Configuring Role-Based Access Control (RBAC) in Ops Manager
This topic describes how to customize role-based access control (RBAC) in Ops Manager. Use RBAC to manage which operators in your organization can make deployment changes, view credentials, and manage user roles in Ops Manager.
For information about configuring Ops Manager to use internal authentication or SAML authentication, see the Ops Manager configuration topic for your IaaS:
- Configuring Ops Manager on AWS
- Configuring Ops Manager on Azure
- Configuring Ops Manager on GCP
- Configuring Ops Manager on OpenStack
- Configuring Ops Manager on vSphere
You can assign the following roles to determine which operators in your organization make deployment changes, view credentials, and manage user roles in Ops Manager. Ops Manager administrators can use these roles to meet the security needs of their organization. The roles provide a range of privileges that are appropriate for different types of users. For example, assign either Restricted Control or Restricted View to an operator to prevent access to all Ops Manager credentials.
See the following table for more information about each role:
| Ops Manager Role | Role Definition | UAA Scope |
| --- | --- | --- |
| Ops Manager Administrator | Administrators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager, view credentials in the Credentials tab and Ops Manager API endpoints, change the authentication method, and assign roles to other operators. | opsman.admin |
| Full Control | Operators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager, and view credentials in the Credentials tab and Ops Manager API endpoints. | opsman.full_control |
| Restricted Control | Operators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager. They cannot view credentials in the Credentials tab or Ops Manager API endpoints. | opsman.restricted_control |
| Full View | Operators can view Ops Manager configuration settings and view credentials in the Credentials tab and Ops Manager API endpoints. They cannot make configuration changes or click Apply Changes. | opsman.full_view |
| Restricted View | Operators can view Ops Manager configuration settings. They cannot make configuration changes or view credentials in the Credentials tab or Ops Manager API endpoints. | opsman.restricted_view |
When you install a new Ops Manager instance, all existing users have the Ops Manager Administrator role by default.
Ops Manager allows multiple Ops Manager Administrators to log in simultaneously. Administrators can make changes to and deploy Ops Manager to change its components and behavior.
There is no maximum number of Administrators that can log into Ops Manager simultaneously.
There are no functionality restrictions placed on Administrators who are logged in simultaneously. Multiple Administrators can reconfigure the same fields at the same time. If you intend to have two or more Administrators reconfiguring the same fields, coordinate their planned actions so they do not accidentally overwrite each other’s work.
However, only one deploy can occur at a time. If one Administrator clicks Apply Changes, all other attempts to deploy will fail until the deploy currently in progress completes.
For example: User A and User B both authenticate as Ops Manager Administrators and access the same Ops Manager instance at the same time. User A reconfigures a field in the Syslog pane of the BOSH Director, clicks Save, and clicks Apply Changes to deploy the BOSH Director. User A’s deploy initiates.
Two minutes later, User B reconfigures a field in the Syslog pane of the BOSH Director, clicks Save, and clicks Apply Changes to deploy. User B is unable to initiate a deploy because the deploy User A initiated is already in progress. User B must wait for User A’s deploy to complete before they can click Apply Changes.
Furthermore, if User B attempts to change Ops Manager fields while User A’s deploy is in progress, User B’s changes will be erased when User A’s deploy completes successfully. User B must wait until no deploy is taking place before making changes and redeploying.
Note: Some Ops Manager Administrators configure external apps to modify their Ops Manager instances. For example, continuous integration and deployment (CI/CD) pipelines can have their own Administrator accounts. These apps have Administrator user privileges identical to human Administrator user accounts. A human Administrator’s actions can be delayed or overwritten by an automated Administrator. Similarly, an automated Administrator’s actions can be delayed or overwritten by a human Administrator. If you are having deployment issues or changes to your Ops Manager are not persisting correctly, confirm that your work is not conflicting with that of an automated Administrator.
When you install a new instance of Ops Manager, RBAC is permanently enabled by default.
If your organization has operators who are devoted to managing certain services like MySQL for PCF, you can use RBAC to assign those services operators a more restricted role.
If you upgrade from an older Ops Manager instance, you must enable RBAC and assign roles to users before they can access Ops Manager. If you do not assign any roles to a user, they cannot log in to Ops Manager.
WARNING: Do not assign roles before you enable RBAC.
If you are upgrading from an older version of Ops Manager and use internal authentication, do the following to enable RBAC:
Log in to the Ops Manager dashboard.
Click Settings from the user account menu.
Click Enable RBAC. When the confirmation dialog box appears, click Confirm and Logout.
Notes:
- Enabling RBAC is permanent. You cannot undo this action. When you upgrade Ops Manager, your RBAC settings remain configured.
- You will not see this dialog box if RBAC is already configured. With new instances of Ops Manager, RBAC is permanently configured by default.
If you are upgrading from an older version of Ops Manager and use SAML authentication, perform the steps in this section to enable RBAC. To enable RBAC in Ops Manager when using SAML authentication, you must configure groups in SAML for admins and non-admins and then map the admin group to Ops Manager.
To gather information from your SAML dashboard, do the following:
Log in to your SAML provider dashboard.
Create or identify the name of the SAML group that contains Ops Manager admin users.
Identify the groups attribute tag you configured for your SAML server.
Perform the steps above in Enable RBAC with Internal Authentication to configure Ops Manager to recognize your SAML admin user group.
Note: When RBAC is enabled, only users with the Ops Manager Administrator role can edit SAML configuration.
To assign RBAC roles to operators, you must first create user accounts for them. For more information about creating user accounts in Ops Manager with the User Account and Authentication (UAA) module, see Creating and Managing Ops Manager User Accounts.
You can assign the roles defined in Understanding Roles in Ops Manager to determine which operators in your organization make deployment changes, view credentials, and manage user roles in Ops Manager.
If you configured Ops Manager to use internal authentication, do the following to configure roles using the UAA Command Line Interface (UAAC):
Target your UAA server and log in as an admin:
uaac target https://YOUR-OPSMAN-DOMAIN/uaa
uaac token owner get
When prompted, enter the following credentials. Enter opsman for Client ID and leave Client secret blank, then enter your username and password:
Client ID: opsman
Client secret:
User name: USERNAME
Password: YOUR-PASSWORD
Assign one of the following roles to a user, replacing USERNAME with their username.
- Ops Manager Administrator:
uaac member add opsman.admin USERNAME
- Full Control:
uaac member add opsman.full_control USERNAME
- Restricted Control:
uaac member add opsman.restricted_control USERNAME
- Full View:
uaac member add opsman.full_view USERNAME
- Restricted View:
uaac member add opsman.restricted_view USERNAME
If you configured Ops Manager with SAML authentication, do the following to assign non-admin user roles using UAAC:
Target your UAA server and log in as an admin:
uaac target https://YOUR-OPSMAN-DOMAIN/uaa
uaac token sso get
When prompted, enter Client ID and Passcode, leaving Client secret blank:
Client ID: opsman
Client secret:
Passcode (from http://YOUR-OPSMAN-DOMAIN/uaa/passcode): YOUR-UAA-PASSCODE
Run the following command:
uaac group map SAML-GROUP --name 'OPSMAN-SCOPE' --origin 'external-saml-provider'
Replace the placeholder text as follows:
- SAML-GROUP: Replace with the name of the SAML group the user belongs to.
- OPSMAN-SCOPE: Replace with an Ops Manager UAA scope. See the table in Understanding Roles in Ops Manager to determine which UAA scope to use.
Add new and existing users to the appropriate SAML groups in the SAML provider dashboard. Users must log out of both Ops Manager and the SAML provider for role changes to take effect.
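The following script is an added example, not part of the Ops Manager documentation or the uaac tool, that wraps the two procedures above (internal-authentication `uaac member add` and SAML `uaac group map`) in a roster-driven helper. It assumes uaac is installed and already targeted and logged in as an admin, and it refuses any role name that is not one of the five in the table so that a typo in a roster cannot silently grant an unintended scope; the role names, the OPSMAN_DRY_RUN variable and the roster format are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the Ops Manager docs). Assigns Ops Manager RBAC roles
# from a roster of "subject role" lines. Set OPSMAN_DRY_RUN=1 to print the uaac
# commands instead of executing them.

# Translate a role name (this example's short names) to its Ops Manager UAA scope.
# Unknown names fail closed: the function returns 1 and prints nothing.
role_to_scope() {
  case "$1" in
    admin)              echo opsman.admin ;;
    full_control)       echo opsman.full_control ;;
    restricted_control) echo opsman.restricted_control ;;
    full_view)          echo opsman.full_view ;;
    restricted_view)    echo opsman.restricted_view ;;
    *)                  return 1 ;;
  esac
}

# Run uaac, or echo the command line when OPSMAN_DRY_RUN=1.
run_uaac() {
  if [ "${OPSMAN_DRY_RUN:-0}" = 1 ]; then echo "uaac $*"; else uaac "$@"; fi
}

# Internal authentication: grant one role to one UAA user.
# Usage: assign_internal_role USERNAME ROLE
assign_internal_role() {
  scope=$(role_to_scope "$2") || { echo "unknown role: $2" >&2; return 1; }
  run_uaac member add "$scope" "$1"
}

# SAML: map an external group to a scope; origin defaults to the page's example.
# Usage: map_saml_group SAML-GROUP ROLE [ORIGIN]
map_saml_group() {
  scope=$(role_to_scope "$2") || { echo "unknown role: $2" >&2; return 1; }
  run_uaac group map "$1" --name "$scope" --origin "${3:-external-saml-provider}"
}

# Apply a roster read from stdin ("subject role" per line, '#' comments allowed)
# with the given assignment function; stops at the first unknown role.
# Usage: apply_roster assign_internal_role < roster.txt
apply_roster() {
  while read -r subject role; do
    case "$subject" in ''|'#'*) continue ;; esac
    "$1" "$subject" "$role" || return 1
  done
}
```

Usernames and SAML group names in the roster are constructed sample data; a real roster would hold the UAA usernames created under Creating and Managing Ops Manager User Accounts or the groups configured in the SAML provider.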