You can assign a user account to one or more user groups, and assign roles and objects to the account to specify the actions the user can perform and upon what objects. Assign the Administrators role only to specific users who must access objects and perform actions in the entire environment.

Where You Assign Groups, Roles, and Objects to User Accounts

To assign groups, roles, and objects to a user account, click Administration, and then in the left pane click Access > Access Control.

Table 1. Access Control Add or Edit User Workspace - Assign Groups and Permissions Page

Assign Groups Roles, and Objects Options

Description

Groups

Select or deselect the groups associated with the user account. To select or deselect all accounts, click the Group Name check box. You cannot add user accounts to groups that you imported from an LDAP database.

Objects

Roles determine which actions a user can perform in the system. Select a role from the Select Role drop-down menu, and then select the Assign this role to the user checkbox. You can associate more than one role with the user account.

Select which objects the user can access when assigned this role.

  • Select Object Hierarchies: Displays groups of objects. Select an object in this list to select all the objects in the hierarchy,

  • Select Object: To select specific objects within the object hierarchy, click the down arrow to expand the list of objects. For example, expand the Adapter Instance hierarchy, and select one or more adapters.

  • Allow access to all objects in the system: Select this check box to permit the user account access to all objects in the system.

Note:

When you assign a user permission to take action on a parent object, such as an adapter, that user can perform the same action on all the parent's child objects. For example, if a user has permission to access the vRealize Operations Manager adapter, that user can access all the virtual machines associated with the adapter. This is true even if the same user holds another role that permits limited access to only one specific virtual machine.