vROps Custom Groups are very powerful if you know how to use them. One of the best-kept secrets in vROps 6 is the ability to configure user permissions for a specific object within the system, for example, a Custom Group.
For the past few weeks now I’ve been trying to create a “Dashboard as a Service” within vRealize Automation (vRA). Although I still haven’t figured out everything, I am getting pretty close.
Currently, I am still at the point where I am working on the vROps parts. Thinking about the many ways to approach this, I’ve decided to play around with what I like to call vROps “Object Oriented” permissions.
In vROps, an object can be a cluster, a datastore, a VM, an adapter and many more. The object I will be using in this post is a Custom Group which contains several virtual machines.
Each VM group has a different purpose and a different admin in the business. For example, I have a vSphere Platform admin and a Cloud Platform admin.
The vSphere Platform admin is responsible for the vCenter server VMs and the Cloud Platform admin is responsible for the vRA server VMs.
What I was trying to do (and succeeded in, as you will see later on) is to get the vCenter Platform admin to see only the vCenter servers and the vRA admin to see only the vRA servers.
Not only that, I need this to happen without creating a dedicated dashboard for each admin.
Creating Custom Groups
There are a few things you need to do before we will be able to test object oriented permissions within vROps.
As I mentioned, I will be using custom groups which contain virtual machines. In order to demonstrate the permissions part, go ahead and create your custom groups first.
Now I should mention that it doesn’t really matter what method is being used to create the group as long as it contains the objects that you need.
Configure Access Control
If you are planning to give users vROps access based on Active Directory authentication, which I assume you are, you first need to configure it.
Under the Administration tab, hit “LDAP Import Source” and then hit the green + sign at the top left in order to configure your LDAP source.
Nothing too fancy here, just basic, straightforward Active Directory LDAP configuration.
As this becomes a long post, I will continue with the roles & permissions configurations in the next part, stay tuned…