Tuesday, January 13, 2015

vRealize Operations 6.0 - Access Control and Dashboard Management

No doubt, vRealize Operations 6.0 is extremely powerful and provides a vast improvement over previous versions. However, it took me a while to navigate some aspects of the new merged UI, in all likelihood it is probably because of my familiarity with the vSphere and Custom UI in version 5.8. In my humble opinion, sometimes when developing a product we lose sight of the balance of usability and features. Recently, I read the book The Design of Everyday Things by Donald Norman, which I highly recommend; I think it should be standard reading for any product manager. When I use a product, I expect it to be as seamless and easy to use as an Apple iPad. Although my wife might not understand what is being presented in the product, I want it to be easy enough that she can manipulate the interface and have labels with detailed information that she can understand.

To illustrate my point, my youngest child was able to fluently use an iPad when he was 14 months old because it was designed with usability in mind, his favorite application at the time, Tom the Cat.

Now that I have digressed, I am going to explain how to setup access control for different users and manage the dashboards options to provide a custom portal for your application developers, IT operators, or business leadership. This is when vRealize Operations becomes a powerful tool, by focusing on specific criteria for your IT and business partners so they have relevant information from the data center metrics provided.

Access control specifies who (user or user group) can do what (privilege) to what (object). For instance, an individual in your network operations center (NOC) needs the capability to review the performance and capacity of your management virtual machines. Since we are going to be using my lab environment, we would create a local user account, specify the group membership, define his user role, and then select the objects he has access to in vRealize Operations.

Users and user groups can be authenticated from different sources, including vRealize Operations local users, LDAP users, and Virtual Center users. Local users will be delegated to xDB for authentication, LDAP users will be delegated to LDAP for authentication, and Virtual Center users will be delegated to Virtual Center for authentication.

The best practice for access control is to use LDAP users and groups. Keep in mind; vRealize 6.0 does not currently support SSO, that is a roadmap item.

A privilege is a specific access right to perform an action. An example of this would be the action to create a new dashboard. A role is a functional grouping of privileges; PowerUser is a role that includes all privileges except for the ones related to user management and cluster management.

Now lets get started with creating our user account with the PowerUser role and access to the Management Application Group I created in my previous post. To start with, from the vRealize Operations home page click on the Administration link and then select Access Control from the navigation panel on the left.

 To create our new user, we are going to click on the green + sign under User Accounts.

We are going to enter the user information; including the User Name, Password, First Name, Last Name, and Email Address. Additionally, there are options to disable the user account, lock the user account, and require a password change at next login. I am going to leave these unchecked for this account.

Next, we are going to assign the Groups we want the account to be a member of. I am leaving the default group of Everyone and adding Power Users.

As mentioned above, roles are functional grouping of privileges; I am going to check the PowerUser role for this specific account.

Click on the Objects tab, I am going to click on Applications in the center panel and then select the Management Application Group which includes two objects, my vRealize Operations Manager virtual machine and my VMware vCenter Server appliance.

Now when I log into vRealize Operations Manager with my jgaudreau account, I can only see the VMware vCenter Server Appliance and vRealize Operations Manager virtual machines under vSphere Hosts and Clusters.

In this next section, we are going to perform the tasks to limit the amount of dashboards visible on the vRealize Operations Manager home page for our new user.

We are going to click on the Content link on the home page.

Make sure you have selected Dashboards in the navigation panel, and then click on the gear icon and click on Share Dashboards.

If you want everyone that uses vRealize Operations Manager to see a particular dashboard, you will include it in the Everyone group. On the Share Dashboards window, select the Everyone group and remove all the dashboards except Recommendations. For our scenario, I just want to have Recommendations showing for all users. Remember, the jgaudreau account I created earlier is a member of the Everyone group and the Power Users group.

Not Grouped, shows all the available dashboards. It provides you with the column count of the dashboard, the number of widgets included in the dashboard, if the dashboard is shared, and if it is a locked dashboard. I am going to drag the vSphere VMs Memory, vSphere VMs CPU, and vSphere VMs Disk and Networking to my Power Users group.

In the diagram below, we recognize the groups are now showing under Power Users.

By default, Diagnose and Self Health are visible on the Home page.

To remove these two dashboards, we are going to click on the gear icon and then select Remove Dashboard(s) from Home. You will do this for both Diagnose and Self Health.

Now when I log on to the vRealize Operations Manager Home page with my jgaudreau account, the only dashboard that are displayed are Recommendations (Everyone), vSphere VM Memory (Power User), vSphere VMs CPU (Power User), and vSphere VMs Disk and Network (Power User).

We have created a vRealize Operations web portal for our NOC account that is limited in their ability to view only two objects and only displays four dashboards. 

Now, let's focus back to vCenter Operations Manager 5.8. With the previous version you could create custom dashboards focused on specific application groupings, but you could not limit their ability to access all the objects. This is a significant enhancement in vRealize Operations Manager 6.0 that really helps you deliver only the information required to your IT and business users.
News: Top vBlog 2016 Trending: DRS Advanced Settings