You can use Active Directory groups with VMware Aria Operations for Logs through VMware Workspace ONE Access single sign-on authentication. Your site must be configured for VMware Workspace ONE Access authentication that is enabled for Active Directory support, and server synchronization must be in place.

You must also import group information to VMware Aria Operations for Logs.

A VMware Workspace ONE Access user inherits roles that are assigned to any group the user belongs to in addition to the roles that are assigned to the individual user. For example, you can assign Group A to the role of View Only Admin and assign a user to the role of User. The same user can also be assigned to Group A. When the user logs in, they inherit the group role and have the privileges of both the View Only Admin and User roles.

The group is not a VMware Workspace ONE Access local group, but an Active Directory group that is synchronized with VMware Workspace ONE Access.

Prerequisites

  • Verify that you have configured the UPN attribute (userPrincipalName). It can be configured through the VMware Workspace ONE Access administrator interface at Identity & Access Management > User Attributes.
  • Verify that you are logged in to the VMware Aria Operations for Logs web user interface as a Super Admin user, or a user associated with a role that has the Access control permission with Edit access level. The URL format of the web user interface is https://operations-for-logs-host, where operations-for-logs-host is the IP address or host name of the VMware Aria Operations for Logs virtual appliance.

  • Verify that you configured VMware Workspace ONE Access support in VMware Aria Operations for Logs. See Activate User Authentication Through VMware Workspace ONE Access.

Procedure

  1. Expand the main menu and navigate to Management > Access Control.
  2. Click Users.
  3. Scroll to the Directory Groups table and click New Group.
  4. Select VMware Identity Manager from the Type drop-down menu.
    The default domain name that you specified when you configured VMware Workspace ONE Access support appears in the Domain text box.
  5. Change the domain name to the Active Directory name for the group.
  6. Enter the name of the group that you want to add.
  7. From the Roles list on the right, select one or more predefined or custom user roles.
    Option | Description
    Dashboard User | Dashboard users can only use the Dashboards page of VMware Aria Operations for Logs.
    Super Admin | Super Admin users can access all the functionalities of VMware Aria Operations for Logs, can administer VMware Aria Operations for Logs, and can manage the accounts of all other users.
    User | Users can access all the functionalities of VMware Aria Operations for Logs. Users can view log events, run queries to search and filter logs, import content packs into their own user space, view alerts, and manage their own user accounts to change a password or email address. Users do not have access to the administration options and cannot share content with other users, create or modify alerts, modify the accounts of other users, or install a content pack from the Marketplace. However, they can import a content pack into their own user space which is visible only to them.
    View Only Admin | View Only Admin users can view Admin information, have full user access, and can edit shared content.
    Custom Role | A user with a custom role can view or modify information based on the permissions associated with the role.
    To view the permissions associated with a predefined or custom role, in the Access Control page, click the Roles tab and then click Show Permissions against the role.
  8. Click Save.
    For authentication, VMware Aria Operations for Logs verifies whether the user's domain is linked to a group. If the domain does not belong to a group, VMware Aria Operations for Logs verifies whether the domain has established trust with a domain associated with a group. If cross-domain trust has been established, the user can log in to VMware Aria Operations for Logs, and the corresponding user account is added to the user table in Access Control > Users.

Results

Users that belong to the group that you added can use their VMware Workspace ONE Access account to log in to VMware Aria Operations for Logs and have the same level of permissions as the group to which they belong.
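
The role inheritance rule described in the introduction and the domain check described under step 8 can be modeled offline to review which accounts end up with a sensitive role through group membership. The following is an added example, not VMware code and not part of the product: every user, group, domain and trust pair in it is constructed sample data, and treating a trust as an unordered pair of domains is an assumption.

```python
# Added illustration: a model of the rules described on this page, not product code.
# All users, groups, domains and trust pairs below are constructed sample data.

# Directory groups as added under Access Control > Users: (domain, group) -> roles
DIRECTORY_GROUPS = {
    ("corp.example", "LogViewers"): {"View Only Admin"},
    ("corp.example", "LogAdmins"): {"Super Admin"},
}
# Roles assigned to individual users (keyed by UPN)
USER_ROLES = {"alice@corp.example": {"User"}, "bob@partner.example": {"User"}}
# Group membership as synchronized from Active Directory: UPN -> {(domain, group)}
MEMBERSHIP = {
    "alice@corp.example": {("corp.example", "LogViewers")},
    "bob@partner.example": {("corp.example", "LogAdmins")},
    "carol@other.example": set(),
}
# Cross-domain trusts, modeled here as unordered pairs (assumption)
TRUSTS = {frozenset({"partner.example", "corp.example"})}


def domain_allowed(upn):
    """Domain check from step 8: linked to a group, or has a trust with a linked domain."""
    domain = upn.rsplit("@", 1)[1].lower()
    linked = {d for d, _ in DIRECTORY_GROUPS}
    if domain in linked:
        return True
    return any(frozenset({domain, d}) in TRUSTS for d in linked)


def effective_roles(upn):
    """Union of the user's own roles and the roles of every group they belong to."""
    roles = set(USER_ROLES.get(upn, set()))
    for group in MEMBERSHIP.get(upn, set()):
        roles |= DIRECTORY_GROUPS.get(group, set())
    return roles


def audit(watch_role="Super Admin"):
    """Return (upn, can_log_in, roles, via_group_only) for every known user."""
    report = []
    for upn in sorted(set(USER_ROLES) | set(MEMBERSHIP)):
        roles = effective_roles(upn)
        via_group = watch_role in roles and watch_role not in USER_ROLES.get(upn, set())
        report.append((upn, domain_allowed(upn), sorted(roles), via_group))
    return report


if __name__ == "__main__":
    for row in audit():
        print(row)
```

In the sample data, the account from the trusted domain holds Super Admin only through its group, which is the case worth reviewing before you click Save on a group that carries an administrative role.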