In the previous post in this series, we started with the basics by creating two custom groups and connecting our vROps instance to the domain. In this part we will work some “object oriented” permissions magic.
A few more configurations are needed in order to use “object oriented” permissions, which I will cover in this post:
- Create vROps Access Control Group
- Share a Custom Dashboard
- Assign Object Permissions
- Test & Validate
A bit of a background…
In my lab I have two fictional users: Johnnie Walker, who is the vSphere admin and responsible for the vCenter servers VMs, and Jack Daniel, who is the Cloud Platform admin and responsible for the vRA servers VMs.
Those two users are members of the same AD security Group called “VI Cloud Admins”.
I have also pre-configured the custom dashboard from the diagram in the previous post, which is called “Root Cause Analysis”. Later in this post we will go over the relevant configurations for this dashboard.
vROps Access Control Group
The first step is to import the “VI Cloud Admins” AD group as a new vROps Access Control Group.
Under the Administration tab, click “Access Control”, go to the “User Groups” tab and click the “Import Group” button.
Search for the AD group you wish to add, select it for import and click “Next”. To keep things simple, I’ve selected the pre-defined “Read Only” role.
Share a Custom Dashboard
In order for Johnnie and Jack to be able to use the “Root Cause Analysis” dashboard, it must be shared.
At this point, both Johnnie and Jack will be able to log in and see the dashboard, but they will not see any data presented in it. The next part will explain why…
Assign Object Permissions
Before jumping to the last part, let’s review the filtering configurations for both the “Object List” and the “Heatmap” widgets in my “Root Cause Analysis” dashboard.
As you can see, the two widgets are configured to filter and present only data coming from the Custom Groups we’ve created in the previous post – “xLab vCenter Servers” & “xLab vRA Servers”.
Now that we know what the widgets look like “under the hood”, go back to the “Access Control” section under the vROps “Administration” tab.
Under the “User Accounts” tab, select the user you would like to associate objects with. As I mentioned, in my case Johnnie Walker is the vSphere admin and responsible for the vCenter servers VMs and Jack Daniel is the Cloud Platform admin and responsible for the vRA servers VMs.
Expand the Custom Groups section and mark the relevant custom group (mark the “Propagation” box as well).
- Johnnie Walker gets permissions to “xLab vCenter Servers” Custom Group
- Jack Daniel gets permissions to “xLab vRA Servers” Custom Group
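To make the expected “Test & Validate” outcome concrete, here is a simplified model of the setup, added as an illustration (it is not vROps code and does not use the vROps API). The VM names are constructed, and the model assumes a widget shows only objects that are both in its filter and in the user's object scope, with “Propagation” extending a grant from the custom group to its members.

```python
# Simplified model of the setup in this post; not vROps code or its API.
# VM names are constructed; group and user names come from the post.
CUSTOM_GROUPS = {
    "xLab vCenter Servers": {"vcsa-01", "vcsa-02"},
    "xLab vRA Servers": {"vra-01", "vra-02"},
}
# Both widgets on the dashboard filter on the two custom groups.
WIDGET_FILTER = ["xLab vCenter Servers", "xLab vRA Servers"]


def object_scope(grants):
    """Objects a user may see. grants: list of (custom_group, propagate)."""
    scope = set()
    for group, propagate in grants:
        scope.add(group)  # the group object itself
        if propagate:  # assumption: propagation extends the grant to members
            scope |= CUSTOM_GROUPS[group]
    return scope


def widget_rows(shared, grants):
    """VMs a widget shows: its filter candidates intersected with the scope."""
    if not shared:  # dashboard not shared with the user's group
        return set()
    candidates = set().union(*(CUSTOM_GROUPS[g] for g in WIDGET_FILTER))
    return candidates & object_scope(grants)


def validate(assignments, shared=True):
    """Per-user list of VMs the dashboard would present."""
    return {user: sorted(widget_rows(shared, grants))
            for user, grants in assignments.items()}


# State after sharing the dashboard, before any object permissions exist.
BEFORE = {"Johnnie Walker": [], "Jack Daniel": []}
# State after the assignments listed above, with propagation marked.
AFTER = {
    "Johnnie Walker": [("xLab vCenter Servers", True)],
    "Jack Daniel": [("xLab vRA Servers", True)],
}

if __name__ == "__main__":
    print("shared only:", validate(BEFORE))
    print("object permissions assigned:", validate(AFTER))
```

In this model each admin ends up seeing only the VMs of their own custom group on the same shared dashboard, and a grant without propagation shows nothing.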
I hope you enjoyed this 2-part series and as always, let me know if you have any comments 🙂