Instead of adding individual domain users, you can add domain groups to allow users to log in to VMware Aria Operations for Logs.

When you activate the AD support in VMware Aria Operations for Logs, you configure a domain name and provide a binding user that belongs to the domain. VMware Aria Operations for Logs uses the binding user to verify the connection to the AD domain, and to verify the existence of AD users and groups.

The Active Directory groups that you add to VMware Aria Operations for Logs must either belong to the domain of the binding user, or to a domain that is trusted by the domain of the binding user.

An Active Directory user inherits roles that are assigned to any group the user belongs to, in addition to the roles that are assigned to the individual user. For example, you can assign GroupA to the role of View Only Admin and assign the user Bob to the role of User. Bob can also be assigned to GroupA. When Bob logs in, he inherits the group role and has privileges for both the View Only Admin and User roles.

Prerequisites

  • Verify that you are logged in to the VMware Aria Operations for Logs web user interface as a Super Admin user, or a user associated with a role that has the Access control permission with Edit access level. The URL format of the web user interface is https://operations-for-logs-host, where operations-for-logs-host is the IP address or host name of the VMware Aria Operations for Logs virtual appliance.

  • Verify that you configured AD support. See Activate User Authentication Through Active Directory

Procedure

  1. Expand the main menu and navigate to Management > Access Control.
  2. Click Users.
  3. Under Directory Groups, click New Group.
  4. Click Active Directory in the Type drop-down menu.
    The default domain name that you specified when you configured Active Directory support appears in the Domain text box. If you are adding groups from the default domain, do not modify the domain name.
  5. (Optional) If you want to add a group from a domain that trusts the default domain, type the name of the trusting domain in the Domain text box.
  6. Enter the name of the group that you want to add.
  7. From the Roles list on the right, select one or more predefined or custom user roles.
    Option Description
    Dashboard User Dashboard users can only use the Dashboards page of VMware Aria Operations for Logs.
    Super Admin Super Admin users can access all the functionalities of VMware Aria Operations for Logs, can administer VMware Aria Operations for Logs, and can manage the accounts of all other users.
    User Users can access all the functionalities of VMware Aria Operations for Logs. Users can view log events, run queries to search and filter logs, import content packs into their own user space, view alerts, and manage their own user accounts to change a password or email address. Users do not have access to the administration options and cannot share content with other users, create or modify alerts, modify the accounts of other users, and or install a content pack from the Marketplace. However, they can import a content pack into their own user space which is visible only to them.
    View Only Admin View Only Admin users can view Admin information, have full user access, and can edit shared content.
    Custom Role A user with a custom role can view or modify information based on the permissions associated with the role.
    To view the permissions associated with a predefined or custom role, in the Access Control page, click the Roles tab and then click Show Permissions against the role.
  8. Click Save.
    VMware Aria Operations for Logs verifies whether the AD group exists in the domain that you specified or in a trusting domain. If the group cannot be found, a dialog box informs you that VMware Aria Operations for Logs cannot verify that group. You can save the group without verification or cancel to correct the group name.

Results

Users that belong to the Active Directory group that you added can use their domain account to log in to VMware Aria Operations for Logs and have the same level of permissions as the group to which they belong.