vROps “Object Oriented” Permissions – Part 2

hapy-ballsIn the previous post for this series, we’ve started with the basics by creating two custom groups and connect our vROps instance to the domain. I this part we will work some “object oriented” permissions magic.

 

There are few more configurations needed in order to use “object oriented” permissions, which I will cover in this post:

  • Create vROps Access Control Group
  • Share a Custom Dashboard
  • Assign Object Permissions
  • Test & Validate

A bit of a background…

In my lab I have two fictional users named Johnnie Walker which is the vSphere admin and responsible for the vCenter servers VMs and Jack Daniel which is the Cloud Platform admin and responsible for the vRA servers VMs.

Those two users are members of the same AD security Group called “VI Cloud Admins”.

I have also pre-configured the custom dashboard from the previous post diagram which is called “Root Cause Analysis”. Later in this post we will go over the relevant configurations for this dashboard.00

vROps Access Control Group

The first step is to import the “VI Cloud Admin” as a new vROps Access Control Group.

Under the Administration tab, hit the “Access Control” and go to the “User Groups” tab and click the “Import Group” button.

Search for the AD group you wish to add, select to import it and click “Next”. To keep things simple, I’ve selected the pre-defined “Read Only” role.

Because we are not assigning object permissions on a group level no need to go to the “Objects” section – this is exactly what vROps is warning us about.01

0203

After the group has been created you will see it under the “User Groups” tab with its members (those will be added automatically).04

Share a Custom Dashboard

In order for Johnnie and Jack to be able to use the “Root Cause Analysis” dashboard, it must be shared.

Note: If you are using Google Chrome as your browser with the use of the “AdBlock” plugin, I suggest you turn it off before moving forward with the configurations.05

Go to the “Content” tab and hit the “Share Dashboards” configuration.06

Drag the dashboard you want to share towards the Access Control group you would like to share the dashboard with.07

08Notice how the dashboard is now marked as “Shared” and click the “Save” button to continue.

At this point, both Johnnie and Jack will be able to log in and see the dashboard but will not see any data presented to them, the next part will explain why…

Assign Object Permissions

Before jumping to the last part, let’s review the filtering configurations for both the “Object List” and the “Heatmap” widgets in my “Root Cause Analysis” dashboard.

As you can see, the two widgets are configured to filter and present only data coming from the Custom Groups we’ve created in the previous post – “xLab vCenter Servers” & “xLab vRA Servers”.

The numbers next to the group name represent the amount of objects it contains.09

Don’t mind the CPU Demand values configured in my “Heatmap” widget. I wanted to show some color differences and for that I had to put low values since currently I don’t have much going on in my lab  🙂10

Now that we know how the widgets “under the hood” looks like, go back to the “Access Control” section under vROps “Administration” tab.

Under the “User Accounts” tab, select the user you would like to associate objects to. As I mentioned, in my case Johnnie Walker is the vSphere admin and responsible for the vCenter servers VMs and Jack Daniel is the Cloud Platform admin and responsible for the vRA servers VMs.

On the bottom right corner, hit the “Edit” button under the “Associated Objects” section.11

Expend the Custom Groups section and mark the relevant custom group (mark the “Propagation” box as well).

  • Johnnie Walker gets permissions to “xLab vCenter Servers” Custom Group
  • Jack Daniel gets permissions to “xLab vRA Servers” Custom Group12

13Test & Validate

The only thing that is left is to log in using the domain account and see if the filtering works.14

Notice how Jack can see only the vRA servers VM objects and Johnnie only the vCenter servers VM objects while looking at the same custom dashboard.15

16“Object Oriented” permissions are very powerful, covers a lot of use cases and open a world of vROps possibilities.

I hope you enjoyed this 2-part series and as always, let me know if you have any comments 🙂

2 Comments

Leave a Reply