Create and manage user accounts.

Tanzu Observability by Wavefront supports:

  • User accounts, discussed here, which authenticate with a username and password.
  • Service accounts, which authenticate with a token.

You can manage authorization in your environment by:

  • Assigning and revoking roles for groups or accounts to give global permissions.
  • Granting and revoking access to individual objects (initially dashboards and alerts) for accounts and groups.

What Are User Accounts?

User accounts log in with a username and password.

  • All authenticated users can perform certain tasks such as viewing dashboards and charts or sharing links to charts.
  • Roles determine what users can do globally. Each role has one or more permissions. For example, assume that you have created an Interns role that has the Dashboard permission. All users with the Interns role can view and manage all dashboards.
  • Access applies to individual objects. For example, some users don’t have access to a dashboard with financial data. Users who have modify access for a dashboard or alert can grant or revoke access for that object.

Add a User Account to Your Wavefront Instance

You can send invitation emails to new users. The invitation email contains an account activation link for the new user to redeem and set a password.

For Non-VMware Cloud Services Customers

If your Wavefront instance isn’t onboarded to VMware Cloud services and Single Sign-On (SSO) isn’t configured, users with the Accounts permission can invite new users from the Tanzu Observability UI.

  1. From the gear icon on the toolbar, select Accounts.
  2. On the User Accounts tab, click Invite New Users.
  3. In the Invitees text box, enter a comma-separated list of email addresses.
  4. Specify user groups. You cannot remove users from the Everyone group.
  5. To grant permissions individually to the users, you can:
    • Assign a role to the user
    • Give the user explicit permissions
  6. Click Invite.

Each invited user receives an email with an account activation link that is valid for 24 hours. All new users can browse data and might have additional permissions.

For VMware Cloud Services Customers

If your Wavefront instance is onboarded to VMware Cloud services, organization owners can invite new users from the VMware Cloud Services Console by assigning service roles for the service instance.

The Tanzu Observability service roles in VMware Cloud services grant and revoke certain permissions in Tanzu Observability.

Service Role: Super Admin
  Granted Permissions: All
  Revoked Permissions: None
  Description:
    • All permissions are granted and cannot be revoked.
    • Additional access to Super Admin tasks.

Service Role: Accounts Admin
  Granted Permissions: Accounts
  Revoked Permissions: None
  Description:
    • Granted permission cannot be revoked.
    • All permissions are allowed.
    • Initially, combines with the permissions from the Everyone group and the default user permissions and groups from the organization settings.

Service Role: User
  Granted Permissions: Dashboard, Events, Alerts
  Revoked Permissions: Accounts
  Description:
    • Granted permissions cannot be revoked.
    • Revoked permission cannot be granted.
    • Initially, combines with the permissions from the Everyone group and the default user permissions and groups from the organization settings.

Service Role: Viewer
  Granted Permissions: None
  Revoked Permissions: Accounts, Applications, Alerts, Dashboard, Events, Metrics, Derived Metrics, Proxies, Chart Embedding, SAML Idp Admin
  Description:
    • Revoked permissions cannot be granted.
    • Initially, gets the permissions from the Everyone group and the default user permissions and groups from the organization settings.

Service Role: Custom
  Granted Permissions: None
  Revoked Permissions: None
  Description:
    • All permissions are allowed.
    • Initially, gets the permissions from the Everyone group and the default user permissions and groups from the organization settings.

  • To invite a user who doesn’t belong to your organization, you must assign an organization role, organization owner or organization member, and a Tanzu Observability service role for the service instance. See How do I add users to my organization in the VMware Cloud services documentation.
  • To invite a user who belongs to your organization, you must change the user’s service roles to add a Tanzu Observability service role for the service instance. See How do I change user roles in the VMware Cloud services documentation.
  • For more efficient roles management, you can create groups and assign service roles to groups. See How do I work with groups in the VMware Cloud services documentation.
  • To enable users to use their corporate credentials, configure enterprise federation for your corporate domain. See Setting Up Enterprise Federation with VMware Cloud Services Guide in the VMware Cloud services documentation.

Each invited user receives an email with an account activation link to sign up to the service instance.

Edit and Delete User Accounts

Users with the Accounts permission can manage accounts from the Tanzu Observability UI.

  1. From the gear icon on the toolbar, select Accounts.
  2. To change roles, permissions, or group membership:
    1. Select the check box for one or more users on the Users Accounts page.
    2. Click a button (for example, +Role or -Permission) and change the roles, permissions, or group membership.
  3. To delete a user:
    1. Select the check box for the user on the Users Accounts page.
    2. Click the trash icon and confirm when prompted.

    If you delete a user, you remove that user’s access to your environment.

For VMware Cloud Services Customers

If your Wavefront service instance is onboarded to VMware Cloud services, in addition to the regular roles and permissions in Tanzu Observability, all users also have Tanzu Observability service roles in VMware Cloud services.

An organization owner can:

  • Change the service roles for the service instance to change the user’s profile for the Wavefront instance.
  • Remove the service roles for the service instance to revoke the user’s access to the Wavefront instance.

See How do I change user roles in the VMware Cloud services documentation.

Sign Out a User

As a Super Admin user, you can sign out other users by using the Wavefront REST API. To sign out a user while you are logged in as a Super Admin user, send a POST request to the logout API endpoint. For example:

POST https://<your_instance>.wavefront.com/api/logout/{identifier}

You must specify the {identifier}, which is the email address of the user that you want to log out. If you are not logged in to your Wavefront instance, when you run the POST request, you must also provide a valid API token.
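The call above, scripted for the case where you are not logged in and must supply an API token. This is an added example, not code from the Wavefront documentation; the function names and the WAVEFRONT_INSTANCE and WAVEFRONT_TOKEN environment variables are assumptions, and the token is sent as a Bearer token in the Authorization header.

```python
"""Added example: forced sign-out through POST /api/logout/{identifier}."""
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumption: <your_instance> is a single DNS label in front of .wavefront.com.
_INSTANCE_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)


def build_logout_request(instance, email, api_token):
    """Build the logout request for one user without sending it."""
    if not _INSTANCE_RE.fullmatch(instance):
        # Refuse anything that could send the Super Admin token to another host.
        raise ValueError(f"invalid instance name: {instance!r}")
    if email.count("@") != 1 or any(c.isspace() for c in email):
        raise ValueError(f"invalid user identifier: {email!r}")
    # Percent-encode the identifier so '/', '?' or '#' inside it cannot
    # change the request path or append a query string.
    identifier = urllib.parse.quote(email, safe="@")
    url = f"https://{instance}.wavefront.com/api/logout/{identifier}"
    return urllib.request.Request(
        url,
        method="POST",
        headers={"Authorization": f"Bearer {api_token}"},
    )


def sign_out(instance, email, api_token, timeout=10):
    """Send the request and return the HTTP status code."""
    req = build_logout_request(instance, email, api_token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # non-2xx responses are reported, not raised


if __name__ == "__main__":
    # Usage: script.py user1@example.com user2@example.com
    token = os.environ["WAVEFRONT_TOKEN"]  # keeps the token out of argv and shell history
    for user in sys.argv[1:]:
        print(user, sign_out(os.environ["WAVEFRONT_INSTANCE"], user, token))
```
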

What Can a New User Do?

When you invite a new (human) user to your environment, what that new user can do depends on several factors.

  • New User Tasks: All users can perform the following tasks:
    • View the dashboards, alerts, metrics, sources, events, maintenance windows, and alert notification pages.
    • Add dashboards to the list of favorites.
    • View existing dashboards and charts.
    • Create and interact with charts – but NOT save charts.
    • Share links to dashboards and charts with other users.
    • Access the user profile from the gear icon on the toolbar.
  • New User Permissions: Users with the Accounts permission can view and modify new user default permissions. To do that, from the gear icon on the toolbar, select Organization Settings. These permissions do not apply to service accounts.
  • New User Default Groups: Users with the Accounts permission can set up default groups for new users. To do that, from the gear icon on the toolbar, select Organization Settings. All new user accounts get all permissions assigned to the default user groups. These permissions do not apply to service accounts.

Set Default Permissions for New Users

You can set default permissions for new users. By default, all new users can perform the set of new user tasks discussed above. In addition, you can create a set of default permissions that are assigned to every new user added to the system later on:

  1. From the gear icon on the toolbar, select Organization Settings.
  2. On the New Accounts Defaults tab, select the set of permissions you want to grant to new users.

The default permissions affect only new user accounts that you create after you make the change. They do not affect service accounts.

Set the Default User Group for New Users

Each new user is assigned to the Everyone group.

To add any new user to additional groups:

  1. From the gear icon on the toolbar, select Organization Settings.
  2. In the Default User Groups text box:
    • Start typing the name of additional groups to add groups.
    • Click the x next to a group name to remove a group. You cannot remove the Everyone group.

Going forward, new users are added to the group. They get the group’s permissions and any permissions set as New User Default Permissions.

Troubleshooting User Accounts

  • Problem: When you invite a new user, an error like the following appears in the GUI:
    User with id <user@domain.com> is already created in our system.

  • Cause: This error means that the user’s email address (id) already exists on the current tenant or on another tenant on the same cluster. An email address cannot exist more than once unless multi-tenant authentication has been enabled explicitly.

  • Solution:
    1. From the gear icon on the toolbar, select Accounts.
    2. Search for the user with their email address to check if that user already exists.
    3. If the user is returned and doesn’t know their password, ask them to reset their password.

    If the user does not exist on the current tenant, open a support ticket.