Configuring Role-Based Access Control (RBAC) in Ops Manager


This topic describes how to customize role-based access control (RBAC) in Ops Manager. Use RBAC to manage which operators in your organization can make deployment changes, view credentials, and manage user roles in Ops Manager.

For information about configuring Ops Manager to use internal authentication or SAML authentication, see the Ops Manager configuration topic for your IaaS.

Understand Roles in Ops Manager

You can assign the following roles to determine which operators in your organization make deployment changes, view credentials, and manage user roles in Ops Manager:

Ops Manager roles diagram

Ops Manager administrators can use the roles defined in the diagram above to meet the security needs of their organization. The roles provide a range of privileges that are appropriate for different types of users. For example, assign either Restricted Control or Restricted View to an operator who must not be able to view any Ops Manager credentials.

See the following list for the definition of each role and the UAA scope that grants it:

  • Ops Manager Administrator (UAA scope: opsman.admin)
    Administrators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager, view credentials in the Credentials tab and Ops Manager API endpoints, change the authentication method, and assign roles to other operators.
  • Full Control (UAA scope: opsman.full_control)
    Operators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager, and view credentials in the Credentials tab and Ops Manager API endpoints.
  • Restricted Control (UAA scope: opsman.restricted_control)
    Operators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager. They cannot view credentials in the Credentials tab or Ops Manager API endpoints.
  • Full View (UAA scope: opsman.full_view)
    Operators can view Ops Manager configuration settings and view credentials in the Credentials tab and Ops Manager API endpoints. They cannot make configuration changes or click Apply Changes.
  • Restricted View (UAA scope: opsman.restricted_view)
    Operators can view Ops Manager configuration settings. They cannot make configuration changes or view credentials in the Credentials tab or Ops Manager API endpoints.

When you install a new Ops Manager instance, all existing users have the Ops Manager Administrator role by default.

To assign one of the above roles to an operator, follow the procedure for granting access using either internal authentication or SAML authentication.

Note: Multiple Restricted View and Full View operators can be logged in to Ops Manager at the same time. However, other roles with write access cannot be logged in simultaneously.

Enable RBAC in Ops Manager After Upgrade

When you install a new instance of Ops Manager, RBAC is permanently enabled by default.

If your organization has operators who are devoted to managing certain services like MySQL for PCF, you can use RBAC to assign those services operators a more restricted role.

If you upgrade from an older Ops Manager instance, you must enable RBAC and assign roles to users before they can access Ops Manager. If you do not assign any roles to a user, they cannot log in to Ops Manager.

WARNING: Do not assign roles before you enable RBAC.

Enable RBAC with Internal Authentication

If you are upgrading from an older version of Ops Manager and use internal authentication, do the following to enable RBAC:

  1. Log in to the Ops Manager dashboard.

  2. Click Settings from the user account menu.

  3. Click Advanced.

  4. Click Enable RBAC. When the confirmation dialog box appears, click Confirm and Logout.

    Notes:
    • Enabling RBAC is permanent. You cannot undo this action. When you upgrade Ops Manager, your RBAC settings remain configured.
    • You will not see this dialog box if RBAC is already configured. With new instances of Ops Manager, RBAC is permanently configured by default.

Enable RBAC with SAML Authentication

If you are upgrading from an older version of Ops Manager and use SAML authentication, perform the steps in this section to enable RBAC. With SAML authentication, you must first configure groups in your SAML provider for admins and non-admins, and then map the admin group to Ops Manager.

Step 1: Configure SAML Groups

To gather information from your SAML dashboard, do the following:

  1. Log in to your SAML provider dashboard.

  2. Create or identify the name of the SAML group that contains Ops Manager admin users.

  3. Identify the groups attribute tag you configured for your SAML server.

Step 2: Enable RBAC in Ops Manager

Perform the steps above in Enable RBAC with Internal Authentication to configure Ops Manager to recognize your SAML admin user group.

Note: When RBAC is enabled, only users with the Ops Manager Administrator role can edit SAML configuration.

Create User Accounts in Ops Manager

To assign RBAC roles to operators, you must first create user accounts for them. For more information about creating user accounts in Ops Manager with the User Account and Authentication (UAA) module, see Creating and Managing Ops Manager User Accounts.

Manage RBAC Roles in Ops Manager

You can assign the roles defined in Understand Roles in Ops Manager to determine which operators in your organization make deployment changes, view credentials, and manage user roles in Ops Manager.

Manage Roles with Internal Authentication

If you configured Ops Manager to use internal authentication, do the following to configure roles using the UAA Command Line Interface (UAAC):

  1. Target your UAA server and log in as an admin:

    uaac target https://YOUR-OPSMAN-DOMAIN/uaa
    uaac token owner get
    

  2. When prompted, enter the following credentials. Enter opsman for Client ID and leave Client secret blank, then enter your username and password:

    Client ID: opsman
    Client secret:
    User name: USERNAME
    Password: YOUR-PASSWORD

  3. Assign one of the following roles to a user, replacing USERNAME with their username. Each command adds the user to the UAA group for that scope, so assign only the single least-privileged role the operator needs:

    • Ops Manager Administrator:
      uaac member add opsman.admin USERNAME
    • Full Control:
      uaac member add opsman.full_control USERNAME
    • Restricted Control:
      uaac member add opsman.restricted_control USERNAME
    • Full View:
      uaac member add opsman.full_view USERNAME
    • Restricted View:
      uaac member add opsman.restricted_view USERNAME
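The commands above add users to UAA groups one at a time, and the upgrade note earlier on this page warns that a user with no role cannot log in once RBAC is enabled. The following script is an added example, not part of the Ops Manager documentation or product, that encodes the role table on this page and audits which effective privileges each UAA user holds before you enable RBAC. It reads constructed JSON shaped like the SCIM responses of UAA's /Users and /Groups endpoints (the shape is an assumption; the user and group data is invented). It treats multiple scopes on one user as additive, which is standard UAA token behaviour but an assumption about how Ops Manager evaluates them, and it emits `uaac member add` / `uaac member delete` commands for users who would be locked out or who hold a scope made redundant by another one they already have.

```python
"""Audit Ops Manager RBAC scopes held by UAA users (added example, not Ops Manager code)."""
import json
from collections import defaultdict

# Privileges granted by each UAA scope, taken from the role table on this page.
SCOPE_PRIVILEGES = {
    "opsman.admin":              {"apply_changes", "view_credentials", "change_auth", "manage_roles"},
    "opsman.full_control":       {"apply_changes", "view_credentials"},
    "opsman.restricted_control": {"apply_changes"},
    "opsman.full_view":          {"view_credentials"},
    "opsman.restricted_view":    set(),   # view configuration only
}

# Constructed sample data shaped like UAA SCIM /Users and /Groups output (assumed shape).
USERS_JSON = """{"resources": [
  {"id": "u-alice", "userName": "alice", "origin": "uaa"},
  {"id": "u-bob",   "userName": "bob",   "origin": "uaa"},
  {"id": "u-carol", "userName": "carol", "origin": "uaa"},
  {"id": "u-dave",  "userName": "dave",  "origin": "uaa"}]}"""

GROUPS_JSON = """{"resources": [
  {"id": "g1", "displayName": "opsman.admin",              "members": [{"origin": "uaa", "type": "USER", "value": "u-alice"}]},
  {"id": "g2", "displayName": "opsman.full_control",       "members": [{"origin": "uaa", "type": "USER", "value": "u-bob"}]},
  {"id": "g3", "displayName": "opsman.restricted_view",    "members": [{"origin": "uaa", "type": "USER", "value": "u-bob"}]},
  {"id": "g4", "displayName": "opsman.full_view",          "members": [{"origin": "uaa", "type": "USER", "value": "u-carol"}]},
  {"id": "g5", "displayName": "opsman.restricted_control", "members": [{"origin": "uaa", "type": "USER", "value": "u-carol"}]},
  {"id": "g6", "displayName": "scim.read",                 "members": [{"origin": "uaa", "type": "USER", "value": "u-dave"}]}]}"""


def scopes_by_user(users_json, groups_json):
    """Map each user name to the set of opsman.* scopes it holds through group membership."""
    users = {u["id"]: u["userName"] for u in json.loads(users_json)["resources"]}
    held = defaultdict(set)
    for group in json.loads(groups_json)["resources"]:
        scope = group["displayName"]
        if scope not in SCOPE_PRIVILEGES:
            continue  # not an Ops Manager scope (e.g. scim.read); ignore it
        for member in group.get("members", []):
            if member.get("type", "USER") == "USER" and member["value"] in users:
                held[users[member["value"]]].add(scope)
    for name in users.values():
        held.setdefault(name, set())  # users with no opsman scope still need an entry
    return dict(held)


def effective_privileges(scopes):
    """Union of privileges over all scopes held (assumes scopes are additive)."""
    privileges = set()
    for scope in scopes:
        privileges |= SCOPE_PRIVILEGES[scope]
    return privileges


def audit(users_json, groups_json):
    """Return findings: users locked out by RBAC, users with redundant scopes, admins, credential viewers."""
    held = scopes_by_user(users_json, groups_json)
    findings = {"locked_out": [], "redundant": {}, "admins": [], "can_view_credentials": []}
    for name, scopes in sorted(held.items()):
        if not scopes:
            findings["locked_out"].append(name)  # cannot log in once RBAC is enabled
            continue
        if len(scopes) > 1:
            findings["redundant"][name] = sorted(scopes)
        privileges = effective_privileges(scopes)
        if "manage_roles" in privileges:
            findings["admins"].append(name)
        if "view_credentials" in privileges:
            findings["can_view_credentials"].append(name)
    return findings


def remediation_commands(findings, default_scope="opsman.restricted_view"):
    """Build uaac commands: give locked-out users the least-privileged role, and drop a scope
    only when every privilege it grants is already granted by another scope the user holds."""
    commands = [f"uaac member add {default_scope} {name}" for name in findings["locked_out"]]
    for name, scopes in findings["redundant"].items():
        for scope in scopes:
            others = [o for o in scopes if o != scope]
            if any(SCOPE_PRIVILEGES[scope] < SCOPE_PRIVILEGES[o] for o in others):
                commands.append(f"uaac member delete {scope} {name}")
    return commands


if __name__ == "__main__":
    result = audit(USERS_JSON, GROUPS_JSON)
    print(json.dumps(result, indent=2))
    print("\n".join(remediation_commands(result)))
```

In the sample data, bob's opsman.restricted_view adds nothing to his opsman.full_control and is removed, while carol's opsman.full_view and opsman.restricted_control grant different privileges and together amount to Full Control, so the script keeps both and leaves it to you to decide whether she should instead hold opsman.full_control alone or a single narrower role. To run this against a real deployment, replace the constructed JSON with the output of `uaac curl /Users` and `uaac curl /Groups` after targeting your UAA as shown above.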

Manage Roles with SAML Authentication

If you configured Ops Manager with SAML authentication, do the following to assign non-admin user roles using UAAC:

  1. Target your UAA server and log in as an admin:

    uaac target https://YOUR-OPSMAN-DOMAIN/uaa
    uaac token sso get
    

  2. When prompted, enter Client ID and Passcode, leaving Client secret blank:

    Client ID: opsman
    Client secret:
    Passcode (from https://YOUR-OPSMAN-DOMAIN/uaa/passcode): YOUR-UAA-PASSCODE
    

  3. Run the following command:

    uaac group map SAML-GROUP --name 'OPSMAN-SCOPE' --origin 'external-saml-provider'
    
    Replace the placeholder text as follows:

    • SAML-GROUP: Replace with the name of the SAML group whose members should receive the role.
    • OPSMAN-SCOPE: Replace with the Ops Manager UAA scope for that role. See the list in Understand Roles in Ops Manager to determine which UAA scope to use.
  4. Add new and existing users to the appropriate SAML groups in the SAML provider dashboard. Users must log out of both Ops Manager and the SAML provider for role changes to take effect.
