IBM Cloud Docs
Operational tooling identity and access management

Overview

The operational tooling consists of the following components:

  • VMware Aria® Operations™ (formerly known as VMware vRealize® Operations Manager™) - Using data collected from objects in the VMware® platform, VMware Aria Operations uses detailed dashboards to show system health, capacity, and performance.
  • VMware Aria Operations™ for Logs (formerly known as VMware vRealize® Log Insight™) - Objects in the VMware platform have been configured to send their logging events to VMware Aria Operations for Logs to enable a centralized log management function.

The following main principles or requirements for identity and access management to the operational tooling apply:

  • The principle of least privilege is used, so that a user account is assigned only the privileges that are essential to perform its intended function.
  • SaaS provider operations have full access to the operational tooling.
  • The auditor has read-only access to the operational tooling.
  • IC4V Active Directory (AD) is used to host accounts and define roles.

Accounts

The following terminology is used to define the account types:

  • User IDs - These IDs are assigned to people who require access to the system.
  • Service IDs - These IDs are used by the IC4V automation or used by software components.
  • Local IDs - These IDs are local to the application.
  • SSH IDs - These IDs are used to access the Linux® VMs that host the applications.

VMware Solutions infrastructure AD domain

The VMware Solutions infrastructure AD domain holds the resource objects and user accounts for the administration of the VMware platform only.

VMware Aria Operations

By default, the following local users are configured during service instantiation:

VMware Aria Operations user IDs

  ID                 Type
  automationAdmin    Local ID
  cloudadmin         Local ID
  admin              Local ID
  maintenanceAdmin   Local ID
  migrationAdmin     Local ID

The following groups are configured during service instantiation:

  • Cloud Admin - The cloudadmin user ID is a member of this group.
  • Everyone - All users are a member of this group.

Figure: VMware Aria Operations logical view

Roles

The following roles are defined in VMware Aria Operations:

  • Administrator - System administrator
  • AgentManager - Deploy and configure EP Ops management agents
  • ContentAdmin - Manage all the contents in the product
  • GeneralUser-1 - Configurable out-of-the-box role
  • GeneralUser-2 - Configurable out-of-the-box role
  • GeneralUser-3 - Configurable out-of-the-box role
  • GeneralUser-4 - Configurable out-of-the-box role
  • PowerUser - All privileges except the ones that are related to user management and cluster management. Typically, vCenter administrators map to this role.
  • PowerUserMinusRemediation - All privileges except the ones that are related to user management, cluster management, and remediation actions.
  • Readonly - Read-only access for the product.

VMware Aria Operations authentication sources are configured to use Active Directory to connect to the infrastructure AD. Within the infrastructure AD, the following groups are assigned roles:

VMware Aria Operations groups

  Group           Role
  icv4-vCenter    Administrator
  ic4v-infra      To be determined
  ic4v-auditor    Read only

VMware Aria Operations for Logs

By default, the following local users are configured during service instantiation:

VMware Aria Operations for Logs default user IDs

  ID       Type        Role
  admin    Local ID    Super Admin

This account is not used on a day-to-day basis or for configuration tasks.

Figure: VMware Aria Operations for Logs logical view

VMware Aria Operations for Logs roles

The following roles are defined in VMware Aria Operations for Logs:

  • Super Admin - Full Admin and User capabilities, including editing shared content
  • View Only Admin - Can view Admin information and has full User access, including editing shared content
  • User - Can use interactive analytics and dashboards
  • Dashboard User - Can use only dashboards

VMware Aria Operations for Logs authentication is configured to use Active Directory to connect to the infrastructure AD. Within the infrastructure AD, the following groups are assigned roles:

VMware Aria Operations for Logs groups

  Group           Role
  icv4-vCenter    Super Admin
  ic4v-infra      View Only Admin
  ic4v-auditor    User
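As an added drift check covering both group-to-role tables above (example code, not part of the IBM Cloud or VMware documentation), the Python below records the documented mappings and local IDs as expected state and reports deviations: an undocumented group mapping, a documented group with no role, the auditor group holding anything other than the read-only or user roles, and local IDs beyond the documented set. The product keys, the input shape (plain dicts and sets standing in for a user-management export) and the sample data are constructed for this example.

```python
# Added example: drift check for the documented Aria Operations role mappings.

# Expected state transcribed from the page's tables. The undecided ic4v-infra
# mapping is recorded as None so that it is reported rather than accepted.
EXPECTED_GROUPS = {
    "aria-ops": {"icv4-vCenter": "Administrator", "ic4v-infra": None,
                 "ic4v-auditor": "Readonly"},
    "aria-ops-logs": {"icv4-vCenter": "Super Admin", "ic4v-infra": "View Only Admin",
                      "ic4v-auditor": "User"},
}
# Roles the auditor group may hold under the read-only-auditor requirement.
AUDITOR_ALLOWED = {"aria-ops": {"Readonly"}, "aria-ops-logs": {"User", "Dashboard User"}}
EXPECTED_LOCAL_IDS = {
    "aria-ops": {"automationAdmin", "cloudadmin", "admin", "maintenanceAdmin",
                 "migrationAdmin"},
    "aria-ops-logs": {"admin"},
}


def check_product(product, group_roles, local_ids):
    """group_roles: {ad_group: role} as configured; local_ids: set of local
    account names present. Returns a list of findings (empty means no drift)."""
    findings = []
    expected = EXPECTED_GROUPS[product]
    for group, role in sorted(group_roles.items()):
        if group not in expected:
            findings.append(f"{product}: undocumented group mapping {group} -> {role}")
        elif expected[group] is None:
            findings.append(f"{product}: {group} is 'to be determined' but holds {role}")
        elif role != expected[group]:
            findings.append(f"{product}: {group} holds {role}, documented role is {expected[group]}")
        if group == "ic4v-auditor" and role not in AUDITOR_ALLOWED[product]:
            findings.append(f"{product}: auditor group holds privileged role {role}")
    for group in sorted(set(expected) - set(group_roles)):
        findings.append(f"{product}: documented group {group} has no role assigned")
    for extra in sorted(local_ids - EXPECTED_LOCAL_IDS[product]):
        findings.append(f"{product}: undocumented local ID {extra}")
    return findings


# Constructed sample showing drift: auditor over-privileged, the undecided
# ic4v-infra mapping filled in, and an extra local account.
SAMPLE_OPS_GROUPS = {"icv4-vCenter": "Administrator", "ic4v-infra": "PowerUser",
                     "ic4v-auditor": "PowerUser"}
SAMPLE_OPS_LOCAL_IDS = EXPECTED_LOCAL_IDS["aria-ops"] | {"tempAdmin"}

if __name__ == "__main__":
    for finding in check_product("aria-ops", SAMPLE_OPS_GROUPS, SAMPLE_OPS_LOCAL_IDS):
        print(finding)
```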