
STOP! Your VCF Automation Is a Security Time Bomb (Unless You Do THIS)

7/5/2025

Part 3 of our VCF 9.0 Automation Series

The Guardrails of Automation

VMware Cloud Foundation (VCF) 9.0 has redefined private cloud automation. With full-stack automation powered by Ansible and orchestrated through vRealize Orchestrator (vRO), and version-controlled deployments driven by GitOps and CI/CD pipelines, teams can build infrastructure faster than ever.
But automation without guardrails is a recipe for risk. Enter RBAC and policy enforcement.
This third and final installment in our automation series focuses on how to secure and govern multi-tenant environments in VCF 9.0 with role-based access control (RBAC) and layered identity management.

VCF’s IAM Foundation

VCF 9.x integrates tightly with enterprise identity providers, enabling organizations to define and assign roles using existing Active Directory (AD) groups. With its persona-based access model, administrators can enforce strict boundaries across compute, storage, and networking resources:
  • Personas: Global Admin, Tenant Admin, Contributor, Viewer
  • Projects: Serve as the tenancy boundary
  • Role Assignments: Map directory groups to personas per project
Security policies such as password complexity, MFA enforcement, and account lockouts are centralized across SDDC Manager, vCenter, and NSX components.

Multi-Layered RBAC Architecture

Modern tenant-ready automation spans multiple platforms. A secure RBAC strategy must align roles and permissions across:

Layer | Enforced By | Controlled Scope
VCF Projects/Domains | SDDC Manager, vSphere | Tenant-specific compute/storage/network resources
vRO / Aria Automation | Workflow-level RBAC | Access to workflows, logs, catalog items
Ansible Tower / AAP | Tower RBAC & credential ACLs | Job templates, inventories, per-tenant vaults
Git & CI/CD pipelines | GitHub/GitLab/Jenkins | Branch access, merge approvals, promotion controls
Secret Management | Vault, Tower, vRO | Credential scope and masking across workflows

Role & Access Modeling in Practice

1. VCF Project Setup
  • Create AD groups: TenantA_AppOwners, TenantA_DevOps, Platform_Admins
  • Assign roles per project using VCF persona mappings (e.g., Tenant Admin for AppOwners)
2. vRO Governance
  • Limit workflow visibility and launch permissions based on AD roles
  • Use secure string and credential vaulting in workflows
3. Ansible AAP Scoping
  • Separate job templates and inventories by tenant
  • Assign permissions using Tower RBAC groups and tokens
4. CI/CD Controls
  • Protect main and release branches using PR approvals
  • Embed security scanning and validation gates into pipelines
  • Maintain commit logs and trigger-based workflows tied to Git actions

Concrete Code Examples

Example: Ansible Tower RBAC Role Mapping

# This maps a tenant group to a specific job template and inventory
- name: TenantA Job Template Access
  organization: TenantA
  user: [email protected]
  role: execute
  target: job_template:install-nginx

- name: TenantA Inventory Access
  organization: TenantA
  user: [email protected]
  role: use
  target: inventory:TenantA-Inventory

Example: vRO Workflow Permission Assignment (CLI)

vro-cli assign-role --workflow "Install Docker" \
  --group "TenantA_AppOwners" --permission "execute"
These concise mappings help ensure tenant users can only execute automation relevant to their project and nothing more.

Tenant Onboarding Workflow with RBAC Integration

Tenant Onboarding Flow:
  1. Request Submitted — New tenant request initiated via service desk or API
  2. VCF Project Created — Admin defines tenant namespace in SDDC Manager
  3. AD Groups Mapped — Tenant users/groups mapped to VCF personas
  4. vRO Workflows Scoped — Tenant-specific workflows exposed in the catalog
  5. Ansible Tower Configured — Inventory + job templates created, access bound to tenant group
  6. GitOps Repo Created — Tenant’s IaC repo initialized with branch protection
  7. Secrets Vaulted — Per-tenant tokens and credentials stored securely
  8. Self-Service Enabled — Tenant can now launch automation with RBAC enforced across all layers
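The role model from "Role & Access Modeling in Practice" and the onboarding flow above, as an added Python example (not code from this post, VCF, vRO or Ansible Tower): AD groups are bound to personas per project, each automation layer's resources carry the project they belong to, and an access decision resolves user -> groups -> personas -> allowed actions. The persona/action matrix, the TenantA_Viewers group, the user addresses and the resource names are assumptions; only the four personas and the AppOwners/DevOps/Platform_Admins group names come from the post.

```python
"""Tenant-scoped RBAC model: AD group -> persona -> project, evaluated against
resources in each automation layer. Added example, not VCF's own code; the
persona/action matrix, user addresses and resource names are assumptions."""
from dataclasses import dataclass

# Assumed action set per persona (the post names the personas, not their rights).
PERSONA_ACTIONS = {
    "Global Admin": {"view", "execute", "approve", "manage_roles"},
    "Tenant Admin": {"view", "execute", "approve", "manage_roles"},
    "Contributor": {"view", "execute"},
    "Viewer": {"view"},
}
GLOBAL = "*"  # pseudo-project for platform-wide bindings


@dataclass(frozen=True)
class Resource:
    layer: str    # vcf | vro | aap | git | vault
    name: str
    project: str  # the tenancy boundary the resource belongs to


class AccessModel:
    def __init__(self, directory):
        self.directory = directory  # user -> set of AD groups
        self.bindings = {}          # (project, group) -> persona
        self.resources = {}         # (layer, name) -> Resource
        self.projects = set()

    def bind(self, project, group, persona):
        if persona not in PERSONA_ACTIONS:
            raise ValueError(f"unknown persona: {persona}")
        self.bindings[(project, group)] = persona

    def add_resource(self, res):
        self.resources[(res.layer, res.name)] = res

    def onboard_tenant(self, name):
        """Steps 2-7 of the onboarding flow in model form: one project, its
        group -> persona bindings, and one scoped resource per layer."""
        self.projects.add(name)
        self.bind(name, f"{name}_AppOwners", "Tenant Admin")
        self.bind(name, f"{name}_DevOps", "Contributor")
        self.bind(name, f"{name}_Viewers", "Viewer")  # group name assumed
        for layer, rname in [
            ("vro", f"{name} catalog"),
            ("aap", f"inventory:{name}-Inventory"),
            ("aap", f"job_template:{name}-install-nginx"),
            ("git", f"{name}-iac:main"),
            ("vault", f"secret/{name}/"),
        ]:
            self.add_resource(Resource(layer, rname, name))

    def personas_for(self, user, project):
        """Personas a user holds in a project: project-scoped bindings plus
        platform-wide (GLOBAL) ones, resolved through AD group membership."""
        groups = self.directory.get(user, set())
        return {
            persona
            for (proj, group), persona in self.bindings.items()
            if group in groups and proj in (project, GLOBAL)
        }

    def is_allowed(self, user, action, layer, name):
        res = self.resources.get((layer, name))
        if res is None:
            return False  # unknown resource: deny rather than default-allow
        personas = self.personas_for(user, res.project)
        return any(action in PERSONA_ACTIONS[p] for p in personas)

    def least_privilege_violations(self):
        """A tenant's group bound into another project crosses the tenancy
        boundary; report every such binding as (group, project, persona)."""
        out = []
        for (project, group), persona in self.bindings.items():
            owner = group.split("_", 1)[0]
            if owner in self.projects and project != owner:
                out.append((group, project, persona))
        return out


def demo():
    directory = {  # constructed AD membership sample
        "alice@example.com": {"TenantA_AppOwners"},
        "bob@example.com": {"TenantA_DevOps"},
        "carol@example.com": {"Platform_Admins"},
        "dave@example.com": {"TenantA_Viewers"},
    }
    model = AccessModel(directory)
    model.bind(GLOBAL, "Platform_Admins", "Global Admin")
    model.onboard_tenant("TenantA")
    model.onboard_tenant("TenantB")
    return model


if __name__ == "__main__":
    m = demo()
    print(m.is_allowed("alice@example.com", "execute", "aap", "job_template:TenantA-install-nginx"))
    print(m.is_allowed("alice@example.com", "execute", "aap", "job_template:TenantB-install-nginx"))
    print("violations:", m.least_privilege_violations())
```

Two design points worth noticing: an unknown resource is denied rather than falling through to a default, and `least_privilege_violations` catches the most common onboarding mistake, a tenant's group bound into another tenant's project, before self-service (step 8) is switched on.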

Auditability & Compliance

Governance means more than locking down access. It also means providing transparency, accountability, and audit trails:
  • Enable logging across vRO, Ansible, and SDDC Manager
  • Track who triggered what, when, and with which variables
  • Incorporate Git metadata (e.g., commit hash, author) into workflows
  • Centralize logging via Aria Operations or a third-party SIEM
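The four audit points above, as an added Python example (not code from this post or from any of the products named): job events from Ansible/vRO are joined with the Git metadata the pipeline passed into the run, producing one "who, what, when, with which variables, from which commit" record per execution, and flagging runs whose commit is missing, unknown, unapproved or not from a protected branch. The JSON event format, field names, commit table and log lines are all constructed for the example; real AAP and vRO logs use their own schemas.

```python
"""Join automation job events with Git commit metadata into audit records.
Added example; the event schema, field names and sample data are constructed."""
import json
from datetime import datetime, timezone

# Constructed sample: one JSON event per line, as a log shipper might emit
# after normalising AAP job events and vRO workflow runs into one shape.
EVENT_LINES = """
{"ts": "2025-07-05T09:12:04Z", "source": "aap", "user": "alice@example.com", "tenant": "TenantA", "action": "job_template:TenantA-install-nginx", "extra_vars": {"version": "1.27", "replicas": 2}, "scm_revision": "a1b2c3d"}
{"ts": "2025-07-05T09:40:51Z", "source": "vro", "user": "bob@example.com", "tenant": "TenantA", "action": "workflow:Install Docker", "extra_vars": {"host": "app01"}, "scm_revision": "feed123"}
{"ts": "2025-07-05T10:02:11Z", "source": "aap", "user": "erin@example.com", "tenant": "TenantB", "action": "job_template:TenantB-install-nginx", "extra_vars": {"version": "1.27"}, "scm_revision": "0000000"}
{"ts": "2025-07-05T10:15:00Z", "source": "aap", "user": "alice@example.com", "tenant": "TenantA", "action": "job_template:TenantA-install-nginx", "extra_vars": {"version": "1.27", "debug": true}, "scm_revision": null}
""".strip()

# Constructed Git metadata, keyed by the commit hash the pipeline handed to the run.
COMMITS = {
    "a1b2c3d": {"author": "alice@example.com", "branch": "main", "approved": True},
    "feed123": {"author": "bob@example.com", "branch": "feature/docker-tweak", "approved": False},
}
PROTECTED_BRANCHES = {"main", "release"}


def parse_events(text):
    """Parse JSON lines into events with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def audit_record(ev, commits, protected=PROTECTED_BRANCHES):
    """One record per run: who triggered what, when, with which variables,
    plus the Git provenance and any flags an auditor should look at."""
    rec = {
        "when": ev["ts"].isoformat(),
        "who": ev["user"],
        "what": ev["action"],
        "where": f'{ev["source"]}/{ev["tenant"]}',
        "with": dict(sorted(ev.get("extra_vars", {}).items())),
        "commit": ev.get("scm_revision"),
        "flags": [],
    }
    if rec["commit"] is None:
        rec["flags"].append("no_git_metadata")      # run not tied to any commit
        return rec
    commit = commits.get(rec["commit"])
    if commit is None:
        rec["flags"].append("commit_unknown")       # hash not in the IaC repo history
        return rec
    rec["commit_author"] = commit["author"]
    rec["branch"] = commit["branch"]
    if commit["branch"] not in protected:
        rec["flags"].append("unprotected_branch")   # bypassed branch protection
    if not commit["approved"]:
        rec["flags"].append("commit_not_approved")  # no PR approval on record
    return rec


def build_audit_trail(text=EVENT_LINES, commits=COMMITS):
    return [audit_record(ev, commits) for ev in parse_events(text)]


def flagged_runs(trail):
    """(when, who, flags) for every run that needs a second look."""
    return [(r["when"], r["who"], tuple(r["flags"])) for r in trail if r["flags"]]


if __name__ == "__main__":
    for when, who, flags in flagged_runs(build_audit_trail()):
        print(when, who, ", ".join(flags))
```

The value of the join is that the Git side and the execution side each tell only half the story: the commit log proves what was approved, the job event proves what actually ran and with which variables. Shipping both into the SIEM as one record is what lets an auditor answer "who changed this, and was it the reviewed version?" without reconciling two systems by hand.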

Best Practices for RBAC in VCF Automation

  • Apply least privilege principles across all layers
  • Avoid shared credentials—use per-tenant tokens and vault-backed secrets
  • Review AD group memberships quarterly (or automate it!)
  • Document all role mappings, assignments, and justifications
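The last two practices, the quarterly membership review and the documented role mappings, combine naturally into one automated check. This added Python example (not code from the post) compares a documented mapping (group, project, persona, approved members with justification) against an observed snapshot of AD group membership and reports drift by severity. The record format, the member lists and the ticket references are constructed; in practice the observed snapshot would come from an LDAP or Graph export.

```python
"""Compare documented role mappings with an observed AD group snapshot and
report drift. Added example; record format, members and tickets are constructed."""

# Documented mappings: what has been approved, and why (justification per member).
DOCUMENTED = {
    "TenantA_AppOwners": {
        "project": "TenantA", "persona": "Tenant Admin",
        "members": {"alice@example.com": "App owner, ticket CHG-1001"},  # ticket id constructed
    },
    "TenantA_DevOps": {
        "project": "TenantA", "persona": "Contributor",
        "members": {"bob@example.com": "Pipeline maintainer, CHG-1002", "carol@example.com": ""},
    },
    "Platform_Admins": {
        "project": "*", "persona": "Global Admin",
        "members": {"dave@example.com": "Platform team lead"},
    },
}

# Observed snapshot: what the directory says today (constructed).
OBSERVED = {
    "TenantA_AppOwners": {"alice@example.com", "frank@example.com"},
    "TenantA_DevOps": {"bob@example.com"},
    "Platform_Admins": {"dave@example.com", "frank@example.com"},
    "TenantB_DevOps": {"grace@example.com"},
}

PRIVILEGED = {"Global Admin", "Tenant Admin"}


def review(documented=DOCUMENTED, observed=OBSERVED):
    """Return (severity, group, user, finding) tuples describing every drift."""
    findings = []
    for group, doc in documented.items():
        approved = set(doc["members"])
        actual = observed.get(group, set())
        # Someone holds the role without an approved, documented mapping.
        sev = "high" if doc["persona"] in PRIVILEGED else "medium"
        for user in sorted(actual - approved):
            findings.append((sev, group, user, "member not in documented mapping"))
        # Documentation is stale: approved member has left the group.
        for user in sorted(approved - actual):
            findings.append(("low", group, user, "documented member no longer in group"))
        # Mapping exists but nobody recorded why.
        for user, why in sorted(doc["members"].items()):
            if not why.strip():
                findings.append(("medium", group, user, "missing justification"))
    # Groups that grant access but appear in no mapping document at all.
    for group in sorted(set(observed) - set(documented)):
        findings.append(("high", group, None, "group has no documented mapping"))
    return findings


def summarize(findings):
    counts = {}
    for sev, *_ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, group, user, what in review():
        print(f"[{sev:6}] {group:20} {user or '-':20} {what}")
    print(summarize(review()))
```

Running this from a scheduled job against a fresh directory export turns the "review quarterly" item into a continuous control, and the severity split keeps attention on the cases that matter most: an undocumented member of a Global Admin or Tenant Admin group, or a group that grants access with no mapping on record at all.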

Why It Matters

With Ansible and vRO enabling Day 2 automation, and GitOps providing version-controlled deployments, RBAC and identity governance complete the picture. You can now:
  • Enable secure self-service for tenants
  • Maintain clear access boundaries
  • Reduce risk and drift
  • Support compliance initiatives
This is what tenant-ready automation looks like in VMware Cloud Foundation 9.0: composable, secure, and fully governed.

What’s Next?

We’ll be following up this series with a special feature on Private AI Enablement in VCF 9.0, exploring how these same principles apply to GPU-based infrastructure, model deployment pipelines, and AI agent governance at scale.
© 2025 Brandon Seymour. All rights reserved.