Upon creation, an organization VDC grants full access to all members of the containing organization. An administrator can use the vCloud API access control mechanism to restrict access to specific users.
Organization VDCs implement a subset of the access control features described in Controlling Access to vApps and Catalogs. To restrict access to a VDC, you first apply access controls that deny use of the VDC to all users. After you do that, you can make exceptions to grant access to up to 128 individual users. You apply VDC access controls using a controlAccess request and ControlAccessParams request body. Values of certain elements in the request body have special meanings when applied to a VDC.
This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.
1 | Retrieve the XML representation of the VDC. GET https://vcloud.example.com/api/vdc/130 |
2 | Examine the AdminVdc element to find the controlAccess links that it contains. |
3 | Create a ControlAccessParams element request body that specifies the details of the update. |
4 | PUT the ControlAccessParams element to the action/controlAccess link that you retrieved in Step 2. |
This request updates the access controls of a VDC to grant access to two external users defined in an OAuth identity provider.. The request body, a ControlAccessParams element, specifies a value of false for the IsSharedToEveryone element, which denies access to all users. It also includes an AccessSetting element for each user to whom access is granted. Each of these users is identified by an ExternalSubject element. An ExternalSubject identifies a user account defined in a supported OAuth or SAML identity provider. See About Federation and Single Sign-On. In this element, the SubjectId is the user name with which the user logs in to the identity provider whose type is specified in IdpType. The user must be a member of the organization that owns the VDC.
PUT https://vcloud.example.com/api/vdc/130/action/controlAccess Content-Type: application/vnd.vmware.vcloud.controlAccess+xml ... <?xml version="1.0" encoding="UTF-8"?> <ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5"> <IsSharedToEveryone>false</IsSharedToEveryone> <AccessSettings> <AccessSetting> <ExternalSubject> <SubjectId>user1@example.com</SubjectId> <IsUser>true</IsUser> <IdpType>OAUTH</IdpType> </ExternalSubject> <AccessLevel>ReadOnly</AccessLevel> </AccessSetting> <AccessSetting> <ExternalSubject> <SubjectId>user2@example.com</SubjectId> <IsUser>true</IsUser> <IdpType>OAUTH</IdpType> </ExternalSubject> <AccessLevel>ReadOnly</AccessLevel> </AccessSetting> </AccessSettings> </ControlAccessParams>
A user defined in the integrated identity provider is not considered external. To specify users who are defined by the integrated identity provider, use Subject, not ExternalSubject, as shown in this fragment.
<ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5"> <IsSharedToEveryone>false</IsSharedToEveryone> <AccessSettings> <AccessSetting> <Subject type="application/vnd.vmware.admin.user+xml" href="https://vcloud.example.com/api/admin/user/45"/> <AccessLevel>ReadOnly</AccessLevel> </AccessSetting> </AccessSettings> </ControlAccessParams>
The response, a subset of which appears here, echoes the request.
200 OK Content-Type: application/vnd.vmware.vcloud.controlAccess+xml ... <ControlAccessParams xmlns="http://www.vmware.com/vcloud/v1.5"> <IsSharedToEveryone>false</IsSharedToEveryone> <AccessSettings> ... </AccessSettings> </ControlAccessParams>