You can add and remove VMware Tanzu Operations Manager users, and you can use an administrator Tanzu Operations Manager account to create client accounts that you can use for Tanzu Operations Manager automation.

Tanzu Operations Manager supports multiple user accounts. A User Account and Authentication (UAA) module co-located on the Tanzu Operations Manager VM manages access permissions to Tanzu Operations Manager.

When Tanzu Operations Manager boots for the first time, you create an admin user. You cannot create additional users through the Tanzu Operations Manager web interface. To create additional users who can log in to Tanzu Operations Manager, you must use the UAA API, either through curl or the UAA Command Line Client (UAAC).

Users created this way do not persist if UAA authentication settings change.

In addition to creating user accounts, you can also create client accounts, which connect automation tools and scripts to Tanzu Operations Manager. VMware recommends using clients to handle automated tasks.

Client accounts are not bound to the same authentication protocols as user accounts. If a user account controls automated components, those components fail whenever that account becomes unavailable because of permission or authentication issues.

You create client accounts after you deploy Tanzu Operations Manager, or during configuration for an initial deployment. For more information about adding clients during initial configuration or after deployment, see Add Pre-Created Client.

Add Tanzu Operations Manager users

This section describes how to add users with UAAC. If you do not already have the UAAC installed, run gem install cf-uaac on the command line.

You can manage users on the Tanzu Operations Manager UAA module only if you choose to use Internal Authentication instead of an external Identity Provider when configuring Tanzu Operations Manager.

To add Tanzu Operations Manager users:

  1. Target your Tanzu Operations Manager UAA:

    uaac target https://YOUR-OPSMANAGER-FQDN/uaa/
    

    Where YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Tanzu Operations Manager installation.

  2. Get your token:

    uaac token owner get
    Client ID: opsman
    Client Secret:
    Username: OPSMANAGER-ADMIN-USERNAME
    Password: OPSMANAGER-ADMIN-PASSWORD
    Successfully fetched token via client credentials grant.
    Target https://YOUR-OPSMANAGER-FQDN/uaa/
    

    Where:

    • YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Tanzu Operations Manager installation.
    • OPSMANAGER-ADMIN-USERNAME and OPSMANAGER-ADMIN-PASSWORD are the user name and password for the Tanzu Operations Manager admin user.

    The Client Secret field does not require a value.

  3. Add a user:

    uaac user add USER-NAME -p USER-PASSWORD --emails USER-EMAIL
    

    Where:

    • USER-NAME is the user name of the user you are adding.
    • USER-PASSWORD is the password with which this user authenticates.
    • USER-EMAIL is the email address associated with this user.
  4. (Optional) Set the Role-Based Access Control (RBAC) permissions for your user. For more information, see Configuring Role-Based Access Control (RBAC) in Tanzu Operations Manager.

Remove Tanzu Operations Manager users

This section describes how to remove users with UAAC. If you do not already have the UAAC installed, run gem install cf-uaac on the command line.

To remove Tanzu Operations Manager users:

  1. Target your Tanzu Operations Manager UAA:

    uaac target https://YOUR-OPSMANAGER-FQDN/uaa/
    
  2. Get your token:

    uaac token owner get
    Client ID: opsman
    Client Secret:
    Username: OPSMANAGER-ADMIN-USERNAME
    Password: OPSMANAGER-ADMIN-PASSWORD
    Successfully fetched token via client credentials grant.
    Target https://YOUR-OPSMANAGER-FQDN/uaa/
    

    Where:

    • YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Tanzu Operations Manager installation.
    • OPSMANAGER-ADMIN-USERNAME and OPSMANAGER-ADMIN-PASSWORD are the user name and password for the Tanzu Operations Manager admin user.

    The Client Secret field does not require a value.

  3. Delete a user:

    uaac user delete USER-NAME
    

    Where USER-NAME is the user name of the user you want to delete.

Add Tanzu Operations Manager client accounts

The following sections describe how to create client accounts for Tanzu Operations Manager automation using an admin account.

Log in to UAAC as an admin

To configure a client, you must first log in to UAAC as an admin.

Use one of the following two methods to authenticate to UAAC:

Authenticate using SAML or SSO

If you’re using SAML or SSO, authenticate to UAAC as an admin before creating a client.

To authenticate to UAAC:

  1. Target your UAA server.

    uaac target https://YOUR-OPSMANAGER-FQDN/uaa
    

    Where YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Tanzu Operations Manager installation.

  2. Log in as an admin.

    uaac token sso get
    
  3. When prompted, type the Client ID and passcode. Leave the client secret blank.

    Client ID: opsman
    Client secret:
    Passcode (from http://YOUR-OPSMANAGER-FQDN/uaa/passcode): YOUR-UAA-PASSCODE
    

    Where:

    • YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Tanzu Operations Manager installation.
    • YOUR-UAA-PASSCODE is the passcode with which you authenticate to UAA.

Authenticate using LDAP

If you’re using LDAP, authenticate to UAAC as an admin before creating a client.

To authenticate to UAAC:

  1. Target your UAA server.

    uaac target https://YOUR-OPSMANAGER-FQDN/uaa
    

    Where YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Tanzu Operations Manager installation.

  2. Log in as an admin.

    uaac token owner get
    
  3. When prompted, type the Client ID, your user name, and your password. Leave the client secret blank.

    Client ID: opsman
    Client secret:
    User name:  admin
    Password:  *****
    
  4. A message appears confirming that UAAC has “Successfully fetched token.”

Create a client

After you authenticate to UAAC, create a client to manage automated components and tasks.

To create a client:

  1. Create a client with role-based permissions, an ID, and an authentication secret using UAAC:

    uaac client add CLIENT-ID --authorized_grant_types client_credentials --authorities opsman.admin --secret CLIENT-SECRET
    

    Where:

    • CLIENT-ID is the name of your client.
    • CLIENT-SECRET is the secret you use to authenticate to your client.

The opsman.admin authority referenced in the previous example grants specific permissions to the client. You can choose which permissions you want the client to have by assigning a different role.

For more information about Tanzu Operations Manager roles and what they do, see Understanding Roles in Tanzu Operations Manager.

Add pre-created client

You can add a pre-created client to Tanzu Operations Manager using the Tanzu Operations Manager API in either of the following ways:

Add a pre-created client before initial deployment

This section describes how to add a pre-created client before you deploy Tanzu Operations Manager for the first time.

If you do not already have the UAAC installed, run gem install cf-uaac on the command line.

To add a pre-created client before you deploy Tanzu Operations Manager:

  1. Authenticate to and access the Tanzu Operations Manager API by following the steps in Using the Tanzu Operations Manager API.

  2. Pass the following command:

    POST /api/v0/setup
    

    Include any configuration details your deployment requires. For more information about configuring Tanzu Operations Manager with the API, see Setting up with SAML in the Tanzu Operations Manager API documentation.

  3. In the configuration details, specify this parameter:

    "precreated_client_secret": "YOUR-SECRET"
    

    Where YOUR-SECRET is the authentication secret you use to access the pre-created client.

    The authentication secret for the pre-created client must be between 1 and 255 ASCII characters.

When precreated_client_secret is passed, a UAA client called precreated-client is created. To use this client, see Authenticate as the Pre-Created Client.

Add or modify a pre-created client for an existing deployment

This section describes how to add a pre-created client after you have already deployed Tanzu Operations Manager. You can have only one pre-created client at a time. If you already have a pre-created client, you can also use this procedure to change its authentication secret.

To add a pre-created client to a Tanzu Operations Manager that has already been deployed, or change the secret of an existing pre-created client:

  1. Authenticate to and access the Tanzu Operations Manager API by following the steps in Using the Tanzu Operations Manager API.
  2. Pass the following command:

    PUT /api/v0/uaa/precreated_client
    
    "precreated_client_secret": "NEW-SECRET"
    

    Where NEW-SECRET is the authentication secret you use to access the pre-created client. This secret must be different from the previous secret you used. The secret cannot be blank.

    The authentication secret for the pre-created client must be between 1 and 255 ASCII characters.
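The following is an added example, not part of the Tanzu Operations Manager documentation or product: a Bash helper that checks a new secret against the 1 to 255 ASCII-character rule above before sending the PUT /api/v0/uaa/precreated_client request. It assumes the caller has set OPSMAN_FQDN and OPSMAN_TOKEN (a bearer token obtained as described in Using the Tanzu Operations Manager API); the function names and the DRY_RUN switch are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the Tanzu Operations Manager docs).
# Assumed environment: OPSMAN_FQDN, OPSMAN_TOKEN; set DRY_RUN=1 to print the
# request instead of sending it.

# Returns 0 if the secret is 1-255 printable ASCII characters, 1 otherwise.
validate_precreated_secret() {
  local secret="$1"
  local len=${#secret}
  if [ "$len" -lt 1 ] || [ "$len" -gt 255 ]; then
    return 1
  fi
  # Reject any byte outside printable ASCII (space through tilde).
  if printf '%s' "$secret" | LC_ALL=C grep -q '[^ -~]'; then
    return 1
  fi
  return 0
}

# Builds the JSON body, escaping backslash and double quote so the secret
# cannot break out of the JSON string.
precreated_client_body() {
  local secret="$1"
  secret=${secret//\\/\\\\}
  secret=${secret//\"/\\\"}
  printf '{"precreated_client_secret": "%s"}' "$secret"
}

# Creates or rotates the pre-created client secret. Returns 2 when the secret
# fails validation so callers can tell that apart from an API error.
rotate_precreated_client() {
  local secret="$1"
  validate_precreated_secret "$secret" || return 2
  local body
  body=$(precreated_client_body "$secret")
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'PUT https://%s/api/v0/uaa/precreated_client %s\n' "$OPSMAN_FQDN" "$body"
    return 0
  fi
  # The Tanzu Operations Manager API accepts the UAA access token as a bearer token.
  curl -sS -f -X PUT "https://${OPSMAN_FQDN}/api/v0/uaa/precreated_client" \
    -H "Authorization: Bearer ${OPSMAN_TOKEN}" \
    -H "Content-Type: application/json" \
    -d "$body"
}
```

Remember that the API rejects a secret identical to the previous one, so generate a fresh value for every rotation.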

To use this client, see Authenticate as the pre-created client.

Authenticate as the pre-created client

To authenticate to UAAC as the pre-created client:

  1. Target your UAA server.

    uaac target https://YOUR-OPSMANAGER-FQDN/uaa
    

    Where YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Tanzu Operations Manager installation.

  2. Log in as a client.

    uaac token client get precreated-client -s "PRECREATED-CLIENT-SECRET"
    
  3. A message appears confirming that UAAC has “Successfully fetched token.”

You have authenticated to UAAC as the pre-created client. Use this client to perform any automation tasks.

For more information about the Tanzu Operations Manager API, see Using the Tanzu Operations Manager API.
