VMware Aria Operations supports vCenter Server users. To log in to VMware Aria Operations, vCenter Server users must be valid users in vCenter Server.
Roles and Associations
A vCenter Server user must have either the vCenter Server Admin role or one of the VMware Aria Operations privileges, such as PowerUser which assigned at the root level in vCenter Server, to log in to VMware Aria Operations. VMware Aria Operations uses only the vCenter privileges, meaning the VMware Aria Operations roles, at the root level, and applies them to all the objects to which the user has access. After logging in, vCenter Server users can view all the objects in VMware Aria Operations that they can already view in vCenter Server.
Logging in to vCenter Server Instances and Accessing Objects
vCenter Server users can access either a single vCenter Server instance or multiple vCenter Server instances, depending on the authentication source they select when they log in to VMware Aria Operations.
-
If users select a single vCenter Server instance as the authentication source, they have permission to access the objects in that vCenter Server instance. After the user has logged in, an account is created in VMware Aria Operations with the specific vCenter Server instance serving as the authentication source.
-
If users select All vCenter Servers as the authentication source, and they have identical credentials for each vCenter Server in the environment, they see all the objects in all the vCenter Server instances. Only users that have been authenticated by all the vCenter Servers in the environment can log in. After a user has logged in, an account is created in VMware Aria Operations with all vCenter Server instances serving as the authentication source.
VMware Aria Operations does not support linked vCenter Server instances. Instead, you must configure the vCenter Server adapter for each vCenter Server instance, and register each vCenter Server instance to VMware Aria Operations.
Only objects from a specific vCenter Server instance appear in VMware Aria Operations. If a vCenter Server instance has other linked vCenter Server instances, the data does not appear.
vCenter Server Roles and Privileges
You cannot view or edit vCenter Server roles or privileges in VMware Aria Operations. VMware Aria Operations sends roles as privileges to vCenter Server as part of the vCenter Server Global privilege group. A vCenter Server administrator must assign VMware Aria Operations roles to users in vCenter Server.
VMware Aria Operations privileges in vCenter Server have the role appended to the name. For example, VMware Aria Operations ContentAdmin Role, or VMware Aria Operations PowerUser Role.
Read-Only Principal
A vCenter Server user is a read-only principal in VMware Aria Operations, which means that you cannot change the role, group, or objects associated with the role in VMware Aria Operations. Instead, you must change them in the vCenter Server instance. The role applied to the root folder applies to all the objects in vCenter Server to which a user has privileges. VMware Aria Operations does not apply individual roles on objects. For example, if a user has the PowerUser role to access the vCenter Server root folder, but has read-only access to a virtual machine, VMware Aria Operations applies the PowerUser role to the user to access the virtual machine.
Refreshing Permissions
When you change permissions for a vCenter Server user in vCenter Server, the user must log out and log back in to VMware Aria Operations to refresh the permissions and view the updated results in VMware Aria Operations. Alternatively, the user can wait for VMware Aria Operations to refresh. The permissions refresh at fixed intervals, as defined in the $ALIVE_BASE/user/conf/auth.properties file. The default refreshing interval is half an hour. If necessary, you can change this interval for all nodes in the cluster.
Single Sign-On and vCenter Users
When vCenter Server users log into VMware Aria Operations by way of single sign-on, they are registered on the VMware Aria Operations User Accounts page. If you delete the account of a vCenter Server user that has logged into VMware Aria Operations by way of single sign-on, or remove the user from a single sign-on group, the user account entry still appears on the User Account page and you must delete it manually.
Generating Reports
vCenter Server users cannot create or schedule reports in VMware Aria Operations.