Configuring user access control

vRealize Operations offers several ways you can authenticate users:

  • Use an identity source that uses the Lightweight Directory Access Protocol (LDAP).
  • Use VMware vCenter Server® users. Users must already be valid users in the vCenter Server system.
  • Use local user accounts that are created by using the vRealize Operations user interface.
  • Use a single sign-on server so that users can use their single sign-on credentials to log in to vRealize Operations and vCenter Server.
  • Use VMware Identity Manager (vIDM).

Using an LDAP source as the authentication method is recommended for the following reasons:

  • If your company already uses, for example, Active Directory, then you can leverage the existing identity source.
  • Active Directory can be leveraged by single sign-on.
  • An LDAP user can access VMware vSphere® and other objects, including third-party objects, provided the user has the appropriate privileges.

Authentication is delegated to the identity source that is in use.

Except for SSO, you can configure multiple instances of an identity source, for example, multiple vCenter Server instances and multiple LDAP servers.

The identity source provides the authentication for its users. For example, vCenter Server users can use their vCenter Server credentials to log in to vRealize Operations. The vCenter Server instance authenticates the user for vRealize Operations.

If an LDAP source is used, LDAP users can use their LDAP credentials to log in to vRealize Operations. Users and user groups are imported from the LDAP database to vRealize Operations.

When you create local users, vRealize Operations stores the credentials for those accounts in its Global Postgres database and authenticates the user account locally. A single vRealize Operations instance can use multiple instances of identity sources, for example, multiple vCenter Server instances and multiple LDAP servers.

Each user must have a unique account with one or more roles assigned to enforce role-based security when they use vRealize Operations.

A role is a collection of privileges that grants a user or user group the permission to access objects. Using a privilege, a user can perform a certain function, or action, in the vRealize Operations user interface. The roles associated with a user account determine the features that the user can access and the actions that the user can perform.

A given privilege can be included in multiple roles. You do not assign privileges directly to users. Rather, you apply roles to users.
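The role model described above (privileges bundled into roles, roles applied to users or to groups imported from an identity source, and each role assignment scoped either to specific objects or to all objects in the system) can be made concrete with a small authorization check. The following is an added illustration written for this section, not vRealize Operations code; the role names, privilege strings, object identifiers and user and group names are all constructed for the example.

```python
"""Toy role-based access model mirroring the concepts in this section:
identity sources supply users and groups, roles bundle privileges, roles
(never individual privileges) are applied to users or groups, and every
assignment is scoped to specific objects or to all objects.
Added illustration only; all names below are constructed."""
from dataclasses import dataclass, field

ALL_OBJECTS = "*"  # stands in for "Allow access to all objects in the system"


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset  # privilege identifiers, e.g. "dashboards.view"


@dataclass(frozen=True)
class RoleAssignment:
    role: Role
    objects: frozenset  # object ids, or {ALL_OBJECTS}


@dataclass
class Principal:
    name: str
    identity_source: str  # e.g. "LDAP:corp.example" or "Local"
    assignments: list = field(default_factory=list)


class AccessControl:
    def __init__(self):
        self.users = {}       # user name -> Principal (local or imported)
        self.groups = {}      # group name -> Principal
        self.membership = {}  # user name -> set of group names (from LDAP sync)

    def import_group(self, group, members):
        """Import an LDAP group and record which users belong to it."""
        self.groups[group.name] = group
        for member in members:
            self.membership.setdefault(member, set()).add(group.name)

    def add_user(self, user):
        self.users[user.name] = user

    def effective_assignments(self, user_name):
        """Union of the user's own role assignments and those of every
        imported group the user belongs to. Privileges are never attached
        to a user directly; they only arrive through roles."""
        result = []
        user = self.users.get(user_name)
        if user is not None:
            result.extend(user.assignments)
        for group_name in self.membership.get(user_name, ()):
            result.extend(self.groups[group_name].assignments)
        return result

    def is_authorized(self, user_name, privilege, object_id):
        """True if any effective role grants the privilege on the object."""
        for assignment in self.effective_assignments(user_name):
            if privilege not in assignment.role.privileges:
                continue
            if ALL_OBJECTS in assignment.objects or object_id in assignment.objects:
                return True
        return False


def build_demo():
    """Construct a sample configuration: an LDAP admin group with the
    Administrator role on all objects, and a local read-only user scoped
    to one cluster. The 'dashboards.view' privilege deliberately appears
    in both roles to show that a privilege can belong to multiple roles."""
    administrator = Role("Administrator", frozenset({
        "dashboards.view", "alerts.acknowledge", "cluster.delete"}))
    viewer = Role("Dashboard Viewer", frozenset({"dashboards.view"}))

    ac = AccessControl()
    admins = Principal("vRealize Operations Admins", "LDAP:corp.example",
                       [RoleAssignment(administrator, frozenset({ALL_OBJECTS}))])
    ac.import_group(admins, members=["alice"])  # alice comes from LDAP sync only

    auditor = Principal("auditor", "Local",
                        [RoleAssignment(viewer, frozenset({"cluster-prod"}))])
    ac.add_user(auditor)
    return ac


if __name__ == "__main__":
    ac = build_demo()
    for user, priv, obj in [("alice", "cluster.delete", "vm-42"),
                            ("auditor", "dashboards.view", "cluster-prod"),
                            ("auditor", "dashboards.view", "cluster-dev"),
                            ("mallory", "dashboards.view", "cluster-prod")]:
        print(f"{user:8} {priv:20} {obj:13} -> {ac.is_authorized(user, priv, obj)}")
```

The check deliberately fails closed: an unknown user, a privilege missing from every effective role, or an object outside the assignment's scope all yield a denial, which is the behaviour you want when group membership is driven by an external LDAP sync.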

The Authentication Module and Authorization Module in vRealize Operations are illustrated in the following diagram:

For the purpose of this example, we will configure LDAP as the identity source and configure roles for our users and user groups.

Perform the following steps to configure the LDAP as an identity source in vRealize Operations:

  1. Go to the User UI on the master replica node by navigating to the following URL: https://<FQDN or IP of the master replica Node>/ui. Navigate to the Administration section and select Access, and then Authentication Sources. Click the plus (+) button to add authentication sources:
  2. Fill in the information required to add LDAP as a source for user and group import:
    • Source Display Name: Give a name for the identity source.
    • Source Type: Select the type of the identity source; for this example, select LDAP.
    • Integration Mode: Select either Basic or Advanced integration mode. Advanced mode allows you to specify the search criteria with finer control (Base DN).
    • User Name and Password: Provide credentials to authenticate to the identity source.
  3. Click Test to verify the information and test the connection, and then click OK:
  4. Click Synchronize User Groups to trigger an initial synchronization with LDAP.
  5. Navigate to Access, and then to Access Control. Go to User Groups and click Import Group to add user groups to vRealize Operations and assign roles to them.
  6. On the Import User Groups page, search for and select the group(s) you want to add and click Next.
  7. On the Roles and Objects page, select the Role and Objects you want to assign to the group, as shown in the following screenshot, and click Finish. For this example, we are assigning the Administrator role to the user group with Allow access to all objects in the system selected:
  8. As you can see from the following screenshot, we have added an LDAP user group called vRealize Operations Admins to vRealize Operations, and we have assigned it Administrator role permissions to access all objects:
  9. To verify a successful LDAP identity source configuration, log out of the UI and log back in with a user who is a member of the LDAP user group you have added. Make sure to select the correct LDAP identity source on the login UI.

If you want to go the extra mile, you can also explore the options to create custom roles and set Password Policies in vRealize Operations. As these are self-explanatory, we will not be covering them in this book.