Manage Roles and Groups in VMware Cloud Services

VMware Cloud services supports roles to manage authorization in your services on the platform, including VMware Aria Operations for Applications.

From the VMware Cloud Services Console, users with the VMware Cloud Organization Owner or Organization Administrator role can:

• Create groups and add new and existing users to each group.
• Create custom roles and assign Operations for Applications permissions to each role.
• Assign one or more service roles and custom roles to each group. It’s also possible to assign roles to individual users and server to server apps.

In addition to the roles model, Operations for Applications also supports access control for individual objects, for example, users with the Super Admin service role can limit access to a sensitive dashboard.

Manage Roles

The roles model allows you to make sure nobody can perform tasks without the corresponding permission.

Assigning roles to groups of users is most efficient and least error prone. It’s possible to assign a role to an individual account – that might make sense during a POC.

VMware Cloud services includes built-in service roles for each service on the platform, including Operations for Applications service roles. Additionally, VMware Cloud services supports custom roles.

• A role can be assigned for a certain time period or without an expiration date.
• At least one Operations for Applications service role is required for a user to have access to the Operations for Applications service instance. Custom roles are optional.

• In a multi-tenant environment, a user can have different service roles for the different Operations for Applications service instances (tenants). Custom roles apply to all tenants for which the user has a service role.

  Note: When you invite new users in a multi-tenant environment, make sure that you assign them the roles they need for each Operations for Applications service instance (tenant). For information on how to do this, see Invite New Users from the VMware Cloud Services Console.

The VMware Cloud Services Console Roles page lists all service roles and custom roles in your VMware Cloud organization. To navigate to this page:

1. Log in to the VMware Cloud Services Console as an Organization Owner or Organization Administrator.
2. If necessary, switch to the target organization. See How do I access another one of my Organizations.
3. In the left navigation pane, select Identity & Access Management > Roles.

Operations for Applications Service Roles (Built-in)

The VMware Cloud Services Console Roles page includes the following built-in Operations for Applications service roles:

• A corresponding Operations for Applications service role for each Operations for Applications permission, that is, each of the following service roles has only one permission assigned:

  • Admin
  • Alerts
  • Applications
  • Batch Query Priority
  • Charts Embedding
  • Dashboards
  • Derived Metrics
  • Direct Data Ingestion
  • Events
  • External Links
  • Ingestion Policies
  • Integrations
  • Logs
  • Metrics
  • Proxies
  • Sources

• Two special Operations for Applications service roles - one that grants full administrative access to the service, and another one that grants read-only access to the service:

  Service Role	Description
  Super Admin	When users with that service role enable Super Admin mode, they: Have all Operations for Applications permissions. Have access to all dashboards and alerts. Can restore orphan dashboards and alerts. Tip: Combine the Super Admin service role with the roles that you want the user to have when Super Admin mode is disabled.
  Viewer	Users with that service role: Don't have any Operations for Applications permissions. Can perform only the default tasks. Tip: Assign the Viewer service role individually or in combination with custom roles.

Create, Edit, or Delete a Custom Role

Custom roles let you combine service permissions of your choice, for example, Operations for Applications permissions. A custom role can have permissions for one or multiple services in your organization. For example, you can have a custom role that grants administrative permissions for one service and read-only permissions for another service.

To create a custom role:

1. On the VMware Cloud Services Console Roles page, click Add Role.
2. On the Add permissions tab, in the left panel, expand VMware Aria Operations for Applications.
3. In the panel on the right, select the permissions that you want to assign to the role, and click Continue.
4. On the Role information tab, enter a meaningful role name and description, and click Continue.
5. On the Review added permission tab, verify your selections and click Save.

To edit a custom role:

1. On the VMware Cloud Services Console Roles page, click the name of the target custom role.
2. Edit the role name, description, or permissions, and click Save.

To delete a custom role:

1. On the VMware Cloud Services Console Roles page, select one or more custom roles and click Remove Roles.
2. Click Remove to confirm.

Assign Default Roles for a Federated Domain

For a federated domain, users with the Organization Owner role can configure a policy with default VMware Cloud organization and service roles for all users in the federated domain. For details, see How do I assign default roles in my Organization in the VMware Cloud services documentation.

Manage User Groups

For efficient user management, you can create groups of users and assign roles to these groups. You can add new and existing users to a group. You can assign service roles and custom roles to a group.

See How do I work with groups in the VMware Cloud services documentation.

Grant or Revoke a User’s Role Explicitly

To change the roles that are individually assigned to a user, see How do I change user roles.