Both Enterprise and Custom CSP Groups are passed through to the platform when launching the Tanzu CloudHealth Service, both for Federated CSP tenants and for CSP tenants using manual credentials (Email/Password).
We will run through both processes below, but note that Federated CSP tenants can still set up Custom CSP groups in addition to the groups passed in via CSP.
Note: Users assigned the Service Role "Administrator" for the Tanzu CloudHealth platform are mapped independently of the steps below. This process only maps Groups that have the "Role Managed By CloudHealth" Service Role selected.
Note: Configuring Enterprise Groups relies on the Group attribute being passed from the IDP. If the Group attribute was not configured when SSO was set up, you will need to populate groups manually by following the "Mapping Custom groups to the Tanzu CloudHealth Platform" section below.
Note: When using the Dynamic Connector option, an Enterprise Group only becomes available once a user belonging to that group has signed into CSP at least once, because that sign-in provisions the group within CSP under Enterprise Federation. Ensure that a user belonging to the group you wish to map has attempted to sign into CSP at least once before proceeding with the following steps.
1. Sign into the CSP Console via - https://console.tanzu.broadcom.com/ and authenticate as a User with the Organization Owner role and the Enterprise Administrator role. These steps can only be performed by a User that has both Organization Owner within the CSP Organization tied to Tanzu CloudHealth and Enterprise Administrator access within the Management Organization.
2. Determine whether the CSP Organization has been mapped to the Management Organization by switching to the CSP Organization linked to Tanzu CloudHealth and selecting Organization -> Enterprise Management.
Within the screen displayed, select the Management Organization tab highlighted below -
You will then see one of the two screens below -
If the Organization shows as mapped (the "CSP Org mapped to Management Organization" screenshot), proceed to Step 8 to continue mapping the groups to the CSP Organization for use within Tanzu CloudHealth.
If the CSP Organization is not yet mapped to the Management Organization, proceed to Step 3.
3. Navigate to Organization -> Details for the Organization you wish to link to the Management Group -
4. Select the Link Identity Provider option within this page
5. Navigate to the Management Organization, shown via the Shield icon located next to the Organization. From there, navigate to Organization -> Management -
Select Invite Organization within the page displayed.
Select the Organization you wish to link via the "select from linked organizations" option - you will find the Organization you linked to the Identity Provider displayed there.
6. Navigate back to the Organization you wish to link to the management group and select Organization -> Enterprise Management, and switch to the Management Organization Tab -
This will display the following window; select the "Attach" option.
Once completed, the following screen will be displayed -
Additionally you will find within the Change Organization selector that the CSP Org is now nested underneath the Management Organization
You are now ready to proceed with mapping the Federated Groups under the Management Organization to the CSP Organization -
7. Ensure you have navigated back to the CSP Organization associated with Tanzu CloudHealth and select the Identity & Access Management -> Groups option marked below -
This will open the following page, within this page select the "Add Group" option -
8. Within the page displayed select the "Select Groups from your source domain" option -
This will then open the following screen, allowing you to search for available Enterprise Groups. Enter the name of the Enterprise Group in the search tab and wait for the values to populate -
If you are not aware of the names of the groups that have been pulled in from the IDP, you can pull a list from the Enterprise Management Organization (denoted by the shield icon) under Enterprise Federation, then select the following section -
This will display a list of groups for the users that have successfully authenticated into CSP via SSO.
The Group Name listed here is the value that needs to be entered in the search window after selecting "Select groups from your source domain".
Note: Groups from Azure AD may appear with either the group name or the Object ID of the group, depending on your Entra ID plan - https://www.microsoft.com/en-au/security/business/microsoft-entra-pricing. The example shown above displays the Object ID of the Azure group.
9. Once the group has been selected it will appear in the box below the search pane, please then ensure that the following Service and Service Role are defined for the group -
Finally, hit Add to finalize adding the group to the CSP Organization. Once the group has been added you will be redirected to the screen below, where you will find the group listed alongside the Service Role "Role Managed By CloudHealth" (example below) -
Now that the group is mapped, we can proceed with configuring the Usergroup within Tanzu CloudHealth; see the following step.
10. Within the Tanzu CloudHealth platform as an Administrator navigate to Setup -> Admin -> Usergroup.
Select the Usergroup you wish to assign the users to and navigate to the Details tab and select the Edit option -
This will open the following page, which allows you to define an SSO Key (Attribute) and SSO Value. The SSO Key that needs to be used is "group_names", and the value is the name of the group as it appears in CSP within the Identity & Access Management -> Groups tab in the Name field, including the domain.
For example, if I had the group [email protected] in CSP and I wanted to assign its users to the Usergroup "Demo Group", I would need to enter the following in the Usergroup SSO Mapping section -
Repeat this same process for all Usergroups, and groups you wish to map from CSP to Tanzu CloudHealth. You can map more than one group from CSP to a Usergroup within Tanzu CloudHealth.
Note: The service role "Role Managed by CloudHealth" will still map users to the "No Access" Usergroup. To switch to using Cloud Services Portal groups solely to map a user, navigate to Setup -> Admin -> Usergroups and select the "No Access" Usergroup.
Within the Details tab, select the Edit option in the top right. Within the page displayed, select the following option to remove the mapping for "Role Managed by CloudHealth" from the No Access Usergroup -
Users on their next sign in will be removed from the No Access group and will only be mapped to the Usergroups designated by their Cloud Services Portal groups.
If you need to re-add the mapping, navigate back to Setup -> Admin -> Usergroups and select the "No Access" Usergroup. Select the Edit option again, and specify an SSO Key of roles with the SSO Value set to ariacost:managed.
Note: To Create Groups and manage membership for existing groups the User will require the Organization Owner Role for the CSP Organization being managed.
In addition to Enterprise Groups from your corporate domain, Custom Groups can be mapped through to the Tanzu CloudHealth platform.
These groups exist within the CSP Org they are created in, but can be shared with other CSP organizations, as documented here - https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-platform-cloud-services/saas/tnz-cloud-services/work-with-groups.html
These manually created groups are differentiated from Enterprise Groups by the value in the Type column under Identity & Access Management -> Groups.
Groups from the Management Organization display "Enterprise" alongside the domain they come from, while Custom Groups display "Custom". Additionally, Shared Groups from other CSP Organizations display "Shared" and can also be mapped using the process below.
Users must be manually added to the groups before mapping is performed within the Tanzu CloudHealth platform.
Documentation on how to create a new Custom group(s) and add Users to them can be found here - https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-platform-cloud-services/saas/tnz-cloud-services/create-group.html
Ensure that the Service Role "Role Managed By CloudHealth" is selected when creating the Group, as this allows access to the Tanzu CloudHealth Service.
Once the group has been created, and members have been added you can proceed with mapping the group to the Tanzu CloudHealth Service -
1. Within the Tanzu CloudHealth platform as an Administrator navigate to Setup -> Admin -> Usergroup.
2. Select the Usergroup you wish to assign the users to and navigate to the Details tab and select the Edit option -
This will open the following page, which allows you to define an SSO Key (Attribute) and SSO Value. The SSO Key that needs to be used is "group_names", and the value is the name of the group as it appears in CSP within the Identity & Access Management -> Groups tab.
Repeat this same process for all Usergroups, and groups you wish to map from CSP to Tanzu CloudHealth. You can map more than one group from CSP to a Usergroup within Tanzu CloudHealth.
Note: The service role "Role Managed by CloudHealth" will still map users to the "No Access" Usergroup. To switch to using Cloud Services Portal groups solely to map a user, navigate to Setup -> Admin -> Usergroups and select the "No Access" Usergroup.
Within the Details tab, select the Edit option in the top right. Within the page displayed, select the following option to remove the mapping for "Role Managed by CloudHealth" from the No Access Usergroup -
Users on their next sign in will be removed from the No Access group and will only be mapped to the Usergroups designated by their Cloud Services Portal groups.
If you need to re-add the mapping, navigate back to Setup -> Admin -> Usergroups and select the "No Access" Usergroup. Select the Edit option again, and specify an SSO Key of roles with the SSO Value set to ariacost:managed.
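The following model, added here as an illustration rather than code from Tanzu CloudHealth or CSP, shows how the SSO Key/SSO Value mappings described in both the Enterprise Group steps above and the Custom Group steps just given decide which Usergroups a signing-in user lands in. It assumes the simplest rule consistent with the text: a user joins every Usergroup that has at least one (SSO Key, SSO Value) pair matching an attribute CSP passes for that user, compared as exact strings. The group names, the Object ID placeholder and the user attributes are all constructed for the example; only the keys `group_names` and `roles` and the value `ariacost:managed` come from the page. It also includes a pre-flight check a practitioner would want before removing the `roles: ariacost:managed` mapping from "No Access": which users' CSP groups map to no Usergroup at all.

```python
"""Model of Tanzu CloudHealth Usergroup SSO mapping (added illustration, not platform code).

Assumed rule: a user joins every Usergroup that has at least one (sso_key, sso_value)
pair whose value appears in the user's attribute list for that key. Attribute values
are compared as exact strings (an assumption; the page does not state case rules).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Usergroup:
    name: str
    # (SSO Key, SSO Value) pairs. More than one CSP group may map to one Usergroup.
    sso_mappings: list[tuple[str, str]] = field(default_factory=list)


# The mapping the page says "No Access" carries by default.
NO_ACCESS_DEFAULT = ("roles", "ariacost:managed")

# Constructed sample values, not real group names or IDs.
ENTERPRISE_GROUP = "finops-admins@example.com"              # Enterprise group incl. domain
CUSTOM_GROUP = "cost-viewers"                               # Custom group, name only
AZURE_OBJECT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder Entra Object ID


def build_usergroups(keep_no_access_mapping: bool) -> list[Usergroup]:
    """Sample Usergroup configuration, with or without the default No Access mapping."""
    return [
        Usergroup("No Access", [NO_ACCESS_DEFAULT] if keep_no_access_mapping else []),
        Usergroup("Demo Group", [
            ("group_names", ENTERPRISE_GROUP),
            ("group_names", CUSTOM_GROUP),
        ]),
        # Azure groups may arrive as the Object ID rather than a name (see note above).
        Usergroup("Azure Readers", [("group_names", AZURE_OBJECT_ID)]),
    ]


def resolve_usergroups(attributes: dict[str, list[str]], usergroups: list[Usergroup]) -> list[str]:
    """Return the Usergroups whose mappings match the user's SSO attributes, in config order."""
    matched: list[str] = []
    for ug in usergroups:
        for key, value in ug.sso_mappings:
            if value in attributes.get(key, []):
                matched.append(ug.name)
                break  # one matching pair is enough; do not add the Usergroup twice
    return matched


def user_attributes(csp_groups: list[str]) -> dict[str, list[str]]:
    """Attributes CSP passes for a user holding the 'Role Managed By CloudHealth' service role."""
    return {"roles": ["ariacost:managed"], "group_names": list(csp_groups)}


def check_user(csp_groups: list[str], keep_no_access_mapping: bool) -> list[str]:
    """Usergroups a user with these CSP groups would land in under the sample config."""
    return resolve_usergroups(user_attributes(csp_groups), build_usergroups(keep_no_access_mapping))


def users_without_usergroup(users: dict[str, list[str]], usergroups: list[Usergroup]) -> list[str]:
    """Pre-flight check: users whose CSP groups match no Usergroup.

    Run this against the config *without* the No Access mapping before removing it,
    so nobody is left with no Usergroup at all on their next sign-in.
    """
    return sorted(
        user for user, groups in users.items()
        if not resolve_usergroups(user_attributes(groups), usergroups)
    )


if __name__ == "__main__":
    # Constructed users: CSP group memberships as they would appear under IAM -> Groups.
    users = {
        "alice@example.com": [ENTERPRISE_GROUP],
        "bob@example.com": [CUSTOM_GROUP, AZURE_OBJECT_ID],
        "carol@example.com": ["unmapped-group@example.com"],
    }
    for user, groups in users.items():
        print(user, "with No Access mapping:", check_user(groups, True))
        print(user, "without No Access mapping:", check_user(groups, False))
    print("users left with no Usergroup if the No Access mapping is removed:",
          users_without_usergroup(users, build_usergroups(False)))
```

With the default mapping in place, every user carrying the service role lands in "No Access" in addition to any group-derived Usergroup; removing the `roles: ariacost:managed` pair leaves only the group-derived ones, which is why the pre-flight check matters for users such as the constructed carol, whose group maps nowhere.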