In a default vCloud Director deployment, Organization Administrators can manage the users of their own organization. This means they can import users from LDAP and also create local users, which might not be something you want to allow. An Organization Administrator who creates local users might forget to delete them when those people leave the organization, and a forgotten local account can allow unauthorized access to the organization's cloud. Therefore it is better to use LDAP: when an employee leaves the organization, the account is likely to be disabled in the directory (AD or OpenLDAP), and it is also easier to keep track of who is using the cloud when access is managed from a directory.
Unfortunately there is no feature in vCloud Director that keeps LDAP management in place and only removes local user management for an Organization Administrator. What you can do, however, is remove user management completely and, using Active Directory or OpenLDAP, move vCloud user management entirely into directory groups. That way the Organization Administrator manages access to the cloud by adding users to a group and removing them when no longer needed, and when users are removed or disabled in the directory, their access to the cloud stops as well.
Move user-management to Active Directory or openLDAP
In this article we will look at disabling user management and using only LDAP groups to manage users for vCloud Director. We start with the image below, where we see user Rob, who is an Organization Administrator for Organization1. As you can see, he has access to the Administration tab to manage users, with the ability to add local users and import them from LDAP. User Rob himself is also an LDAP user. How to configure LDAP for the system and for organizations is explained in the vCloud Director documentation.
First we create a new role for our Organization Administrators. You can create an empty role from scratch and add the privileges you need or you can copy the existing role and remove what you don't need.
The privilege that must be removed to disable user management is the Administration Control privilege, found in the General category.
After creating the new role, the Organization Administrator (our user Rob in this case) must be assigned this role.
In the next image you can see that user Rob is logged in to vCloud Director with the new role and cannot access the Administration tab. Notice, however, that he can still access the Administer Users link in the panel on the right. This is fine, because that link only allows him to see the users and send notifications; as an image further down shows, the features to add local users and import them from LDAP are no longer available.
Now that we have disabled user management for the Organization Administrator, we must add groups to the organization that can be used to grant access to the cloud. In the example below we import an Active Directory group named vAppUsers, matching the name of the vApp Users role in vCloud Director. The Organization Administrator can now manage AD group memberships to grant access to the vCloud environment. I suggest using groups in Active Directory that match the roles you will be using in vCloud Director.
As you can see in the image below, an AD user who is a member of the vApp Users group has logged in to the vCloud environment and was automatically imported into it. So there is no need to manage these individual accounts from the vCloud Director management portal. The buttons to add local users and import users from LDAP are no longer available.
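Once access is driven by directory groups, the remaining risk is a local account that was created before the change and never cleaned up. The following script is an added example (not part of the original article or of vCloud Director) that audits an organization's user list for such accounts. It parses the element layout of the vCloud API `User` type (`name` attribute, `IsEnabled`, `IsExternal`, `Role`); the four user documents embedded below are constructed for the example, as are all user and role names, and fetching the real documents from the admin API of a live cell is left outside the script.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by the vCloud Director 1.5-era admin API XML.
NS = {"vcloud": "http://www.vmware.com/vcloud/v1.5"}

# Constructed sample documents. The element layout follows the vCloud API
# "User" type (name attribute, IsEnabled, IsExternal, Role); every user name
# and role name here is invented for the example.
SAMPLE_USER_DOCS = [
    """<User xmlns="http://www.vmware.com/vcloud/v1.5" name="rob">
         <IsEnabled>true</IsEnabled>
         <IsExternal>true</IsExternal>
         <Role name="Org Admin without user management"/>
       </User>""",
    """<User xmlns="http://www.vmware.com/vcloud/v1.5" name="alice">
         <IsEnabled>true</IsEnabled>
         <IsExternal>true</IsExternal>
         <Role name="vApp User"/>
       </User>""",
    """<User xmlns="http://www.vmware.com/vcloud/v1.5" name="contractor-tmp">
         <IsEnabled>true</IsEnabled>
         <IsExternal>false</IsExternal>
         <Role name="Organization Administrator"/>
       </User>""",
    """<User xmlns="http://www.vmware.com/vcloud/v1.5" name="old-test">
         <IsEnabled>false</IsEnabled>
         <IsExternal>false</IsExternal>
         <Role name="vApp User"/>
       </User>""",
]


@dataclass(frozen=True)
class UserRecord:
    name: str
    enabled: bool
    external: bool   # True when the account was imported from LDAP, False for a local account
    role: str


def parse_user(xml_text: str) -> UserRecord:
    """Parse one User document into a UserRecord."""
    root = ET.fromstring(xml_text)

    def flag(tag: str) -> bool:
        el = root.find(f"vcloud:{tag}", NS)
        return el is not None and (el.text or "").strip().lower() == "true"

    role_el = root.find("vcloud:Role", NS)
    return UserRecord(
        name=root.get("name", ""),
        enabled=flag("IsEnabled"),
        external=flag("IsExternal"),
        role=role_el.get("name", "") if role_el is not None else "",
    )


def audit_local_accounts(users):
    """Return (name, severity, reason) for each account not backed by LDAP.

    Enabled local accounts are findings because they keep working after the
    person has been removed from the directory. An enabled local account that
    holds an administrator role is rated high; a disabled local account is
    still reported (low) so it gets removed instead of being re-enabled later.
    """
    findings = []
    for u in users:
        if u.external:
            continue
        if not u.enabled:
            findings.append((u.name, "low", "disabled local account, remove it"))
        elif "administrator" in u.role.lower():
            findings.append((u.name, "high", f"enabled local account with role '{u.role}'"))
        else:
            findings.append((u.name, "medium", f"enabled local account with role '{u.role}'"))
    return findings


def run_audit(user_docs=SAMPLE_USER_DOCS):
    """Parse every document and return the list of findings."""
    return audit_local_accounts(parse_user(doc) for doc in user_docs)


if __name__ == "__main__":
    for name, severity, reason in run_audit():
        print(f"[{severity}] {name}: {reason}")
```

Running it against the constructed sample reports the enabled local administrator account as high and the disabled local account as low, while the two LDAP-backed users produce no findings. Repeating this check on a schedule for every organization is the simplest way to confirm that nothing created before the role change is still lingering.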
The Organization Administrator can still manage user access to vApps, for example by changing the ownership of vApps for users that were automatically imported from LDAP.