Update VCF SSO Role Mappings

Updates role mappings for VCF SSO (vIDB) user groups. Configures which VCF SSO groups have access to HCX and their privilege levels in VCF-managed environments.

Validations:

  • Role name cannot be empty
  • User group names cannot be null or empty
  • At least one role mapping recommended (but empty array allowed)

VCF SSO vs vSphere SSO:

  • vSphere SSO: Traditional AD/LDAP groups (PUT /api/admin/global/config/roleMappings)
  • VCF SSO (vIDB): VCF-managed identity provider with OAuth (this endpoint)
  • VCF SSO groups should be fetched via SCIM API (searchGroups) before assignment

HCX Roles:

  • System Administrator: (legacy) Allows users to create and modify network profiles, compute profiles and service meshes. Also allows users to perform migrations and network extensions.
  • Enterprise Administrator: (legacy) Allows users to create and modify compute profiles and service meshes. Also allows users to perform migrations and network extensions.
  • Appliance Administrator: (legacy) Allows users to view and modify VCF Operations HCX Management Appliance configurations.
  • Migration Admin: Allows users to create and modify network profiles, compute profiles and service meshes. Also allows users to perform migrations and network extensions.
  • Migration User: Allows users to create and modify compute profiles and service meshes. Also allows users to perform migrations and network extensions.
  • Migration Appliance Admin: Allows users to view and modify VCF Operations HCX Management Appliance configurations.

Prerequisites:

  • vIDB (VCF SSO) must be configured (/api/admin/global/config/vidb)
  • Groups should exist in VCF SSO (verify via searchGroups)
  • OAuth client must have appropriate permissions

Important Notes:

  • Changes take effect immediately for new VCF SSO logins
  • Existing user sessions not affected (re-login required)
  • Replaces existing VCF SSO mappings (not additive)
  • Empty array clears all VCF SSO role mappings
Request
URI
PUT https://{server}:9443/api/admin/global/config/roleMappings/idp/groups
Request Body
[
    {
        "role": "Migration Admin",
        "userGroups": [
            "vcf.local\\VCF-Admins"
        ]
    }
]
Optional
Authentication
This operation uses the following authentication methods.
Responses
200

VCF SSO role mappings updated successfully

Returns RoleMappingResponse of type(s) application/json
{
    "isSuccess": true,
    "message": "Resource created/modified",
    "httpStatusCode": 200
}
  • isSuccess (boolean, required): Indicates if the operation was successful
  • message (string, required): Human-readable response message
  • httpStatusCode (integer, required): HTTP status code


500

Internal server error - Failed to update VCF SSO role mappings

Returns ErrorResponse of type(s) application/json
{
    "isSuccess": false,
    "message": "Request schema validation failed",
    "httpStatusCode": 400
}
  • isSuccess (boolean, required): Indicates if the operation was successful
  • message (string, required): Human-readable error message
  • httpStatusCode (integer, required): HTTP status code


Code Samples
curl -X PUT \
  -H 'Authorization: <value>' \
  -H 'Content-Type: application/json' \
  -d '[{"role": "Migration Admin", "userGroups": ["vcf.local\\VCF-Admins"]}]' \
  'https://{server}:9443/api/admin/global/config/roleMappings/idp/groups'
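
Because this PUT replaces the whole mapping set and an empty array clears it, the rules listed under Validations and Important Notes are worth enforcing on the client before the request is sent. The Python below is an added example, not part of the HCX documentation; the function names, the `vcf.local\HCX-Operators` group, and the choices to reject roles not listed on this page and empty group lists are assumptions.

```python
import json

# Role names copied from the "HCX Roles" list on this page.
LEGACY_ROLES = {"System Administrator", "Enterprise Administrator",
                "Appliance Administrator"}
CURRENT_ROLES = {"Migration Admin", "Migration User",
                 "Migration Appliance Admin"}


def validate_mappings(mappings, allow_clear=False):
    """Check a full replacement list; return warnings, raise ValueError on errors."""
    if not mappings and not allow_clear:
        # The API accepts an empty array, but it clears every mapping.
        raise ValueError("empty list clears all VCF SSO role mappings")
    warnings = []
    for entry in mappings:
        role = entry.get("role")
        groups = entry.get("userGroups")
        if not isinstance(role, str) or not role.strip():
            raise ValueError("role name cannot be empty")
        if role not in LEGACY_ROLES | CURRENT_ROLES:
            # Assumption: only accept roles this page documents.
            raise ValueError(f"role not documented on this page: {role!r}")
        if role in LEGACY_ROLES:
            warnings.append(f"{role!r} is a legacy role")
        # Assumption: a role with no groups at all is treated as an error too.
        if not isinstance(groups, list) or not groups or any(
                not isinstance(g, str) or not g.strip() for g in groups):
            raise ValueError(f"user group names for {role!r} cannot be null or empty")
    return warnings


def add_group(current, role, group):
    """Return a new full list with `group` granted `role`, keeping all other entries."""
    merged = {e["role"]: list(e["userGroups"]) for e in current}
    if group not in merged.setdefault(role, []):
        merged[role].append(group)
    return [{"role": r, "userGroups": g} for r, g in merged.items()]


if __name__ == "__main__":
    # Constructed sample of the mappings currently in force.
    current = [{"role": "Migration Admin", "userGroups": ["vcf.local\\VCF-Admins"]}]
    body = add_group(current, "Migration User", "vcf.local\\HCX-Operators")
    print(validate_mappings(body))     # warnings, if any
    print(json.dumps(body, indent=4))  # complete request body for the PUT
```

Sending only the new entry instead of the merged list would drop the existing `Migration Admin` mapping, since the endpoint is not additive.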