Identity Management Design for VMware Aria Operations for Intelligent Operations Management for VMware Cloud Foundation

You manage access to VMware Aria Operations by assigning users and groups, synchronized to Workspace ONE Access, to VMware Aria Operations roles.

Users can authenticate to VMware Aria Operations by using the following account types:

Table 1. VMware Aria Operations Account Types
Account Type	Description
Imported from an LDAP database	Users can use their LDAP credentials to log in to VMware Aria Operations.
Integrated with Workspace ONE Access	Users and groups from an identity source are synchronized to VMware Aria Operations through the global Workspace ONE Access.
vCenter Server user accounts	After a vCenter Server instance is registered with VMware Aria Operations, the following users can log in to VMware Aria Operations: Users that have administration access in vCenter Server. Users that have one of the VMware Aria Operations privileges, such as PowerUser, assigned to the account which appears at the root level in vCenter Server.
Local user accounts in VMware Aria Operations	VMware Aria Operations performs local authentication using the account information stored in its internal database.

Table 2. Design Decision on Identity Management for VMware Aria Operations
Design Decision ID	Design Decision	Design Justification	Design Implication
IOM-VAOPS-SEC-001	Activate VMware Aria Operations integration with your corporate identity source by using the clustered Workspace ONE Access deployment.	Allows authentication, including multi-factor, to VMware Aria Operations by using your corporate identity source. Allows authorization through the assignment of organization and cloud services roles to enterprise users and groups defined in your corporate identity source.	You must deploy and configure a Workspace ONE Access cluster to establish the integration between VMware Aria Operations and your corporate identity sources.
IOM-VAOPS-SEC-002	Assign the default Administrator role in VMware Aria Operations to an Active Directory security group.	Provides the following access control features: Access to VMware Aria Operations administration is granted to a managed set of individuals that are members of the security group. You can introduce improved accountability and tracking organization owner access to VMware Aria Operations .	You must maintain the life cycle and availability of the security group outside of the SDDC stack.
IOM-VAOPS-SEC-003	Assign the default ContentAdmin role in VMware Aria Operations to an Active Directory security group.	Provides the following access control features: Access to the VMware Aria Operations user interface is granted to a managed set of individuals that are members of the security group. You can introduce improved accountability and tracking organization owner access to VMware Aria Operations .	You must maintain the life cycle and availability of the security group outside of the SDDC stack.
IOM-VAOPS-SEC-004	Assign the default ReadOnly role in VMware Aria Operations to an Active Directory security group.	Provides the following access control features: Access to the VMware Aria Operations user interface is granted to a managed set of individuals that are members of the security group. You can introduce improved accountability and tracking organization owner access to VMware Aria Operations .	You must maintain the life cycle and availability of the security group outside of the SDDC stack.