You can use Active Directory groups with vRealize Log Insight through VMware Identity Manager single sign-on authentication. Your site must be configured for VMware Identity Manager authentication that is enabled for Active Directory support, and server synchronization must be in place.

You must also import group information to vRealize Log Insight.

A VMware Identity Manager user inherits roles that are assigned to any group the user belongs to in addition to the roles that are assigned to the individual user. For example, you can assign Group A to the role of View Only Admin and assign a user to the role of User. The same user can also be assigned to Group A. When the user logs in, they inherit the group role with privileges for both the View Only Admin and User roles.

The group is not a VMware Identity Manager local group, but an Active Directory group that is synchronized with VMware Identity Manager.


  • Verify that you have configured the UPN attribute (userPrincipalName) attribute. It can be configured through the VMware Identity Manager administrator interface at Identity & Access Management > User Attributes.
  • Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin user, or a user associated with a a role that has the Access control permission with Edit access level. The URL format of the web user interface is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.

  • Verify that you configured VMware Identity Manager support in vRealize Log Insight. See Activate User Authentication Through VMware Identity Manager


  1. Expand the main menu and navigate to Management > Access Control.
  2. Click Users.
  3. Scroll to the Directory Groups table and click New Group.
  4. Select VMware Identity Manager from the Type drop-down menu.
    The default domain name that you specified when you configured VMware Identity Manager support appears in the Domain text box.
  5. Change the domain name to the Active Directory name for the group.
  6. Enter the name of the group that you want to add.
  7. From the Roles list on the right, select one or more predefined or custom user roles.
    Option Description
    Dashboard User Dashboard users can only use the Dashboards page of vRealize Log Insight.
    Super Admin Super Admin users can access all the functionalities of vRealize Log Insight, can administer vRealize Log Insight, and can manage the accounts of all other users.
    User Users can access all the functionalities of vRealize Log Insight. Users can view log events, run queries to search and filter logs, import content packs into their own user space, view alerts, and manage their own user accounts to change a password or email address. Users do not have access to the administration options and cannot share content with other users, create or modify alerts, modify the accounts of other users, and or install a content pack from the Marketplace. However, they can import a content pack into their own user space which is visible only to them.
    View Only Admin View Only Admin users can view Admin information, have full User access, and can edit shared content.
    Custom Role A user with a custom role can view or modify information based on the permissions associated with the role.
    To view the permissions associated with a predefined or custom role, in the Access Control page, click the Roles tab and then click Show Permissions against the role.
  8. Click Save.
    For authentication, vRealize Log Insight verifies whether the user's domain is linked to a group. If the domain does not belong to a group, vRealize Log Insight verifies whether the domain has established trust with a domain associated with a group. If cross-domain trust has been established, the user can log in to vRealize Log Insight, and the corresponding user account is added to the user table in Access Control > Users.


Users that belong to the group that you added can use their VMware Identity Manager account to log in to vRealize Log Insight and have the same level of permissions as the group to which they belong.