VCF Automation: ?

In this procedure, we will use the /v1/users API, exposed by the VCF.PowerCLI module VMware.Sdk.Vcf.SddcManager, to assign SDDC Manager roles to users or groups, and to remove them again, based on the identity provider defined for the VCF Single Sign-On domain.

Procedures Covered

SDDC Manager APIs Used

  • POST /v1/tokens
  • GET /v1/users
  • POST /v1/users
  • DELETE /v1/users

Assigning an SDDC Manager Role to a Group

Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values for your instance of SDDC Manager and run the commands in the PowerShell console.

$sddcmFqdn      = "sfo-vcf01.sfo.rainpole.io"
$sddcmUsername  = "[email protected]"
$sddcmPassword  = "VMw@re1!VMw@re1!"
$roleName       = "ADMIN"
$accountType    = "GROUP"
$accountName    = "role-sddcm-admins"
$authDomain     = "mycloudyworld.io"

  3. Authenticate to the SDDC Manager appliance by running the following command in the PowerShell console:

Connect-VcfSddcManagerServer -Server $sddcmFqdn -User $sddcmUsername -Password $sddcmPassword

  4. Assign the role to the group by running the following commands in the PowerShell console:

# Look up the role id by name, then build the user object that references it
$vcfRoleReference = Initialize-VcfRoleReference -Id ((Invoke-VcfGetRoles).Elements | Where-Object {$_.Name -eq $roleName}).Id
$vcfUser = Initialize-VcfUser -Name $accountName -Domain $authDomain -Type $accountType -Role $vcfRoleReference
Invoke-VcfAddUsers -User $vcfUser -Server $defaultSddcManagerConnections

  5. Disconnect from SDDC Manager by running the following command in the PowerShell console:

Disconnect-VcfSddcManagerServer -Server $sddcmFqdn

Assigning an SDDC Manager Role to a User

Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values for your instance of SDDC Manager and run the commands in the PowerShell console.

$sddcmFqdn      = "sfo-vcf01.sfo.rainpole.io"
$sddcmUsername  = "[email protected]"
$sddcmPassword  = "VMw@re1!VMw@re1!"
$roleName       = "ADMIN"
$accountType    = "USER"
$accountName    = "cloud.admin"
$authDomain     = "mycloudyworld.io"

  3. Authenticate to the SDDC Manager appliance by running the following command in the PowerShell console:

Connect-VcfSddcManagerServer -Server $sddcmFqdn -User $sddcmUsername -Password $sddcmPassword

  4. Assign the role to the user by running the following commands in the PowerShell console:

# Look up the role id by name, then build the user object that references it
$vcfRoleReference = Initialize-VcfRoleReference -Id ((Invoke-VcfGetRoles).Elements | Where-Object {$_.Name -eq $roleName}).Id
$vcfUser = Initialize-VcfUser -Name $accountName -Domain $authDomain -Type $accountType -Role $vcfRoleReference
Invoke-VcfAddUsers -User $vcfUser -Server $defaultSddcManagerConnections

  5. Disconnect from SDDC Manager by running the following command in the PowerShell console:

Disconnect-VcfSddcManagerServer -Server $sddcmFqdn

Removing a User or Group from an SDDC Manager Role

Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values for your instance of SDDC Manager and run the commands in the PowerShell console.

$sddcmFqdn      = "sfo-vcf01.sfo.rainpole.io"
$sddcmUsername  = "[email protected]"
$sddcmPassword  = "VMw@re1!VMw@re1!"
$accountName    = "role-sddcm-admins"

  3. Authenticate to the SDDC Manager appliance by running the following command in the PowerShell console:

Connect-VcfSddcManagerServer -Server $sddcmFqdn -User $sddcmUsername -Password $sddcmPassword

  4. Remove the role assignment from the user or group by running the following command in the PowerShell console:

# -match is a regular-expression match, so every account whose name contains $accountName is selected
Invoke-VcfRemoveUser -Id ((Invoke-VcfGetUsers).Elements | Where-Object {$_.Name -match $accountName}).Id -Server $defaultSddcManagerConnections

  5. Disconnect from SDDC Manager by running the following command in the PowerShell console:

Disconnect-VcfSddcManagerServer -Server $sddcmFqdn

Assigning SDDC Manager Roles to Multiple Groups

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values for your instance of SDDC Manager and run the commands in the PowerShell console.

$sddcmFqdn      = "sfo-vcf01.sfo.rainpole.io"
$sddcmUsername  = "[email protected]"
$sddcmPassword  = "VMw@re1!VMw@re1!"
$accountType    = "GROUP"
$authDomain     = "mycloudyworld.io"
# One entry per group: the role to assign and the group that receives it
$accessList     = [PSCustomObject] @{
  roleName    = "ADMIN"
  accountName = "role-sddcm-admins"
}, [PSCustomObject] @{
  roleName    = "OPERATOR"
  accountName = "role-sddcm-operators"
}, [PSCustomObject] @{
  roleName    = "VIEWER"
  accountName = "role-sddcm-auditors"
}

  3. Authenticate to the SDDC Manager appliance by running the following command in the PowerShell console:

Connect-VcfSddcManagerServer -Server $sddcmFqdn -User $sddcmUsername -Password $sddcmPassword

  4. Assign the roles to the groups by running the following commands in the PowerShell console:

foreach ($access in $accessList) {
    $vcfRoleReference = Initialize-VcfRoleReference -Id ((Invoke-VcfGetRoles).Elements | Where-Object {$_.Name -eq $access.roleName}).Id
    $vcfUser = Initialize-VcfUser -Name $access.accountName -Domain $authDomain -Type $accountType -Role $vcfRoleReference
    Invoke-VcfAddUsers -User $vcfUser -Server $defaultSddcManagerConnections
}

  5. Disconnect from SDDC Manager by running the following command in the PowerShell console:

Disconnect-VcfSddcManagerServer -Server $sddcmFqdn

Removing Multiple Groups from SDDC Manager Roles

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values for your instance of SDDC Manager and run the commands in the PowerShell console.

$sddcmFqdn      = "sfo-vcf01.sfo.rainpole.io"
$sddcmUsername  = "[email protected]"
$sddcmPassword  = "VMw@re1!VMw@re1!"
$accountNames   = "role-sddcm-admins", "role-sddcm-operators", "role-sddcm-auditors"

  3. Authenticate to the SDDC Manager appliance by running the following command in the PowerShell console:

Connect-VcfSddcManagerServer -Server $sddcmFqdn -User $sddcmUsername -Password $sddcmPassword

  4. Remove the role assignments from the groups by running the following commands in the PowerShell console:

foreach ($accountName in $accountNames) {
    # -match is a regular-expression match, so every account whose name contains $accountName is selected
    Invoke-VcfRemoveUser -Id ((Invoke-VcfGetUsers).Elements | Where-Object {$_.Name -match $accountName}).Id -Server $defaultSddcManagerConnections
}

  5. Disconnect from SDDC Manager by running the following command in the PowerShell console:

Disconnect-VcfSddcManagerServer -Server $sddcmFqdn
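The assignment and removal procedures above share the same shape, so here they are combined into one function as an added example that is not code from the original post. It reads the password from a credential object instead of a script variable, validates the role name before building a role reference, skips groups that already hold the role, and removes an account only on an exact name and domain match rather than the regex -match used above. It assumes the cmdlets shown in this post, that -Password accepts a plain string as it does above, and that the user objects returned by Invoke-VcfGetUsers expose Name, Domain and Role.Id fields.

```powershell
# Added example (not from the original post): idempotent assign/remove of SDDC Manager
# group roles. Assumes -Password takes a plain string and that user objects carry
# Name, Domain and Role.Id, as in the /v1/users schema.
function Set-SddcManagerGroupRole {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $AuthDomain,
        [hashtable] $Assign = @{},      # e.g. @{ 'role-sddcm-admins' = 'ADMIN' }
        [string[]]  $Remove = @()       # group names whose role assignment is dropped
    )
    # The secret is taken from the credential at call time and never stored in the script.
    Connect-VcfSddcManagerServer -Server $Server -User $Credential.UserName `
        -Password $Credential.GetNetworkCredential().Password | Out-Null
    try {
        $roles = (Invoke-VcfGetRoles -Server $defaultSddcManagerConnections).Elements
        $users = (Invoke-VcfGetUsers -Server $defaultSddcManagerConnections).Elements
        foreach ($name in $Assign.Keys) {
            $role = $roles | Where-Object { $_.Name -eq $Assign[$name] }
            if (-not $role) { throw "Role '$($Assign[$name])' not found; refusing to build a null role reference." }
            $current = $users | Where-Object { $_.Name -eq $name -and $_.Domain -eq $AuthDomain }
            if ($current -and $current.Role.Id -eq $role.Id) { Write-Verbose "$name already holds $($role.Name)"; continue }
            if ($PSCmdlet.ShouldProcess("$name@$AuthDomain", "assign $($role.Name)")) {
                $vcfUser = Initialize-VcfUser -Name $name -Domain $AuthDomain -Type 'GROUP' `
                    -Role (Initialize-VcfRoleReference -Id $role.Id)
                Invoke-VcfAddUsers -User $vcfUser -Server $defaultSddcManagerConnections
            }
        }
        foreach ($name in $Remove) {
            # Exact match only: a regex -match on 'admins' would also select 'sddcm-admins-ro'.
            $targets = @($users | Where-Object { $_.Name -eq $name -and $_.Domain -eq $AuthDomain })
            if ($targets.Count -ne 1) {
                Write-Warning "Expected exactly one account named '$name', found $($targets.Count); skipping."
                continue
            }
            if ($PSCmdlet.ShouldProcess("$name@$AuthDomain", 'remove role assignment')) {
                Invoke-VcfRemoveUser -Id $targets[0].Id -Server $defaultSddcManagerConnections
            }
        }
    }
    finally {
        Disconnect-VcfSddcManagerServer -Server $Server
    }
}
# Usage (dry run first): Set-SddcManagerGroupRole -Server 'sfo-vcf01.sfo.rainpole.io' `
#   -Credential (Get-Credential) -AuthDomain 'mycloudyworld.io' -Assign @{ 'role-sddcm-auditors' = 'VIEWER' } -WhatIf
```

Run it once with -WhatIf to see which accounts would be changed, then without it; -Verbose reports the groups that were skipped because they already hold the role.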
