VMware discovery and import, how to segregate the access of the users?

We have the following case… We have ca. 1000 VMs in VMware and we are going to import them into Morpheus. The machines' access is based on applications and technical contacts.
What is the best approach to segregate access to the VMs in Morpheus so that users see and administer only certain servers?
We already have an integration with ServiceNow and existing OUs in the AD where the admins are defined, but the actual problem is how to shrink the Morpheus interface to show only the servers where the user/users are listed as technical contact or part of the admins group in the AD.
A million thanks in advance!

I think there are two approaches.

One approach could be to leverage multiple cloud integrations of the same VMware cloud, each scoped to a subset of the cloud, maybe on resource pool, maybe cluster. Map those clouds to groups and the groups can be shown to users if enabled on their role permissions.

Another approach could be to utilise tenancy. Discovered VMs in a single cloud can be allocated to a tenant such that only users inside that tenant can access them, but you could see issues if a user needed access to machines assigned to different tenants, so I think the first approach is probably more flexible/robust.

Hello @AngelPenev, I hope you are well today!

To add to what @Ollie_Phillips mentioned, if you will be creating Instances from the discovered VMs in Morpheus, then using Morpheus Groups (Infrastructure > Groups) might help.

To utilize them properly, the discovered VMs would need to be made managed (creates an Instance), either installing the agent or not. When making it managed, it will ask which Group it should be assigned to. Once they have been made managed, you can edit the Instance and choose a group to assign the instances to:

Only users in that group would have visibility/administration of the Instances.

Here is an example of some Groups that I have in my environment:

In the example above, I have named my Groups based on the roles/departments in the organization. The users’ roles dictate what Groups they have access to:

The users can have multiple Groups assigned via their role(s), so they can see different Groups’ servers. You can map your AD groups (if configured as an IdP) to Roles in Morpheus, which would have Morpheus Groups associated. Then you can just add/remove users from AD groups to assign access in Morpheus.

Finally, you can also use Groups to help define access to resources in a Morpheus cloud, for example, Networks:

Designing the perfect structure can be complex, depending on the organization. I’d recommend working on 1-2 examples first to understand the structure. Each organization is different so your strategy might be different than others too!

A diagram to help understand the Cloud-Group-Role Relationship:


If you need more assistance, you can work with your account manager to use tokens to meet with a Morpheus expert for more tailored help designing your strategy or assisting in the setup.

Hope that helps!