Learn the basics and onboard Tanzu Observability to VMware Cloud services.

Starting with the 2022-xy release, Tanzu Observability by Wavefront is a service on VMware Cloud services.

If your Wavefront instance is onboarded to VMware Cloud services, VMware Cloud services provides features to your Tanzu Observability environment, such as:

  • Centralized user authentication and authorization with role-based access control.
  • SAML 2.0 SSO identity federation with your enterprise identity provider.

What Is the VMware Cloud Services Console?

The VMware Cloud Services Console lets you manage your entire VMware Cloud services portfolio across hybrid and native public clouds. Tanzu Observability by Wavefront is one of the many services that you can access, configure, and consume through this console. See Using VMware Cloud Services Console for more details.

Before you access your Tanzu Observability environment from the VMware Cloud Services Console, you must onboard one or more Tanzu Observability service instances (tenants) to VMware Cloud services.

What Is a VMware Cloud Services Organization?

VMware Cloud uses organizations to provide controlled access to one or more services. The VMware Cloud organization is a top-level construct which owns one or more cloud services (subscriptions). You can have multiple VMware Cloud organizations. Each organization can have multiple Tanzu Observability service instances (tenants). See How do I manage my Cloud Services organizations for more details.

You can create a VMware Cloud organization only when you are onboarding a new service instance, for example, when you are onboarding a Tanzu Observability service instance (tenant).

What Is a VMware Cloud Services Account?

A VMware Cloud services account is a user (human) account in VMware Cloud services with which you can access all of your service instances, including Tanzu Observability. A VMware account logs in to VMware Cloud services with an email address and password. A VMware Cloud services account can be one of the following:

  • A VMware account (VMware ID) that you create in the VMware Cloud Services Console.

    You can create a VMware account independently, while onboarding a service instance, or while signing up to a service instance with an invitation link.

  • Your corporate account if your enterprise domain is federated. You might still need to create a VMware account and link it to your corporate account if you need to access billing information in the organization.

    See What is enterprise federation and how does it work.

VMware Cloud Organization Roles

Each VMware Cloud services account can belong to one or more VMware Cloud organizations. For each organization, each VMware Cloud services account has an organization role - either organization owner or organization member.

  • Organization owners have full administrative access to the organization’s resources and can assign role-based access to organization members. They can also assign roles to themselves.

    When you create an organization during a service onboarding process, you become its first organization owner.

  • Organization members have read-only access to the organization’s resources. They can have additional access if they are assigned additional roles.

See What organization roles are available in VMware Cloud Services for details.

Tanzu Observability Service Roles

To grant a user access to a Tanzu Observability service instance (tenant), an organization owner must assign a Tanzu Observability service role to that user. Service roles grant and deny permissions in Tanzu Observability, as shown in the following table:

| Tanzu Observability Service Role | Description |
|---|---|
| Super Admin | Has all permissions and can perform Super Admin tasks. |
| Accounts Administrator | Can manage user and service accounts, groups, roles, and API tokens. All permissions are allowed and can be assigned from the Tanzu Observability UI. |
| User | Can manage dashboards, events, alerts, maintenance windows, and alert targets. Cannot manage user and service accounts. |
| Viewer | Has read-only access and can monitor alerts, dashboards, and so on. Cannot manage accounts and objects. |
| Controlled in Tanzu Observability | Initially granted with read-only access. All permissions are allowed and can be assigned from the Tanzu Observability UI. |

For multi-tenant access, a given user can have different Tanzu Observability service roles for the different Tanzu Observability service instances (tenants).

When the Tanzu Observability service roles are combined for the same Tanzu Observability service instance:

  • The Super Admin service role always takes precedence.
  • Permissions denied by one service role can be granted by another service role.

    For example, if a user has the Accounts Administrator and User service roles, that user gets onboarded to the Tanzu Observability service instance with permissions to manage user and service accounts as well as dashboards, events, alerts, maintenance windows, and alert targets.

  • The Controlled in Tanzu Observability service role overrides the Accounts Administrator, User, and Viewer service roles.

    For example, if a user has the Accounts Administrator and Controlled in Tanzu Observability service roles, that user gets onboarded to the Tanzu Observability service instance without any permissions.

Who Are the Users with the Accounts Permission?

While VMware Cloud organization owners perform access management in VMware Cloud services, users with the Accounts permission perform access management in Tanzu Observability. These users include:

  • Users with the Super Admin service role.
  • Users with the Accounts Administrator service role.
  • Users with the Controlled in Tanzu Observability service role to whom the Accounts permission is additionally granted in Tanzu Observability.
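The role-combination rules and the list of Accounts-permission holders above can be turned into an access-review check. The following Python sketch is an added example, not VMware code or a product API; the permission labels, the assignment format, and the sample users and tenants are constructed for illustration.

```python
# Added example. Permission labels are shorthand invented here for the
# capabilities named in the service-role table; they are not product identifiers.
ACCOUNTS = "accounts"  # manage user and service accounts, groups, roles, API tokens
OBJECTS = "objects"    # manage dashboards, events, alerts, maintenance windows, alert targets
SUPER_ADMIN = "Super Admin"
CONTROLLED = "Controlled in Tanzu Observability"
GRANTS = {"Accounts Administrator": {ACCOUNTS}, "User": {OBJECTS}, "Viewer": set()}


def effective_permissions(roles):
    """Return (permissions granted by service roles, managed_in_ui) for one tenant."""
    roles = set(roles)
    unknown = roles - set(GRANTS) - {SUPER_ADMIN, CONTROLLED}
    if unknown:
        raise ValueError(f"unknown service role(s): {sorted(unknown)}")
    if SUPER_ADMIN in roles:          # always takes precedence
        return {ACCOUNTS, OBJECTS}, False
    if CONTROLLED in roles:           # overrides Accounts Administrator, User, Viewer
        return set(), True
    perms = set()
    for role in roles:                # a grant from any role wins over another role's denial
        perms |= GRANTS[role]
    return perms, False


def review(assignments):
    """Flag assignments an access reviewer should look at, per (user, tenant)."""
    findings = []
    for (user, tenant), roles in sorted(assignments.items()):
        perms, in_ui = effective_permissions(roles)
        overridden = set(roles) & set(GRANTS)
        if in_ui and overridden:
            findings.append((user, tenant, "overridden: " + ", ".join(sorted(overridden))))
        if in_ui:
            findings.append((user, tenant, "check Accounts permission in the UI"))
        elif ACCOUNTS in perms:
            findings.append((user, tenant, "holds Accounts permission"))
    return findings


# Constructed sample: one user with different roles on two tenants.
SAMPLE = {
    ("alice@example.com", "tenant-a"): ["Accounts Administrator", "User"],
    ("alice@example.com", "tenant-b"): ["Viewer"],
    ("bob@example.com", "tenant-a"): ["Accounts Administrator", CONTROLLED],
    ("carol@example.com", "tenant-a"): [SUPER_ADMIN, CONTROLLED],
}

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep=" | ")
```

For users flagged with "check Accounts permission in the UI", the service roles alone do not show whether the Accounts permission is held, because it can be granted additionally in Tanzu Observability.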

Onboarding a Tanzu Observability Service Instance to VMware Cloud Services

After you sign your subscription contract with VMware for accessing Tanzu Observability, you must onboard your Tanzu Observability environment to VMware Cloud services. For that purpose, your VMware contact and the Tanzu Observability team work with you and ask you for the following information:

  • The email address of your administrative representative who will onboard your Tanzu Observability service instance and make it available on VMware Cloud services.

    If you want to onboard your Tanzu Observability service instance to an existing VMware Cloud organization, this email address must belong to the VMware Cloud services account of an organization owner for that organization.

  • Optionally, the organization ID to which you want to onboard your Tanzu Observability service instance.

    If you want to onboard your Tanzu Observability service instance to an existing VMware Cloud organization, you must provide the ID of that organization. See View the Organization ID for details.

  • The tenant name for your Tanzu Observability service instance. For a multi-tenant environment, you must provide all tenant names.

To onboard a Tanzu Observability service instance, follow these steps:

  1. Click the invitation link in your welcome email.

    You are directed to the VMware Cloud Services Console.

  2. Sign in with your VMware Cloud services account (VMware account).

    If you don’t have a VMware account, you must create one.

  3. Select the existing organization that you previously provided to the Tanzu Observability team or create a new one.

    When creating an organization, you must enter a name for the organization, the organization address, and payment details.

  4. Review the VMware Cloud Services Terms of Service, select the check box to agree, and click Continue.

    You are redirected to your Wavefront instance. Your initial Tanzu Observability service role is User but you can change it.

    • If you onboarded the service instance to an existing organization, you are logged in to your Wavefront instance with your user account.
    • If you onboarded the service instance to a newly created organization, you receive an authentication error message because the organization and the service instance are not associated yet.

  5. Invite users to your Tanzu Observability service instance.

Onboarding Your Existing Tanzu Observability Service Instance to VMware Cloud Services

Even if you subscribed to Tanzu Observability prior to the 2022-xy release, you can still onboard your existing Wavefront environment to VMware Cloud services. To initiate the process, contact the Tanzu Observability team and follow the onboarding process.

What Will Change?

  • User accounts authenticate to Tanzu Observability with VMware Cloud services accounts (VMware accounts or federated corporate accounts).
  • Multi-tenant SSO is provided out-of-the-box.
  • Centralized federation with your enterprise identity provider.
  • Nobody can invite or delete users from the Tanzu Observability UI anymore. Only VMware Cloud organization owners can add or delete users for the Tanzu Observability service instance, including Super Admin users.
  • Each user has a Tanzu Observability service role assigned by the VMware Cloud organization owner. Users with the Accounts permission can still manage user roles and permissions but they cannot override permissions that are granted and denied by service roles.