Configuring Role-Based Access Control (RBAC) in Ops Manager


This topic describes how to customize role-based access control (RBAC) in Ops Manager. Use RBAC to manage which operators in your organization can make deployment changes, view credentials, and manage user roles in Ops Manager.

For information about configuring Ops Manager to use internal authentication or SAML authentication, refer to the Ops Manager configuration topic for your IaaS.

Understand Roles in Ops Manager

You can assign the following roles to determine which operators in your organization can make deployment changes, view credentials, and manage user roles in Ops Manager:

Ops Manager roles diagram

Ops Manager administrators can use the roles defined in the diagram above to meet the security needs of their organization. The roles provide a range of privileges that are appropriate for different types of users. For example, assign either Restricted Control or Restricted View to an operator who should never see an Ops Manager credential: neither role can read credentials in the Credentials tab or through the Ops Manager API.

The following describes each role and its UAA scope. The UAA scope is the name of the UAA group that grants the role; you add users to that group directly (internal authentication) or map a SAML group to it (SAML authentication):

Ops Manager Administrator (UAA scope: opsman.admin)
  Administrators can make configuration changes in Ops Manager, view credentials in the Credentials tab and Ops Manager API endpoints, change the authentication method, and assign roles to other operators.

Full Control (UAA scope: opsman.full_control)
  Operators can make configuration changes in Ops Manager, click Apply Changes, and view credentials in the Credentials tab and Ops Manager API endpoints.

Restricted Control (UAA scope: opsman.restricted_control)
  Operators can make configuration changes in Ops Manager and click Apply Changes. They cannot view credentials in the Credentials tab or Ops Manager API endpoints.

Full View (UAA scope: opsman.full_view)
  Operators can view Ops Manager configuration settings and view credentials in the Credentials tab and Ops Manager API endpoints. They cannot make configuration changes in Ops Manager.

Restricted View (UAA scope: opsman.restricted_view)
  Operators can view Ops Manager configuration settings. They cannot make configuration changes or view credentials in the Credentials tab or Ops Manager API endpoints.

When you install a new Ops Manager instance, all existing users have the Ops Manager Administrator role by default.

To assign one of the above roles to an operator, follow the procedure for granting access using either internal authentication or SAML authentication.

Enable RBAC in Ops Manager

When you install a new instance of Ops Manager, RBAC is enabled by default.

If you upgrade from an older Ops Manager instance, you must enable RBAC and assign roles to users before they can access Ops Manager. If you do not assign any roles to a user, they cannot log in to Ops Manager.

WARNING: Do not assign roles before you enable RBAC.

Enable RBAC with Internal Authentication

If you are upgrading from an older version of Ops Manager and use internal authentication, perform the following steps to enable RBAC:

  1. Log in to Ops Manager and click the Ops Manager tile.

  2. In the Settings tab, click Advanced.

  3. Click Enable RBAC. When the confirmation dialog box appears, click Confirm and Logout.

    Note: Enabling RBAC is permanent. You cannot undo this action. When you upgrade Ops Manager, your RBAC settings remain configured.

Enable RBAC with SAML Authentication

If you are upgrading from an older version of Ops Manager and use SAML authentication, perform the steps in this section to enable RBAC. Before you enable RBAC, you must identify or create a SAML group for Ops Manager admin users and map that group to Ops Manager; you map the groups for non-admin users to roles afterwards, as described in Manage Roles with SAML Authentication. Until a user's SAML group is mapped to a role, that user cannot log in to Ops Manager.

Step 1: Configure SAML Groups

Perform the following steps to gather information from your SAML dashboard:

  1. Log in to your SAML provider dashboard.
  2. Create or identify the name of the SAML group that contains Ops Manager admin users.
  3. Identify the groups attribute, that is, the name of the SAML assertion attribute in which your SAML server sends a user's group membership.

Step 2: Enable RBAC in Ops Manager

Perform the following steps to configure Ops Manager to recognize your SAML admin user group:

Note: When RBAC is enabled, only users with the Ops Manager Administrator role can edit SAML configuration.

  1. Log in to Ops Manager.
  2. In the Settings tab, click RBAC Configuration.
  3. Enter the name of the SAML group that contains Ops Manager admin users in the SAML Admin Group field.
  4. Enter the groups attribute tag for your SAML server in the Groups Attribute field.
  5. In the Settings tab, click Advanced.
  6. Click Enable RBAC. When the confirmation dialog box appears, click Confirm and Logout.

    Note: Enabling RBAC is permanent. You cannot undo this action. When you upgrade Ops Manager, your RBAC settings remain configured.

Manage RBAC Roles in Ops Manager

You can assign the roles defined in Understand Roles in Ops Manager to determine which operators in your organization can make deployment changes, view credentials, and manage user roles in Ops Manager.

Manage Roles with Internal Authentication

If you configured Ops Manager to use internal authentication, perform the steps in this section to configure roles using the UAA Command Line Interface (UAAC).

  1. Target your UAA server and log in as an admin:

    uaac target https://YOUR-OPSMAN-DOMAIN/uaa
    uaac token owner get
    

  2. When prompted, enter the following credentials. Enter opsman for Client ID and leave Client secret blank, then enter your username and password:

    Client ID: opsman
    Client secret:
    User name: USERNAME
    Password: YOUR-PASSWORD

  3. (Optional) If you are installing a new Ops Manager instance, create users by following the procedure in the Creating and Managing Users with the UAA CLI (UAAC) topic.

  4. Assign one of the following roles to a user, replacing USERNAME with their username.

    • Ops Manager Administrator:
      uaac member add opsman.admin USERNAME
    • Full Control:
      uaac member add opsman.full_control USERNAME
    • Restricted Control:
      uaac member add opsman.restricted_control USERNAME
    • Full View:
      uaac member add opsman.full_view USERNAME
    • Restricted View:
      uaac member add opsman.restricted_view USERNAME

Manage Roles with SAML Authentication

If you configured Ops Manager with SAML authentication, perform the steps in this section to assign non-admin user roles using UAAC.

  1. Target your UAA server and log in as an admin:

    uaac target https://YOUR-OPSMAN-DOMAIN/uaa
    uaac token sso get
    

  2. When prompted, enter opsman for Client ID and leave Client secret blank. For Passcode, enter the temporary passcode you obtain by logging in to https://YOUR-OPSMAN-DOMAIN/uaa/passcode through your SAML provider:

    Client ID: opsman
    Client secret:
    Passcode (from https://YOUR-OPSMAN-DOMAIN/uaa/passcode): YOUR-UAA-PASSCODE


  3. Map the SAML group to an Ops Manager UAA scope:

    uaac group map SAML-GROUP --name 'OPSMAN-SCOPE' --origin 'external-saml-provider'

    Replace the placeholder text as follows:

    • SAML-GROUP: Replace with the name of the SAML group the user belongs to, exactly as your SAML provider sends it in the groups attribute.
    • OPSMAN-SCOPE: Replace with an Ops Manager UAA scope. Refer to Understand Roles in Ops Manager to determine which UAA scope to use.

    The --origin value identifies the SAML identity provider configured in the Ops Manager UAA; group mappings in UAA are specific to an origin, so a mapping made under the wrong origin is never applied. Keep the value shown unless you configured the provider under a different origin key.
  4. Add new and existing users to the appropriate SAML groups in the SAML provider dashboard. Users must log out of both Ops Manager and the SAML provider for role changes to take effect.
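The following is an added example, not part of the Ops Manager documentation or the uaac tool: a small POSIX shell wrapper that applies the two procedures above (the uaac member add commands for internal authentication, and the uaac group map command for SAML authentication) with the role name validated before anything is sent to UAA. It assumes uaac is already targeted at https://YOUR-OPSMAN-DOMAIN/uaa and holds an admin token obtained with uaac token owner get or uaac token sso get as shown above. The short role names (admin, full-control, and so on), the UAAC variable, and the script name opsman-rbac.sh are this example's own conventions; the origin default is the value used in the step above. For internal authentication it also removes the user from every other opsman.* group first, because a user who belongs to several of those groups carries all of their scopes, which defeats the point of assigning a restricted role.

```shell
# Added example (not from the Ops Manager documentation): wrapper around uaac
# for Ops Manager role changes. Assumes uaac is already targeted at
# https://YOUR-OPSMAN-DOMAIN/uaa and holds an admin token.
# UAAC is an assumption of this script: set UAAC=echo for a dry run that
# prints the uaac invocations instead of executing them.
UAAC="${UAAC:-uaac}"

# The five Ops Manager scopes listed under Understand Roles in Ops Manager.
OPSMAN_SCOPES="opsman.admin opsman.full_control opsman.restricted_control opsman.full_view opsman.restricted_view"

# Translate a role name into its UAA scope. Anything else is rejected so a
# typo cannot silently create or reference a group Ops Manager does not use.
opsman_scope() {
  case "$1" in
    admin)              echo opsman.admin ;;
    full-control)       echo opsman.full_control ;;
    restricted-control) echo opsman.restricted_control ;;
    full-view)          echo opsman.full_view ;;
    restricted-view)    echo opsman.restricted_view ;;
    *)
      echo "unknown role '$1' (expected admin, full-control, restricted-control, full-view or restricted-view)" >&2
      return 1 ;;
  esac
}

# Internal authentication: give USER exactly one Ops Manager role.
# A member of several opsman.* groups carries all of those scopes, so the
# user is first removed from every other opsman.* group. uaac reports a
# failure when the user is not a member; that is the normal case and is ignored.
opsman_assign_role() {
  user="$1"
  scope="$(opsman_scope "$2")" || return 1
  for other in $OPSMAN_SCOPES; do
    if [ "$other" != "$scope" ]; then
      "$UAAC" member delete "$other" "$user" >/dev/null 2>&1 || true
    fi
  done
  "$UAAC" member add "$scope" "$user"
}

# SAML authentication: map an identity-provider group to an Ops Manager
# scope. ORIGIN defaults to the origin key used in the procedure above.
opsman_map_saml_group() {
  group="$1"
  scope="$(opsman_scope "$2")" || return 1
  origin="${3:-external-saml-provider}"
  "$UAAC" group map "$group" --name "$scope" --origin "$origin"
}

# Command-line entry points (script name is hypothetical):
#   sh opsman-rbac.sh assign USERNAME ROLE
#   sh opsman-rbac.sh map SAML-GROUP ROLE [ORIGIN]
case "${1:-}" in
  assign) opsman_assign_role "$2" "$3" ;;
  map)    opsman_map_saml_group "$2" "$3" "${4:-}" ;;
esac
```

Run it first with UAAC=echo to review the exact uaac calls before they touch UAA; for example, UAAC=echo sh opsman-rbac.sh assign alice restricted-view prints four member delete calls followed by member add opsman.restricted_view alice. Role changes made this way take effect only after the user logs out of Ops Manager and logs in again, because the scopes are carried in the token issued at login.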
