VMware Aria Operations for Applications (formerly known as Tanzu Observability by Wavefront) supports:
- User accounts, discussed here, which authenticate with a username and password.
- Service accounts, which authenticate with a token.
You can manage authorization in your environment by:
- Assigning and revoking roles for groups or accounts to give global permissions.
- Granting and revoking access to individual objects (initially dashboards and alerts) for accounts and groups.
What Are User Accounts?
User accounts log in with a user name and password.
- All authenticated users can perform certain tasks such as viewing dashboards and charts or sharing links to charts.
- Roles determine what users can do globally. Each role has one or more permissions. For example, assume that you have created an Interns role that has the Dashboard permission. All users with the Interns role can view and manage all dashboards.
- Access applies to individual objects. For example, some users don’t have access to a dashboard with financial data. Users who have modify access for a dashboard or alert can grant or revoke access for that object.
Create, Edit, and Delete User Accounts
Users with Accounts permissions can manage accounts.
- From the gear icon on the toolbar, select Accounts.
- To add an account:
- Click Invite New Users and specify a comma-separated list of email addresses.
- Specify user groups. You cannot remove users from the Everyone group.
- To grant permissions to individual users, click Advanced. You can:
- Assign a role to the user
- Or give the user explicit permissions
Tip: We recommend managing permissions at the group level and not assigning permissions to individual users.
Each invited user receives an email with an account activation link that is valid for 24 hours. All new users can browse data and might have additional permissions.
- To change roles, permissions, or group membership:
- Select the check box for one or more users on the Users Accounts page.
- Click a button (for example, +Role or -Permission) and change the roles, permissions, or group membership.
- To delete a user:
- Select the check box for the user on the Users Accounts page.
- Click the trash icon and confirm when prompted.
If you delete a user, you remove that user’s access to your environment.
Tip: As a safeguard, you cannot select multiple users and delete them. You can delete only one user at a time.
Sign Out a User
As a Super Admin user, you can sign out other users by using the REST API. To sign out a user while Super Admin mode is enabled, run a POST request with the logout API call. For example:
POST https://<your_instance>.wavefront.com/api/logout/{identifier}
You must specify the {identifier}, which is the email address of the user that you want to log out. If you are not logged in to your service instance when you run the POST request, you must also provide a valid API token.
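The logout call above, scripted for a batch of accounts during offboarding. This Python code is an added example, not part of the product documentation or VMware's own code; it rejects identifiers that are not plain email addresses before they are placed in the URL path. The Bearer authorization header, the WF_INSTANCE and WF_API_TOKEN environment variables, and the function names are assumptions.

```python
import os
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the instance name is one DNS label, as in <your_instance>.wavefront.com.
INSTANCE_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.I)
# Deliberately strict email shape: no slashes, whitespace or control characters.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_logout_request(instance, identifier, token):
    """Build (but do not send) POST /api/logout/{identifier}."""
    if not INSTANCE_RE.fullmatch(instance):
        raise ValueError(f"invalid instance name: {instance!r}")
    if not EMAIL_RE.fullmatch(identifier):
        raise ValueError(f"identifier is not an email address: {identifier!r}")
    if not token:
        raise ValueError("an API token is required")
    # Percent-encode the whole identifier so it stays a single path segment.
    path = "/api/logout/" + urllib.parse.quote(identifier, safe="")
    url = f"https://{instance}.wavefront.com{path}"
    # Assumption: the API token is sent as a Bearer token.
    headers = {"Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, data=b"", headers=headers, method="POST")


def sign_out_users(instance, identifiers, token, send=urllib.request.urlopen):
    """Sign out each user; return {identifier: HTTP status or error text}."""
    results = {}
    for identifier in identifiers:
        try:
            req = build_logout_request(instance, identifier, token)
            with send(req, timeout=10) as resp:
                results[identifier] = resp.status
        except urllib.error.HTTPError as exc:
            results[identifier] = exc.code
        except (ValueError, urllib.error.URLError) as exc:
            results[identifier] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # WF_INSTANCE, WF_API_TOKEN and the address below are placeholders.
    print(sign_out_users(os.environ["WF_INSTANCE"],
                         ["former.employee@example.com"],
                         os.environ["WF_API_TOKEN"]))
```

Keep the per-user result map with the offboarding record so that a failed sign-out is followed up before the account is deleted.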
What Can a New User Do?
When you invite a new (human) user to your environment, what that new user can do depends on several factors.
- New User Tasks: All users can perform the following tasks:
- View the dashboards, alerts, metrics, sources, events, maintenance windows, and alert notification pages.
- Add dashboards to the list of favorites.
- View existing dashboards and charts.
- Create and interact with charts – but NOT save charts.
- Share links to dashboards and charts with other users.
- Access the user profile from the gear icon on the toolbar.
Note: It’s possible that access to dashboards and alerts is limited.
- New User Permissions: Users with the Accounts permission can view and modify new user default permissions. To do that, from the gear icon on the toolbar, select Organization Settings. These permissions do not apply to service accounts.
- New User Default Groups: Users with the Accounts permission can set up default groups for new users. To do that, from the gear icon on the toolbar, select Organization Settings. All new user accounts get all permissions assigned to the default user groups. These permissions do not apply to service accounts.
Set Default Permissions for New Users
You can set default permissions for new users. By default, all new users can perform a set of new user actions discussed above. In addition, you can create a set of default permissions that are assigned to every new user added to the system later on:
- From the gear icon on the toolbar, select Organization Settings.
- On the New Accounts Defaults tab select the set of permissions you want to grant to new users.
The default permissions affect only new user accounts that you create after you make the change. They do not affect service accounts.
Set the Default User Group for New Users
Each new user is assigned to the Everyone group.
To add any new user to additional groups:
- From the gear icon on the toolbar, select Organization Settings.
- In the Default User Groups text box:
- Start typing the name of additional groups to add groups.
- Click the x next to a group name to remove a group. You cannot remove the Everyone group.
Going forward, new users are added to the group. They get the group’s permissions and any permissions set as New User Default Permissions.
Troubleshooting User Accounts
- Problem: When you invite a new user, an error like the following appears in the GUI:
User with id <user@domain.com> is already created in our system.
- Cause: This error means that the user’s email address (id) already exists on the current tenant or on another tenant on the same cluster. An email address cannot exist more than once unless multi-tenant authentication has been enabled explicitly.
- Solution:
- From the gear icon on the toolbar, select Accounts.
- Search for the user with their email address to check if that user already exists.
- If the user is returned and doesn’t know their password, ask them to reset their password.
- If the user does not exist on the current tenant, open a support ticket.