You can use Active Directory groups with vRealize Log Insight through VMware Identity Manager single sign-on authentication. Your site must be configured for VMware Identity Manager authentication that is enabled for Active Directory support, and server synchronization must be in place.

You must also import group information to vRealize Log Insight

A VMware Identity Manager user inherits roles that are assigned to any group the user belongs to in addition to the roles that are assigned to the individual user. For example, an Administrator can assign GroupA to the role of View Admin and assign the user Bob to the role of User. Bob can also be assigned to GroupA. When Bob logs in, he inherits the group role and has privileges for both the View Admin and User roles.

The group is not a VMware Identity Manager local group, but an Active Directory group that is synchronized with VMware Identity Manager.


  • Verify that you have configured the UPN attribute (userPrincipalName) attribute. It can be configured through the VMware Identity Manager administrator interface at Identity & Access Management > User Attributes.
  • Verify that you are logged in to the vRealize Log Insight web user interface as a user with the Edit Admin permission. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
  • Verify that you configured VMware Identity Manager support in vRealize Log Insight. See Enable User Authentication Through VMware Identity Manager


  1. Click the configuration drop-down menu icon and select Administration.
  2. Under Management, click Access Control.
  3. Click Users and Groups.
  4. Scroll to the Directory Groups table and click New Group.
  5. Select VMware Identity Manager from the Type drop-down menu.
    The default domain name that you specified when you configured VMware Identity Manager support appears in the Domain text box.
  6. Change the domain name to the Active Directory name for the group.
  7. Enter the name of the group that you want to add.
  8. From the Roles list on the right, select one or more predefined or custom user roles.
    Option Description
    User Users can access the full functionality of vRealize Log Insight. You can view log events, run queries to search and filter logs, import content packs into their own user space, add alert queries, and manage your own user accounts to change a password or email address. Users do not have access to the administration options, cannot share content with other users, cannot modify the accounts of other users, and cannot install a content pack from the Marketplace. However, you can import a content pack into your own user space which is visible only to you.
    Dashboard User Dashboard users can only use the Dashboards page of vRealize Log Insight.
    View Only Admin View Admin users can view Admin information, have full User access, and can edit Shared content.
    Super Admin Super Admin users can access the full functionality of vRealize Log Insight, can administer vRealize Log Insight, and can manage the accounts of all other users.
  9. Click Save.
    vRealize Log Insight verifies whether VMware Identity Manager is synchronized with the specified group and its domain. If the group cannot be found, a dialog box informs you that vRealize Log Insight cannot verify that group. You can save the group without verification or cancel to correct the group name or domain.


Users that belong to the group that you added can use their VMware Identity Manager account to log in to vRealize Log Insight and have the same level of permissions as the group to which they belong.