VMware Aria Operations for Applications (formerly known as Tanzu Observability by Wavefront) supports roles to fine-tune authorization in the Wavefront environment.
Users with the Accounts permission can:
- Create one or more roles and assign one or more permissions to each role.
- Create one or more groups and add one or more accounts to each group. Accounts can be user accounts or service accounts.
- Assign one or more roles to each group. It’s also possible to assign a role to individual users.
In addition to the global roles and permissions model, Operations for Applications also supports access control for individual objects. For example, users with the Accounts permission can limit access to a sensitive dashboard.
Manage Roles and Permissions
The roles and permissions model allows you to make sure nobody can perform tasks without the corresponding permission – and here we list the required permissions for most tasks.
Creating roles and assigning them to groups of users is the most efficient and least error-prone approach. It’s also possible to grant permissions or assign a role to an individual account, which might make sense during a POC.
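The following audit sketch is an added example, not code from the product or its documentation. It resolves each account's effective permissions from explicit grants, directly assigned roles, and roles inherited through groups, then flags accounts that hold a permission outside a group. It assumes effective permissions are the union of those three sources; the snapshot layout and all account, role, and group names are constructed.

```python
# Added example: constructed snapshot of the permission/role/group model.
# Field names and every sample value are assumptions, not a product export.
SNAPSHOT = {
    "roles": {
        "account-admin": {"Accounts"},
        "dashboard-editor": {"Dashboards"},
    },
    "groups": {
        "platform-admins": {"members": {"alice"}, "roles": {"account-admin"}},
        "sre": {"members": {"bob", "sa::ci-bot"}, "roles": {"dashboard-editor"}},
    },
    "accounts": {
        "alice": {"roles": set(), "permissions": set()},
        "bob": {"roles": {"account-admin"}, "permissions": set()},
        "sa::ci-bot": {"roles": set(), "permissions": {"Accounts"}},
        "carol": {"roles": set(), "permissions": set()},
    },
}

def effective_permissions(snapshot, account):
    """Return {permission: set of sources granting it} for one account."""
    roles, acct = snapshot["roles"], snapshot["accounts"][account]
    grants = [("explicit", acct["permissions"])]
    grants += [(f"role:{r}", roles.get(r, set())) for r in acct["roles"]]
    for gname, group in snapshot["groups"].items():
        if account in group["members"]:
            grants += [(f"group:{gname}/role:{r}", roles.get(r, set()))
                       for r in group["roles"]]
    sources = {}
    for src, perms in grants:
        for perm in perms:
            sources.setdefault(perm, set()).add(src)
    return sources

def audit(snapshot, sensitive="Accounts"):
    """Return (accounts holding `sensitive`, accounts with non-group grants)."""
    holders, direct = [], []
    for name in sorted(snapshot["accounts"]):
        srcs = effective_permissions(snapshot, name)
        if sensitive in srcs:
            holders.append(name)
        if any(not s.startswith("group:") for v in srcs.values() for s in v):
            direct.append(name)
    return holders, direct

if __name__ == "__main__":
    holders, direct = audit(SNAPSHOT)
    print("Hold Accounts:", holders, "| granted outside a group:", direct)
```

Accounts in the second list are candidates for moving into a group that carries the same role, so that access can be reviewed per group instead of per account.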
Create a Role
All users with the Accounts permission can create roles.
To create a role:
Create a Group
All users with the Accounts permission can create groups and add members and roles to the group. You can’t assign permissions to groups.
To create a group:
Assign a Role to a Group
Users with the Accounts permission can assign roles to a group when they create the group, or can add and remove roles later.
To assign a role to a group:
Grant or Revoke Account Permissions Explicitly
The process of granting permissions is the same for users and for service accounts.
You can grant permissions to an account when you create the account, or add permissions later from the Service Accounts / Users page or from the Edit Service Account / Edit User page.
The following example shows two ways to explicitly grant or revoke permissions for service accounts.
To grant or revoke permissions from the Service Accounts page:
To grant or revoke permissions from the Edit Service Account page: