A quick post to share a handy option which is available on vROps version 6.1 and above. We all know that their are multiple methods to authenticate a user to login in vRealize Operations Manager. I have usually seen organizations starting with their vROps journey using the vCenter Authentication option which comes out of the box with the product as soon as you integrate vROps with your vCenter server.
While this is an easy way to authenticate, it is possibly not the best option for vROps authentication due to a number of reasons. The first reason is that not all third party management packs support vCenter Authentication and hence if you login with vCenter credentials and try to view data which is being captured by a non VMware management pack then you might not be able to see it at all. This is because that management pack might not have any integration with vCenter Server.
Secondly, the number of concurrent sessions supported on vCenter server are way more than what is supported on vRealize Operations Manager. You can read the sizing guidelines here to understand the concurrent session requirements of vROps.
From above considerations, by far the best option is to have Role Based Access Control using Active Directory / LDAP integration which is fully supported on vRealize Operations Manager. Once you have the AD/LDAP integration, you will see the option of "Active Directory" as shown in the screenshot below. At this point to change the login behavior of your vROps users, you might want to get rid f the "All vCenter Servers" since users might continue to use that option since they are used to doing so.
This option can be removed from vROps version 6.1 and above by browsing to the ADMINISTRATION --- GLOBAL SETTINGS.
Here you would see an option to "Allow vCenter Users to log in to all vCenters using the vROps UI". You would need to edit the global settings by clicking on the "Pencil Shaped" edit icon to disable this option as it is enabled by default (out of the box).
Once on the Edit screen clear the checkbox and click on save.
After you logout and login again, you would see that you only have the Local and AD option now.
Hope this quick tip will help you have tighter control on how you configure role based access on vRealize Operations Manager.
Share & Spread the knowledge...