Least privilege access for Turbonomic to target VMware Horizon

Document created by vivek.nandavanam (Expert) on Sep 26, 2019. Last modified by vivek.nandavanam (Expert) on Aug 3, 2020.
Version 4

There are 2 types of Horizon user roles that can be assigned to the service account used to add the Horizon target in Turbonomic, depending on whether Turbonomic only discovers the target or also executes actions on it.


1. Discovery only mode

For discovery only, the least privilege required to discover and monitor the Horizon target is the Administrator (Read only) role, which is available as a default role in the Administrator view.


2. Executing actions on the Horizon target

To move a user from one DesktopPool to another, Turbonomic attempts one of the 2 types of entitlement moves:

  1. If the user is in an AD group in the source DesktopPool, Turbo checks whether an AD group is present in the destination DesktopPool:
    1. If there is an AD group in the destination DesktopPool, Turbo adds the user to the AD group in the destination DesktopPool and then removes the user from the AD group in the source DesktopPool.
    2. If there is no AD group in the destination DesktopPool and the user's entitlement is through an AD group in the source DesktopPool, Turbo creates a direct entitlement in Horizon on the destination DesktopPool and removes the user from the group membership of the source DesktopPool.
  2. If the user is not in an AD group in the source DesktopPool and is directly entitled to the source DesktopPool through Horizon, Turbo creates a direct entitlement in the destination DesktopPool and removes the entitlement of the user from the destination DesktopPool.


2.1 Permissions in AD for executing actions

The Turbo service account used to discover the AD groups and users needs permission to update group memberships on the AD server. Turbo essentially needs to be able to add users to, and remove users from, existing AD groups.


2.2 Permissions in Horizon

Turbo needs permission to add and remove user entitlements on the source and destination pools, as described above. This requires a role that includes the privilege 'Entitle Desktop and Application pools'. To perform actions in Horizon, the user account for the Turbonomic target must therefore hold a role with this privilege in addition to the Administrator (Read only) role.

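As an added illustration (not code from this article or from Turbonomic), the entitlement-move decision tree above and the privileges from sections 2.1 and 2.2 can be expressed as a small planner that lists the operations a move would perform and the minimum privileges the service account needs to execute them. The pool model, group names and user names are constructed; the example assumes that the first AD group found on the destination pool is used in case 1.1, and that in case 2 the existing direct entitlement is removed from the source pool.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical model of a Horizon desktop pool: AD groups entitled to the pool
# (group name -> members) plus users entitled directly through Horizon.
@dataclass
class DesktopPool:
    name: str
    ad_groups: Dict[str, Set[str]] = field(default_factory=dict)
    direct_users: Set[str] = field(default_factory=set)

# Privilege each operation needs, per sections 2.1 (AD) and 2.2 (Horizon).
PRIVILEGE = {
    "add_to_ad_group": "AD: modify group membership",
    "remove_from_ad_group": "AD: modify group membership",
    "add_direct_entitlement": "Horizon: Entitle Desktop and Application pools",
    "remove_direct_entitlement": "Horizon: Entitle Desktop and Application pools",
}

def plan_move(user: str, src: DesktopPool, dst: DesktopPool) -> List[Tuple[str, str]]:
    """Ordered (operation, target) pairs for moving a user between pools.

    Case 1: the user is entitled via an AD group in the source pool; prefer an
    AD group on the destination, else fall back to a direct entitlement.
    Case 2: the user is directly entitled in the source pool.
    Assumption: the first AD group on the destination is used, and in case 2
    the direct entitlement is removed from the source pool.
    """
    src_group = next((g for g, members in src.ad_groups.items() if user in members), None)
    if src_group is not None:
        dst_group = next(iter(dst.ad_groups), None)
        if dst_group is not None:  # 1.1: add to destination group, then remove from source group
            return [("add_to_ad_group", dst_group), ("remove_from_ad_group", src_group)]
        # 1.2: no AD group on the destination -> direct Horizon entitlement instead
        return [("add_direct_entitlement", dst.name), ("remove_from_ad_group", src_group)]
    if user in src.direct_users:  # case 2: direct entitlement on both sides
        return [("add_direct_entitlement", dst.name), ("remove_direct_entitlement", src.name)]
    raise ValueError(f"{user!r} is not entitled to pool {src.name!r}")

def required_privileges(plan: List[Tuple[str, str]]) -> List[str]:
    """Distinct privileges the service account must hold to execute the plan."""
    return sorted({PRIVILEGE[op] for op, _ in plan})

# Constructed sample pools: Pool-A entitles GRP-A and carol directly; Pool-B has a group.
POOL_A = DesktopPool("Pool-A", ad_groups={"GRP-A": {"alice", "bob"}}, direct_users={"carol"})
POOL_B = DesktopPool("Pool-B", ad_groups={"GRP-B": set()})
POOL_C = DesktopPool("Pool-C")
```

Calling `required_privileges(plan_move("alice", POOL_A, POOL_B))` shows that a pure group-to-group move needs only the AD membership right, while the fallback to Pool-C additionally needs the Horizon entitlement privilege.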

Here are some screenshots for creating a role with the 'Entitle Desktop and Application pools' privilege (screenshot captions):

  1. Create a new role with the privilege to 'Entitle Desktop and Application pools'.
  2. New role created.
  3. Add the permission for the new role that was created to the desired user.
  4. Select the access group, typically 'Root'.
  5. New user created with both roles.
