Manage Roles, Groups, and Permissions | Tanzu Observability Documentation

Manage global permissions with roles.

Tanzu Observability by Wavefront supports roles to fine-tune authorization in the Wavefront environment.

Users with the Accounts permission can:

Create one or more roles and assign one or more permissions to each role.
Create one or more groups and add one or more accounts to each group. Accounts can be user accounts or service accounts.
Assign one or more roles to each group. It’s also possible to assign a role to individual users.

In addition to the global roles and permissions model, Tanzu Observability also supports access control for individual objects, for example, users with the Accounts permission can limit access to a sensitive dashboard.

Note: You must have the Accounts permission to view and manage authorization in your Wavefront environment. If you don’t have the permission, the corresponding UI menu selections, buttons, and links are not visible.

Important: If your Wavefront instance is onboarded to VMware Cloud services, the organization owner assigns Tanzu Observability service roles to each user. The Tanzu Observability service roles in VMware Cloud services take precedence over the roles and permissions in Tanzu Observability, and might prevent assigning or revoking certain permissions for individual users.

Manage Roles and Permissions

The roles and permissions model allows you to make sure nobody can perform tasks without the corresponding permission – and here we list the required permissions for most tasks.

Creating roles and assigning them to groups of users is most efficient and least error prone. It’s possible to grant permissions or assign a role to an individual account – that might make sense during a POC.

Note: If your Wavefront instance is onboarded to VMware Cloud services, the Accounts Admin, User, and Viewer service roles are visible in the Tanzu Observability UI, but even if you have the Accounts permission, you cannot edit, delete, revoke, or assign these service roles. Only organization owners can manage service roles in VMware Cloud services.

Create a Role

All users with Accounts permission can create roles.

To create a role:

Log in to your Wavefront instance.
Click the gear icon on the toolbar and select Accounts.
On the Roles tab, click Create Role.
Specify a name, an optional description, and one or more permissions for that role.
(Optional) Enter groups or accounts to assign the role to. You can also add groups or accounts later.
Click Create.

Create a Group

All users with Accounts permission can create groups and add members and roles to the group. You can’t assign permissions to groups.

To create a group:

Log in to your Wavefront instance.
Click the gear icon on the toolbar and select Accounts.
On the Groups tab, click Create Group.
Specify a name and, optionally, a description.
(Optional) Add one or more accounts to the group now or later. You cannot add a group as a member.
(Optional) Add one or more roles to the group now or later.
Click Create.

Assign a Role to a Group

Users with Accounts permission can assign roles to a group when they create the group, or can add and remove roles later.

To assign a role to a group:

Log in to your Wavefront instance.
Click the gear icon on the toolbar and select Accounts.
On the Groups tab, change role assignment in one of these ways:

Select the group check box, click +Role or -Role, and select a role to change role assignment (not shown on the right).
Click the group name. In the Edit Group page, make the desired changes and click Update, as shown on the right.

Grant or Revoke Account Permissions Explicitly

The process of granting permissions is the same for users and for service accounts.

You can grant a permissions to an account when you create the account or add permissions later from the Service Accounts / Users page or from the Edit Service Account / Edit User page.

Tip: Assigning a role to a group of users is more efficient and leaves less room for error than granting or revoking account permission or assigning a role to an account.

The following example shows two ways of explicitly grant or revoke permissions for service accounts.

To grant or revoke permissions from the Service Accounts page: Select one or more service accounts. Click +Permissions or -Permissions and select the permission to add or remove.
To grant or revoke permissions from the Edit Service Account page: Click the service account name to open the Edit Service Account page. Select the permissions that you want to grant or revoke.