group from which you want to remove a workload.

  4. Click Remove next to any workload you want to remove.

  5. Click Save.