Thursday, March 27, 2014

Part 9 - User Authentication in vCenter Operations Manager!

In the previous part of this series, we looked at the option of altering the data retention policies of vCenter Operations Manager. If you have been following this series, you will know that we are taking a step by step approach towards deploying a robust vCOps infrastructure which can help you do Performance Management & Capacity Planning for your Virtual Infrastructure & the related components.

Once we have vCOps deployed, it is essential that we start providing access to the target audience so they can use the goodness of all the data derived by the vCOps Analytical Engine. In order to do so, we need to understand how roles & permissions work in vCOps and what options are available for the different User Interfaces within vCOps.

Let us now see how vCOps authenticates users for each of its User Interfaces.

vSphere User-Interface

INTRODUCTION - By now you will know that the vSphere UI is the default UI which is available with all the editions of vCOps, namely Foundation, Standard, Advanced & Enterprise. In the case of the Foundation edition, which comes FREE with the vSphere license, you only get the option of Limited Performance Management.

AUTHENTICATION METHOD - The vSphere UI is mapped directly to the vCenter Server Permissions Structure. In other words, the rights of a user are completely replicated in the vSphere UI. If you have RBAC (Role Based Access Control) implemented in the vCenter Server, you will get the exact same rights in the vCOps vSphere UI. At this stage it is important to mention that even if you have rights on only a limited set of objects in vCenter, you will still see all the objects which vCOps is monitoring once you log into it. The rights take effect as soon as you try to drill down: you will not be allowed to drill down on objects where you do not have any rights. The default admin account has full privileges to all the resources in vCOps, hence it is recommended that we reset the default password for this account (password - admin) and keep it in a locker ;-)

Admin User-Interface

INTRODUCTION - The Admin UI is another default UI which is available with all the editions of vCOps. In Part 4 & Part 6 of this series I have provided step by step instructions on how to use the Custom UI.

AUTHENTICATION METHOD - The authentication on the Admin UI is pretty straightforward. It accepts one and only one account, i.e. the admin account. You cannot log in to this interface with any other ID. Needless to say, if you lose the password for this account, you still have the option to log in to the UI VM with root credentials and reset the admin user password as you would do in any Linux OS.

Custom User-Interface

INTRODUCTION - The Custom UI is available only with the Advanced and Enterprise Editions of vCenter Operations Manager. This is where all the custom magic happens. Everything from creating custom dashboards for vSphere infrastructure to things like Super Metrics and Third Party adapter configuration (supported with Enterprise only) happens in the Custom UI.

AUTHENTICATION METHOD - The authentication to this UI is a bit tricky and is not as simple as the vSphere UI. I think it was intelligent of VMware not to map this to direct role based access control, as Custom Information should only be shared with selected people irrespective of the rights they might have on the vCenter Server. By default, only the admin account works in the Custom User Interface. In order to increase this scope, you have the option to integrate vCOps with your current Active Directory through LDAP integration. You can simply pull a specific group or the entire organization into vCenter Operations Manager and give them pre-defined roles with pre-canned permissions, or create a custom role with customized permissions. This makes things more flexible, as it allows you to share specific content with specific people. For example, if you create a Capacity Dashboard for a CxO, you would want to share it exclusively with the CxOs in your organization and not with administrators. In such a case Custom UI LDAP integration helps, as we have the option to share specific dashboards with specific users and also give them controlled rights on those dashboards.

I hope this post will help you understand the Authentication methods in a better way and plan them effectively for the users of vCenter Operations Manager in your organization. I will close this post now. In the next post, we will look at the LDAP integration of vCOps Custom User Interface along with the default roles and permissions available within vCenter Operations Manager.

Till then.. Stay tuned!!

***Share & Spread the Knowledge***
