vRealize Operations supports vCenter Server users. To log in to vRealize Operations, vCenter Server users must be valid users in vCenter Server.
Roles and Associations
A vCenter Server user must have either the vCenter Server Admin role or one of the vRealize Operations privileges, such as PowerUser, assigned at the root level in vCenter Server, to log in to vRealize Operations. vRealize Operations uses only the vCenter privileges, meaning the vRealize Operations roles, at the root level, and applies them to all the objects to which the user has access. After logging in, vCenter Server users can view all the objects in vRealize Operations that they can already view in vCenter Server.
Logging in to vCenter Server Instances and Accessing Objects
vCenter Server users can access either a single vCenter Server instance or multiple vCenter Server instances, depending on the authentication source they select when they log in to vRealize Operations.
- If users select a single vCenter Server instance as the authentication source, they have permission to access the objects in that vCenter Server instance. After the user has logged in, an account is created in vRealize Operations with the specific vCenter Server instance serving as the authentication source.
- If users select All vCenter Servers as the authentication source, and they have identical credentials for each vCenter Server in the environment, they see all the objects in all the vCenter Server instances. Only users that have been authenticated by all the vCenter Servers in the environment can log in. After a user has logged in, an account is created in vRealize Operations with all vCenter Server instances serving as the authentication source.
vRealize Operations does not support linked vCenter Server instances. Instead, you must configure the vCenter Server adapter for each vCenter Server instance, and register each vCenter Server instance to vRealize Operations.
Only objects from a specific vCenter Server instance appear in vRealize Operations. If a vCenter Server instance has other linked vCenter Server instances, the data does not appear.
vCenter Server Roles and Privileges
You cannot view or edit vCenter Server roles or privileges in vRealize Operations. vRealize Operations sends roles as privileges to vCenter Server as part of the vCenter Server Global privilege group. A vCenter Server administrator must assign vRealize Operations roles to users in vCenter Server.
vRealize Operations privileges in vCenter Server have the role appended to the name. For example, vRealize Operations ContentAdmin Role, or vRealize Operations PowerUser Role.
Read-Only Principal
A vCenter Server user is a read-only principal in vRealize Operations, which means that you cannot change the role, group, or objects associated with the role in vRealize Operations. Instead, you must change them in the vCenter Server instance. The role applied to the root folder applies to all the objects in vCenter Server to which a user has privileges. vRealize Operations does not apply individual roles on objects. For example, if a user has the PowerUser role to access the vCenter Server root folder, but has read-only access to a virtual machine, vRealize Operations applies the PowerUser role to the user to access the virtual machine.
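The rule above can be modelled for an access review. This is an added example, not VMware code: the dictionary layout, the inventory paths, the access labels and the `VC_ADMIN` label are constructed assumptions, and only the "vRealize Operations <Role> Role" naming pattern comes from this page.

```python
"""Model of how vRealize Operations applies a vCenter user's root-level role."""

PREFIX, SUFFIX = "vRealize Operations ", " Role"  # naming pattern stated on the page
VC_ADMIN = "vCenter Server Admin"                 # label assumed here for the Admin role


def root_role(root_assignments):
    """Return the role used for the user, or None if login would be refused.

    root_assignments: names assigned to the user at the vCenter root level.
    """
    for name in root_assignments:
        if name == VC_ADMIN:
            return VC_ADMIN
        if name.startswith(PREFIX) and name.endswith(SUFFIX):
            return name[len(PREFIX):-len(SUFFIX)]
    return None


def audit(user):
    """Pair each object the user holds read-only in vCenter with the
    root-level role that vRealize Operations applies to it instead."""
    role = root_role(user["root"])
    if role is None:
        return []  # no root-level role or privilege: the user cannot log in
    return sorted(
        (obj, role)
        for obj, access in user["objects"].items()
        if access == "read-only"
    )


# Constructed sample users (not a real vCenter export).
ALICE = {
    "root": ["vRealize Operations PowerUser Role"],
    "objects": {
        "/dc1/vm/payroll-db": "read-only",
        "/dc1/vm/web01": "power-user",
        "/dc1/vm/hr-app": "read-only",
    },
}
BOB = {"root": [], "objects": {"/dc1/vm/web01": "read-only"}}

if __name__ == "__main__":
    for name, user in (("alice", ALICE), ("bob", BOB)):
        print(name, root_role(user["root"]), audit(user))
```

Each pair returned by `audit` is an object where the per-object restriction set in vCenter Server has no effect inside vRealize Operations, so the root-level assignment is the one to review.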
Refreshing Permissions
When you change permissions for a vCenter Server user in vCenter Server, the user must log out and log back in to vRealize Operations to refresh the permissions and view the updated results in vRealize Operations. Alternatively, the user can wait for vRealize Operations to refresh. The permissions refresh at fixed intervals, as defined in the $ALIVE_BASE/user/conf/auth.properties file. The default refreshing interval is half an hour. If necessary, you can change this interval for all nodes in the cluster.
Single Sign-On and vCenter Users
When vCenter Server users log in to vRealize Operations by way of single sign-on, they are registered on the vRealize Operations User Accounts page. If you delete the account of a vCenter Server user that has logged in to vRealize Operations by way of single sign-on, or remove the user from a single sign-on group, the user account entry still appears on the User Account page and you must delete it manually.
Generating Reports
vCenter Server users cannot create or schedule reports in vRealize Operations.