Creating and Managing Ops Manager User and Client Accounts

This topic describes how to add and remove VMware Tanzu Operations Manager (Ops Manager) users. It also describes how you can use an administrator Ops Manager account to create client accounts that you can use for Ops Manager automation.

Overview

Ops Manager supports multiple user accounts in Ops Manager. A User Account and Authentication (UAA) module co-located on the Ops Manager VM manages access permissions to Ops Manager.

When Ops Manager boots for the first time, you create an admin user. However, you do not create additional users through the Ops Manager web interface. If you want to create additional users who can log into Ops Manager, you must use the UAA API, either through curl or the UAA Command Line Client (UAAC).

Users are not the only type of account you can create for Ops Manager. You can also create client accounts, which connect automation tools and scripts to Ops Manager. VMware recommends using clients to handle automated tasks.

Note: Users that are created this way do not persist if UAA authentication settings change.

Client accounts are not bound to the same authentication protocols as user accounts. A user account that controls automated components can cause those components to fail if the account experiences inconsistent availability due to permission or authentication issues.

You can create client accounts after deploying Ops Manager, or during configuration for an initial deployment. For more information about adding clients during initial configuration or after deployment, see Add Pre-Created Client below.

Add Ops Manager Users

This section describes how to add or remove users with UAAC. If you do not already have the UAAC installed, run gem install cf-uaac on the command line.

Note: You can only manage users on the Ops Manager UAA module if you chose to use Internal Authentication instead of an external Identity Provider when configuring Ops Manager.

To add Ops Manager users:

Target your Ops Manager UAA:
```
uaac target https://YOUR-OPSMANAGER-FQDN/uaa/
```
Where YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
Get your token:
```
uaac token owner get
Client ID: opsman
Client Secret:
Username: OPSMANAGER-ADMIN-USERNAME
Password: OPSMANAGER-ADMIN-PASSWORD
Successfully fetched token via client credentials grant.
Target https://YOUR-OPSMANAGER-FQDN/uaa/
```
Where:
- YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
- OPSMANAGER-ADMIN-USERNAME and OPSMANAGER-ADMIN-PASSWORD are the username and password for the Ops Manager admin user.
Note: The Client Secret field does not require a value.
Add a user.
```
uaac user add USER-NAME -p USER-PASSWORD --emails USER-EMAIL@EXAMPLE.COM
```
Where:
- USER-NAME is the username of the user you are adding.
- USER-PASSWORD is the password with which this user authenticates.
- USER-EMAIL is the email address associated with this user.
(Optional) Set the Role-Based Access Control (RBAC) permissions for your user. For more information, see Configuring Role-Based Access Control (RBAC) in Ops Manager.

Remove Ops Manager Users

To remove Ops Manager users:

Target your Ops Manager UAA:

uaac target https://YOUR-OPSMANAGER-FQDN/uaa/

Get your token:
```
uaac token owner get
Client ID: opsman
Client Secret:
Username: OPSMANAGER-ADMIN-USERNAME
Password: OPSMANAGER-ADMIN-PASSWORD
&nbsp;
Successfully fetched token via client credentials grant.
Target https://YOUR-OPSMAN-FQDN/uaa/
```
Where:
- YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
- OPSMANAGER-ADMIN-USERNAME and OPSMANAGER-ADMIN-PASSWORD are the username and password for the Ops Manager admin user.
Note: The Client Secret field does not require a value.
Delete a user:
```
uaac user delete USER-NAME
```
Where USER-NAME is the username of the user you wish to delete.

Add Ops Manager Client Accounts

The following sections describe how to create client accounts for Ops Manager automation using an admin account.

Log in to UAAC as an Admin

In order to configure a client, you must first log in to UAAC as an admin.

Use one of the following two methods to authenticate to UAAC:

Authenticate Using SAML or SSO
Authenticate Using LDAP

Authenticate Using SAML or SSO

If you’re using SAML or SSO, authenticate to UAAC as an admin before creating a client.

To authenticate to UAAC:

Target your UAA server.
```
uaac target https://YOUR-OPSMANAGER-FQDN/uaa
```
Where YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
Log in as an admin.
```
uaac token sso get
```
When prompted, type the Client ID and passcode. Leave the client secret blank.
```
Client ID: opsman
Client secret:
Passcode (from http://YOUR-OPSMANAGER-FQDN/uaa/passcode): YOUR-UAA-PASSCODE</pre>
```
Where:
- YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
- YOUR-UAA-PASSCODE is the passcode with which you authenticate to UAA.

Authenticate Using LDAP

If you’re not using SAML or SSO, authenticate to UAAC as an admin before creating a client.

To authenticate to UAAC:

Target your UAA server.
```
uaac target https://YOUR-OPSMANAGER-FQDN/uaa
```
Where YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
Log in as an admin.
```
uaac token owner get
```
When prompted, type the Client ID, your username, and your password. Leave the client secret blank.
```
Client ID: opsman
Client secret:
User name:  admin
Password:  *****
```
A message appears confirming that UAAC has Successfully fetched token.

Create a Client

After you authenticate to UAAC, create a client to manage automated components and tasks.

To create a client:

Create a client with role-based permissions, an ID, and an authentication secret using UAAC:
```
uaac client add CLIENT-ID --authorized_grant_types client_credentials --authorities opsman.admin --secret CLIENT-SECRET
```
Where:
- CLIENT-ID is the name of your client.
- CLIENT-SECRET is the secret you use to authenticate to your client.

The opsman.admin authority referenced in the example above grant specific permissions to the client. You can choose which permissions you wish the client to have by assigning a different role.

For more information about Ops Manager roles and what they do, see Understanding Roles in Ops Manager.

Add Pre-Created Client

You can add a pre-created client to Ops Manager using the Ops Manager API in either of the following ways:

Add a Pre-Created Client Before Initial Deployment, or
Add or Modify a Pre-Created Client for an Existing Deployment

Add a Pre-Created Client Before Initial Deployment

This section describes how to add a pre-created client before you deploy Ops Manager for the first time.

If you do not already have the UAAC installed, run gem install cf-uaac on the command line.

To add a pre-created client before you deploy Ops Manager:

Authenticate to and access the Ops Manager API by following the steps in Using the Ops Manager API.
Pass the following command:
```
POST /api/v0/setup
```
Include any configuration details your deployment requires. For more information about configuring Ops Manager with the API, see the Setting Up with SAML in the Ops Manager API documentation.
In the configuration details, specify this parameter:
```
"precreated_client_secret": "YOUR-SECRET"
```
Where YOUR-SECRET is the authentication secret you use to access the pre-created client.

Note: The authentication secret for the pre-created client must be between 1 and 255 ASCII characters.

When precreated_client_secret is passed, a UAA client is created called precreated-client. To use this client, see Authenticate as the Pre-Created Client.

Add or Modify a Pre-Created Client for an Existing Deployment

This section describes how to add a pre-created client after you have already deployed Ops Manager. You may only have one pre-created client at a time. If you have an existing pre-created client, you may also use this procedure to change its authentication secret.

To add a pre-created client to an Ops Manager that has already been deployed, or change the secret of an existing pre-created client:

Authenticate to and access the Ops Manager API by following the steps in Using the Ops Manager API.
Pass the following command:
```
PUT /api/v0/uaa/precreated_client

"precreated_client_secret": "NEW-SECRET"
```
Where NEW-SECRET is the authentication secret you use to access the pre-created client. This secret must differ from the previous secret you used. The secret cannot be blank.

Note: The authentication secret for the pre-created client must be between one and 255 ASCII characters.

To use this client, see Authenticate as the Pre-Created Client.

Authenticate as the Pre-Created Client

To authenticate to UAAC as the pre-created client:

Target your UAA server.
```
uaac target https://YOUR-OPSMANAGER-FQDN/uaa
```
Where YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.

uaac token client get precreated-client -s "PRECREATED-CLIENT-SECRET"

A message appears confirming that UAAC has Successfully fetched token.

You have authenticated to UAAC as the pre-created client. Use this client to perform any automation tasks you wish.

For more information about the Ops Manager API, see Using the Ops Manaager API.