Creating and Managing Ops Manager User and Client Accounts

This topic describes how to add and remove Ops Manager users. It also describes how you can use an admin Ops Manager account to create client accounts that you can use for Ops Manager automation.

Overview

Pivotal Cloud Foundry supports multiple user accounts in Ops Manager. A User Account and Authentication (UAA) module co-located on the Ops Manager VM manages access permissions to Ops Manager.

When Ops Manager boots for the first time, you create an admin user. However, you do not create additional users through the Ops Manager web interface. If you want to create additional users who can log into Ops Manager, you must use the UAA API, either through curl or the UAA Command Line Client (UAAC).

Follow these steps to add or remove users with UAAC. If you do not already have the UAAC installed, run gem install cf-uaac on the command line.

Note: You can only manage users on the Ops Manager UAA module if you chose to use Internal Authentication instead of an external Identity Provider when configuring Ops Manager.

Add Ops Manager Users

To add Ops Manager users, do the following:

  1. Target your Ops Manager UAA:
    $ uaac target https://YOUR-OPSMANAGER-FQDN/uaa/
    Where:
    • YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
  2. Get your token:

    $ uaac token owner get
    Client ID: opsman
    Client Secret:
    Username: OPSMANAGER-ADMIN-USERNAME
    Password: OPSMANAGER-ADMIN-PASSWORD
     
    Successfully fetched token via client credentials grant.
    Target https://YOUR-OPSMANAGER-FQDN/uaa/
    
    Where:

    • YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
    • OPSMANAGER-ADMIN-USERNAME and OPSMANAGER-ADMIN-PASSWORD are the username and password for the Ops Manager admin user.

      Note: The Client Secret field does not require a value.

  3. Add a user.

    $ uaac user add USER-NAME -p USER-PASSWORD --emails USER-EMAIL@EXAMPLE.COM
    Where:

    • USER-NAME is the username of the user you are adding.
    • USER-PASSWORD is the password with which this user authenticates.
    • USER-EMAIL is the email address associated with this user.
  4. (Optional) Set the Role-Based Access Control (RBAC) permissions for your user. For more information, see Configuring Role-Based Access Control (RBAC) in Ops Manager.

Remove Ops Manager Users

To remove Ops Manager users, do the following:

  1. Target your Ops Manager UAA:
    $ uaac target https://YOUR-OPSMANAGER-FQDN/uaa/
  2. Get your token:

    $ uaac token owner get
    Client ID: opsman
    Client Secret:
    Username: OPSMANAGER-ADMIN-USERNAME
    Password: OPSMANAGER-ADMIN-PASSWORD
     
    Successfully fetched token via client credentials grant.
    Target https://YOUR-OPSMANAGER-FQDN/uaa/
    
    Where:

    • YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
    • OPSMANAGER-ADMIN-USERNAME and OPSMANAGER-ADMIN-PASSWORD are the username and password for the Ops Manager admin user.

      Note: The Client Secret field does not require a value.

  3. Delete a user:

    $ uaac user delete USER-NAME
    Where:

    • USER-NAME is the username of the user you wish to delete.

Add Ops Manager Client Accounts

The following sections describe how to create client accounts for Ops Manager automation using an admin account.

If you want to automate aspects of Ops Manager, Pivotal recommends using a UAA client account to configure automation for Ops Manager.

A user account can also be used to configure automated components, but client accounts are not tied to the authentication protocols that imported or newly created user accounts are. Automation that runs under a user account fails whenever that account becomes unavailable because of a permission or authentication issue.

Log in to UAAC as an Admin

In order to configure a client, you must first log in to UAAC as an admin.

Use one of the following two methods to authenticate to UAAC:

Authenticate Using SAML or SSO

If you’re using SAML or SSO, authenticate to UAAC as an admin before creating a client.

To authenticate to UAAC, do the following:

  1. Target your UAA server.
    uaac target https://YOUR-OPSMANAGER-FQDN/uaa
    Where:
    • YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
  2. Log in as an admin.
    uaac token sso get
  3. When prompted, type the Client ID and passcode. Leave the client secret blank.

    Client ID: opsman
    Client secret:
    Passcode (from https://YOUR-OPSMANAGER-FQDN/uaa/passcode): YOUR-UAA-PASSCODE

    Where:

    • YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
    • YOUR-UAA-PASSCODE is the passcode with which you authenticate to UAA.

Authenticate Using LDAP

If you’re not using SAML or SSO, authenticate to UAAC as an admin before creating a client.

To authenticate to UAAC, do the following:

  1. Target your UAA server.
    uaac target https://YOUR-OPSMANAGER-FQDN/uaa
    Where:
    • YOUR-OPSMANAGER-FQDN is the fully qualified domain name of your Ops Manager installation.
  2. Log in as an admin.
    uaac token owner get
  3. When prompted, type the Client ID, your username, and your password. Leave the client secret blank.

    Client ID: opsman
    Client secret:
    User name: admin
    Password: *****

  4. UAAC confirms the login with the message Successfully fetched token.

Create a Client

After you authenticate to UAAC, create a client to manage automated components and tasks.

To create a client, do the following:

  1. Create a client with role-based permissions, an ID, and an authentication secret using UAAC:
    $ uaac client add CLIENT-ID --authorized_grant_types client_credentials --authorities opsman.admin --secret CLIENT-SECRET
    Where:
    • CLIENT-ID is the name of your client.
    • CLIENT-SECRET is the secret you use to authenticate to your client.

The opsman.admin authority in the example above grants a specific set of permissions to the client. You can choose which permissions the client has by assigning a different role.

For more information about Ops Manager roles and what they do, see Understanding Roles in Ops Manager.
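As an added example, not from the Pivotal documentation, the following shows how an automation job can use the client created above: it requests a token from the Ops Manager UAA with the client_credentials grant, checks locally that the token actually carries the opsman.admin scope before doing any work, and returns the token for use as a bearer token on Ops Manager API calls. The FQDN, client id and secret in the test are placeholders, and sample_token builds a constructed, unsigned JWT purely for offline testing.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(opsman_fqdn, client_id, client_secret):
    """Build the client_credentials grant request for the Ops Manager UAA.
    The id and secret go in a Basic Authorization header, never in the URL."""
    url = f"https://{opsman_fqdn}/uaa/oauth/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return url, headers, body


def token_scopes(access_token):
    """Return the scope list from the payload of a UAA-issued JWT.
    The signature is not checked here: this is only a local sanity check that
    the client really holds opsman.admin; Ops Manager verifies every token."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("scope", [])


def fetch_client_token(opsman_fqdn, client_id, client_secret, required="opsman.admin"):
    """Obtain a token for the automation client and confirm its authority.
    urlopen verifies TLS; trust the Ops Manager CA rather than disabling it."""
    url, headers, body = build_token_request(opsman_fqdn, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    if required not in token_scopes(token):
        raise PermissionError(f"client {client_id} was not granted {required}")
    # Use as {"Authorization": f"Bearer {token}"} on Ops Manager API calls.
    return token


def sample_token(scopes):
    """Constructed, unsigned JWT used only to exercise token_scopes() offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'scope': scopes, 'client_id': 'automation'})}."
```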

For more information about the Ops Manager API, see Using the Ops Manager API.