Creating and Managing Ops Manager User and Client Accounts


Pivotal Cloud Foundry supports multiple user accounts in Ops Manager. A User Account and Authentication (UAA) module co-located on the Ops Manager VM manages access permissions to Ops Manager.

When Ops Manager boots for the first time, you create an admin user. The Ops Manager web interface does not provide a way to create additional users. If you want additional users who can log in to Ops Manager, you must create them through the UAA API, either with curl or with the UAA Command Line Client (UAAC).

Note: You can only manage users on the Ops Manager UAA module if you chose to use Internal Authentication instead of an external Identity Provider when configuring Ops Manager.

Follow these steps to add or remove users via the UAAC. If you do not already have the UAAC installed, run gem install cf-uaac from a terminal window.

Adding Users to Ops Manager

  1. Target your Ops Manager UAA:
    $ uaac target https://YOUR-OPSMAN-FQDN/uaa/
  2. Get your token:
    $ uaac token owner get
    Client ID: opsman
    Client Secret: [Press Enter]
    Username: Admin
    Password: *******
     
    Successfully fetched token via client credentials grant.
    Target https://YOUR-OPSMAN-FQDN/uaa/
    
  3. Add a user:
    $ uaac user add YOUR-USER-NAME -p YOUR-USER-PASSWORD --emails YOUR-USER-EMAIL@EXAMPLE.COM
  4. (Optional) Set your user’s Role-Based Access Control (RBAC) permissions. For more information, see Configuring Role-Based Access Control (RBAC) in Ops Manager.

Removing Users from Ops Manager

  1. Target your Ops Manager UAA:
    $ uaac target https://YOUR-OPSMAN-FQDN/uaa/
  2. Get your token:
    $ uaac token owner get
    Client ID: opsman
    Client Secret: [Press Enter]
    Username: Admin
    Password: *******

    Successfully fetched token via client credentials grant.
    Target https://YOUR-OPSMAN-FQDN/uaa/

  3. Delete a user:
    $ uaac user delete YOUR-USER-NAME
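The two procedures above (adding and removing a user) wrapped into shell functions, as an added example; this is not code from the Pivotal documentation or from the uaac project. It assumes the non-interactive form of step 2, `uaac token owner get opsman USERNAME -s '' -p PASSWORD` (the opsman client has an empty secret), that `uaac user get NAME` exits non-zero when the user does not exist, and that a `UAAC` variable may point the functions at a substitute command for testing. The example is idempotent: re-running it against a user that already exists, or deleting one that is already gone, is reported rather than treated as a failure, which is what an automation job needs.

```sh
#!/bin/sh
# Added example, not part of the Ops Manager documentation or the uaac tool.
# Assumptions: UAAC can be overridden (defaults to the uaac binary);
# `uaac user get NAME` exits non-zero for an unknown user;
# `uaac token owner get CLIENT USER -s SECRET -p PASSWORD` is the
# non-interactive equivalent of the interactive "Get your token" step.
set -eu

UAAC="${UAAC:-uaac}"

# Steps 1 and 2: target the Ops Manager UAA and fetch a token through the
# opsman client. The admin password arrives as a variable, so it is not typed
# into the shell history as a literal.
opsman_login() {
  target="$1"; admin_user="$2"; admin_password="$3"
  "$UAAC" target "$target" >/dev/null
  "$UAAC" token owner get opsman "$admin_user" -s '' -p "$admin_password" >/dev/null
}

# Step 3 of "Adding Users", made idempotent: prints "exists" and leaves the
# account alone if it is already present, otherwise creates it and prints "created".
opsman_ensure_user() {
  name="$1"; email="$2"; password="$3"
  if "$UAAC" user get "$name" >/dev/null 2>&1; then
    echo "exists"
    return 0
  fi
  "$UAAC" user add "$name" -p "$password" --emails "$email" >/dev/null
  echo "created"
}

# Step 3 of "Removing Users": prints "deleted" after removing the account, or
# "absent" if there was nothing to remove.
opsman_remove_user() {
  name="$1"
  if "$UAAC" user get "$name" >/dev/null 2>&1; then
    "$UAAC" user delete "$name" >/dev/null
    echo "deleted"
  else
    echo "absent"
  fi
}

# Usage (values are placeholders):
#   opsman_login https://YOUR-OPSMAN-FQDN/uaa/ admin "$OPSMAN_ADMIN_PASSWORD"
#   opsman_ensure_user YOUR-USER-NAME YOUR-USER-EMAIL@EXAMPLE.COM "$NEW_USER_PASSWORD"
#   opsman_remove_user YOUR-USER-NAME
```

Passing passwords as arguments keeps them out of history but they are still visible as process arguments while uaac runs; where that matters, run `uaac user add` without `-p` and supply the password at the prompt uaac then shows.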

Creating UAA Clients for Ops Manager

If you want to automate aspects of Ops Manager, Pivotal recommends using a UAA client account to configure automation for Ops Manager. A user account can configure automated components, but client accounts are not bound to authentication protocols the way imported or new user accounts can be. A user account that controls automated components can cause those components to fail if the account experiences inconsistent availability due to permission or authentication issues.

Logging in to UAAC as an Admin

In order to configure a client, you must first log in to UAAC as an admin. You can use one of the following two methods to authenticate to UAAC.

Authenticate via SAML or SSO

If you’re using SAML or SSO, authenticate to UAAC by entering these commands:

  1. Target your UAA server and log in as an admin:
    $ uaac target https://YOUR-OPSMAN-DOMAIN/uaa
    $ uaac token sso get
  2. When prompted, enter the Client ID and passcode. Leave the client secret blank.
    Client ID: opsman
    Client secret: [Press Enter]
    Passcode (from http://YOUR-OPSMAN-DOMAIN/uaa/passcode): YOUR-UAA-PASSCODE

Authenticate via LDAP

If you’re not using SAML or SSO, authenticate to UAAC by entering these commands:

  1. Target your UAA server and log in as an admin:
    $ uaac target https://YOUR-OPSMAN-DOMAIN/uaa
    $ uaac token owner get
  2. When prompted, enter the Client ID, your username, and your password. Leave the client secret blank.
    Client ID: opsman
    Client secret: [Press Enter]
    User name: admin
    Password: *****
  3. A message appears confirming that UAAC successfully fetched a token.

You have successfully authenticated to UAAC as an admin. Next, you’ll create the client.

Creating a Client

After you authenticate to UAAC, create a client to manage automated components and tasks. Use the following command to create a client with role-based permissions, an ID, and an authentication secret:

$ uaac client add CLIENT-ID --authorized_grant_types client_credentials --authorities opsman.admin --secret CLIENT-SECRET

The opsman.admin authorities referenced in the example above grant specific permissions to the client. You can choose which permissions you wish the client to have by assigning a different role. For more information about Ops Manager roles and what they do, see Understanding Roles in Ops Manager.
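The client creation above, as an added example in shell that is not code from the Pivotal documentation or the uaac project. It creates the client only if it does not already exist and then reads the client back to confirm it holds exactly the intended authority and can use no grant type other than client_credentials, which is the least-privilege check worth running before handing the credentials to an automation job. Assumptions not on the page: `uaac client get ID` exits non-zero for an unknown client and otherwise prints `key: value` lines that include `authorized_grant_types:` and `authorities:`; the `UAAC` variable may point at a substitute command for testing; the secret and admin password arrive as variables (for example from a CI secret store) rather than typed literals.

```sh
#!/bin/sh
# Added example, not part of the Ops Manager documentation or the uaac tool.
# Assumptions: UAAC can be overridden (defaults to the uaac binary);
# `uaac client get ID` exits non-zero for an unknown client and otherwise
# prints "key: value" lines including authorized_grant_types and authorities;
# `uaac token owner get CLIENT USER -s SECRET -p PASSWORD` is the
# non-interactive form of the "Authenticate via LDAP" login.
set -eu

UAAC="${UAAC:-uaac}"

opsman_login() {
  "$UAAC" target "$1" >/dev/null
  "$UAAC" token owner get opsman "$2" -s '' -p "$3" >/dev/null
}

# Create the automation client only if it is missing: prints "exists" or "created".
# The secret is a variable, not a typed literal, so it stays out of shell history.
opsman_ensure_client() {
  client_id="$1"; authority="$2"; secret="$3"
  if "$UAAC" client get "$client_id" >/dev/null 2>&1; then
    echo "exists"
    return 0
  fi
  "$UAAC" client add "$client_id" --authorized_grant_types client_credentials \
    --authorities "$authority" --secret "$secret" >/dev/null
  echo "created"
}

# Least-privilege check: prints "ok" only when the client's sole grant type is
# client_credentials and its authorities are exactly the expected role.
# Prints "missing" or a "mismatch: ..." line and returns 1 otherwise.
opsman_check_client() {
  client_id="$1"; authority="$2"
  info=$("$UAAC" client get "$client_id") || { echo "missing"; return 1; }
  grants=$(printf '%s\n' "$info" | sed -n 's/^ *authorized_grant_types: *//p')
  auths=$(printf '%s\n' "$info" | sed -n 's/^ *authorities: *//p')
  if [ "$grants" = "client_credentials" ] && [ "$auths" = "$authority" ]; then
    echo "ok"
  else
    echo "mismatch: grants=$grants authorities=$auths"
    return 1
  fi
}

# Usage (values are placeholders):
#   opsman_login https://YOUR-OPSMAN-DOMAIN/uaa admin "$OPSMAN_ADMIN_PASSWORD"
#   opsman_ensure_client CLIENT-ID opsman.admin "$CLIENT_SECRET"
#   opsman_check_client CLIENT-ID opsman.admin
```

Substituting a narrower role for opsman.admin in both calls is how you scope the client down; the check then fails loudly if someone later widens the client's authorities or adds an interactive grant type to it.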
