There are 2 types of Horizon user roles that can be assigned to a service account that is used to add the Horizon target in Turbonomic.
1. Discovery only mode
For discovery alone, the least privileged access required to discover and monitor the Horizon target is the Administrator (Read only) role, which is available as a default role in the Administrator view.
2. Executing actions on the Horizon target
To move a user from one DesktopPool to another, Turbonomic performs one of the following entitlement moves, depending on how the user is entitled to the source pool:
- If the user is entitled through an AD group in the source DesktopPool, Turbo checks whether an AD group is present in the destination DesktopPool:
  - If there is an AD group in the destination DesktopPool, Turbo adds the user to that AD group and then removes the user from the AD group in the source DesktopPool.
  - If there is no AD group in the destination DesktopPool, Turbo creates a direct entitlement in Horizon on the destination DesktopPool and removes the user from the group membership of the source DesktopPool.
- If the user is not in an AD group in the source DesktopPool and is directly entitled to the source DesktopPool through Horizon, Turbo creates a direct entitlement in the destination DesktopPool and removes the user's entitlement from the source DesktopPool.
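The three move cases above, worked through as an added example (not Turbonomic's or VMware's code): a small in-memory model of pools, direct entitlements and AD group memberships, a planner that picks the case and orders the add-before-remove steps, and a check of the planned steps against the rights sections 2.1 and 2.2 require. Pool names, group names, users and the AD right label are constructed assumptions.

```python
# Constructed sample state (not from the page): three desktop pools, two AD groups.
POOLS = {
    "Pool-A": {"ad_groups": {"VDI-PoolA-Users"}, "direct": {"carol"}},
    "Pool-B": {"ad_groups": {"VDI-PoolB-Users"}, "direct": set()},
    "Pool-C": {"ad_groups": set(), "direct": set()},   # pool with no AD group
}
GROUP_MEMBERS = {"VDI-PoolA-Users": {"alice", "bob"}, "VDI-PoolB-Users": set()}

HORIZON_PRIV = "Entitle Desktop and Application pools"  # privilege named in 2.2
AD_PRIV = "Write group membership"   # assumed label for the AD right described in 2.1


def plan_move(user, src, dst, pools=POOLS, members=GROUP_MEMBERS):
    """Return the ordered (system, operation, target, user) steps for the move.

    Case selection follows the three branches described above; each step adds the
    new access before the old access is removed, so the user never loses both.
    """
    via_groups = sorted(g for g in pools[src]["ad_groups"] if user in members.get(g, ()))
    steps = []
    if via_groups:                                  # user reaches src through an AD group
        if pools[dst]["ad_groups"]:                 # case 1: dst also has an AD group
            # assumption: when dst has several groups, the first by name is used
            steps.append(("ad", "add_member", sorted(pools[dst]["ad_groups"])[0], user))
        else:                                       # case 2: dst has no AD group
            steps.append(("horizon", "add_entitlement", dst, user))
        steps += [("ad", "remove_member", g, user) for g in via_groups]
    else:                                           # case 3: direct entitlement in src
        steps.append(("horizon", "add_entitlement", dst, user))
        steps.append(("horizon", "remove_entitlement", src, user))
    return steps


def privileges_needed(steps):
    """Rights the service account must hold to carry out the planned steps."""
    return {HORIZON_PRIV if system == "horizon" else AD_PRIV for system, *_ in steps}


def missing_privileges(steps, granted):
    """Rights the account lacks for this plan; an empty set means the action can run."""
    return privileges_needed(steps) - set(granted)
```

A group-to-group move (case 1) touches only AD, so a service account holding the Horizon privilege but no AD group-write right would still fail that case.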
2.1 Permissions in AD for executing actions
The Turbo service account used to discover the AD groups and users needs permission to update group memberships on the AD server. Turbo only needs to be able to add users to and remove users from existing AD groups; it does not need to create or delete groups.
2.2 Permissions in Horizon
Turbo needs permission to add and remove user entitlements on the source and destination pools as described above. This requires a role that includes the privilege 'Entitle Desktop and Application pools'. To execute actions in Horizon, the user account for the Turbonomic target must therefore hold a role with this privilege in addition to the Administrator (Read only) role.
The original page includes screenshots of the following steps for creating a role with the 'Entitle Desktop and Application pools' privilege:
- Creating a new role with the privilege
- The new role after creation
- Adding a permission that assigns the new role to the desired user
- Granting the permission on the desired access group, typically 'Root'