Manage global permissions with roles.

VMware Aria Operations for Applications (formerly known as Tanzu Observability by Wavefront) supports roles to fine-tune authorization in the Wavefront environment.

Users with the Accounts permission can:

  1. Create one or more roles and assign one or more permissions to each role.
  2. Create one or more groups and add one or more accounts to each group. Accounts can be user accounts or service accounts.
  3. Assign one or more roles to each group. It’s also possible to assign a role to individual users.

In addition to the global roles and permissions model, Operations for Applications also supports access control for individual objects, for example, users with the Accounts permission can limit access to a sensitive dashboard.

Manage Roles and Permissions

The roles and permissions model allows you to make sure nobody can perform tasks without the corresponding permission – and here we list the required permissions for most tasks.

Creating roles and assigning them to groups of users is most efficient and least error prone. It’s possible to grant permissions or assign a role to an individual account – that might make sense during a POC.

Create a Role

All users with Accounts permission can create roles.

To create a role:
  1. Log in to your service instance (https://<your_instance>.wavefront.com).
  2. Click the gear icon on the toolbar and select Accounts.
  3. On the Roles tab, click Create Role.
  4. Specify a name, an optional description, and one or more permissions for that role.
  5. (Optional) Enter groups or accounts to assign the role to. You can also add groups or accounts later.
  6. Click Create.
create a role

Create a Group

All users with Accounts permission can create groups and add members and roles to the group. You can’t assign permissions to groups.

To create a group:
  1. Log in to your service instance (https://<your_instance>.wavefront.com).
  2. Click the gear icon on the toolbar and select Accounts.
  3. On the Groups tab, click Create Group.
  4. Specify a name and, optionally, a description.
  5. (Optional) Add one or more accounts to the group now or later. You cannot add a group as a member.
  6. (Optional) Add one or more roles to the group now or later.
  7. Click Create.
create a group

Assign a Role to a Group

Users with Accounts permission can assign roles to a group when they create the group, or can add and remove roles later.

To assign a role to a group:
  1. Log in to your service instance (https://<your_instance>.wavefront.com).
  2. Click the gear icon on the toolbar and select Accounts.
  3. On the Groups tab, change role assignment in one of these ways:
    • Select the group check box, click +Role or -Role, and select a role to change role assignment (not shown on the right).
    • Click the group name. In the Edit Group page, make the desired changes and click Update, as shown on the right.
add a role to group

Grant or Revoke Account Permissions Explicitly

The process of granting permissions is the same for users and for service accounts.

You can grant a permissions to an account when you create the account or add permissions later from the Service Accounts / Users page or from the Edit Service Account / Edit User page.

The following example shows two ways of explicitly grant or revoke permissions for service accounts.

To grant or revoke permissions from the Service Accounts page:
  1. Select one or more service accounts.
  2. Click +Permissions or -Permissions and select the permission to add or remove.
globally add or remove service account permissions
To grant or revoke permissions from the Edit Service Account page:
  1. Click the service account name to open the Edit Service Account page.
  2. Select the permissions that you want to grant or revoke.
add or remove service account permissions