Configuring Role-Based Access Control (RBAC) in Ops Manager
Page last updated:
This topic describes how to customize role-based access control (RBAC) in Ops Manager. Use RBAC to manage which operators in your organization can make deployment changes, view credentials, and manage user roles in Ops Manager.
For information about configuring Ops Manager to use internal authentication or SAML authentication, see the Ops Manager configuration topic for your IaaS:
- Configuring BOSH Director on AWS
- Configuring BOSH Director on Azure Manually
- Configuring BOSH Director on GCP
- Configuring BOSH Director on OpenStack
- Configuring BOSH Director on vSphere
You can assign the following roles to determine which operators in your organization make deployment changes, view credentials, and manage user roles in Ops Manager:
Ops Manager administrators can use the roles defined in the diagram above to meet the security needs of their organization. The roles provide a range of privileges that are appropriate for different types of users. For example, assign either Restricted Control or Restricted View to an operator to prevent access to all Ops Manager credentials.
See the following table for more information about each role:
|Ops Manager Role||Role Definition||UAA Scope|
|Ops Manager Administrator||Administrators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager, view credentials in the Credentials tab and Ops Manager API endpoints, change the authentication method, and assign roles to other operators.||
|Full Control||Operators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager, and view credentials in the Credentials tab and Ops Manager API endpoints.||
|Restricted Control||Operators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager. They cannot view credentials in the Credentials tab or Ops Manager API endpoints.||
|Full View||Operators can view Ops Manager configuration settings and view credentials in the Credentials tab and Ops Manager API endpoints. They cannot make configuration changes or click Apply Changes.||
|Restricted View||Operators can view Ops Manager configuration settings. They cannot make configuration changes or view credentials in the Credentials tab or Ops Manager API endpoints.||
When you install a new Ops Manager instance, all existing users have the Ops Manager Administrator role by default.
Ops Manager allows multiple administrators to log in to Ops Manager simultaneously and make changes.
The interface does not provide visibility to other administrators that are logged in. Pivotal recommends that administrators communicate with each other and coordinate their changes.
Only one deployment takes precedence when two administrators try to deploy around the same time.
If two administrators are working at the same time, the administrator who first clicks Apply Changes takes precedence. Ops Manager overwrites all configurations made by other administrators during deployment.
Pivotal recommends coordinating changes between administrators to avoid overwriting configurations.
Note: If you are having deployment issues or changes to your Ops Manager are not persisting correctly, confirm that your work is not conflicting with an automated administrator.
When you install a new instance of Ops Manager, RBAC is permanently enabled by default.
If your organization has operators who are devoted to managing certain services like MySQL for PCF, you can use RBAC to assign those services operators a more restricted role.
If you upgrade from an older Ops Manager instance, you must enable RBAC and assign roles to users before they can access Ops Manager. If you do not assign any roles to a user, they cannot log in to Ops Manager.
WARNING: Do not assign roles before you enable RBAC.
If you are upgrading from an older version of Ops Manager and use internal authentication, do the following to enable RBAC:
Log in to the Ops Manager dashboard.
Click Settings from the user account menu.
Click Enable RBAC. When the confirmation dialog box appears, click Confirm and Logout.Notes:
- Enabling RBAC is permanent. You cannot undo this action. When you upgrade Ops Manager, your RBAC settings remain configured.
- You will not see this dialog box if RBAC is already configured. With new instances of Ops Manager, RBAC is permanently configured by default.
If you are upgrading from an older version of Ops Manager and use SAML authentication, perform the steps in this section to enable RBAC. To enable RBAC in Ops Manager when using SAML authentication, you must configure groups in SAML for admins and non-admins and then map the admin group to Ops Manager.
To gather information from your SAML dashboard, do the following:
Log in to your SAML provider dashboard.
Create or identify the name of the SAML group that contains Ops Manager admin users.
Identify the groups attribute tag you configured for your SAML server.
Perform the steps above in Enable RBAC with Internal Authentication to configure Ops Manager to recognize your SAML admin user group.
Note: When RBAC is enabled, only users with the Ops Manager Administrator role can edit SAML configuration.
To assign RBAC roles to operators, you must first create user accounts for them. For more information about creating user accounts in Ops Manager with the User Account and Authentication (UAA) module, see Creating and Managing Ops Manager User Accounts.
In addition to user accounts, you can create a client account to add to Ops Manager. Client accounts manage automation tasks, such as upgrade scripts, log management, and other behaviors that might be negatively impacted if managed by a user account. You can add a client account either before initial deployment or to an existing deployment.
For more information about client accounts, see Creating and Managing Ops Manager User and Client Accounts.
You can assign the roles defined in Roles in Ops Manager to determine which operators in your organization make deployment changes, view credentials, and manage user roles in Ops Manager.
If you configured Ops Manager to use internal authentication, do the following to configure roles using the UAA Command Line Interface (UAAC):
Target your UAA server and log in as an admin:
uaac target https://YOUR-OPSMAN-DOMAIN/uaa uaac token owner get
When prompted, enter the following credentials. Enter
opsmanfor Client ID and leave Client secret blank, then enter your username and password:
Client ID: opsman Client secret: User name: USERNAME Password: YOUR-PASSWORD
Assign one of the following roles to a user, replacing
USERNAMEwith their username.
- Ops Manager Administrator:
uaac member add opsman.admin USERNAME
- Full Control:
uaac member add opsman.full_control USERNAME
- Restricted Control:
uaac member add opsman.restricted_control USERNAME
- Full View:
uaac member add opsman.full_view USERNAME
- Restricted View:
uaac member add opsman.restricted_view USERNAME
- Ops Manager Administrator:
If you configured Ops Manager with SAML authentication, do the following to assign non-admin user roles using UAAC:
Target your UAA server and log in as an admin:
uaac target https://YOUR-OPSMAN-DOMAIN/uaa uaac token sso get
When prompted, enter Client ID and Passcode, leaving Client secret blank:
Client ID: opsman Client secret: Passcode (from http://YOUR-OPSMAN-DOMAIN/uaa/passcode): YOUR-UAA-PASSCODE
Run the following command:
uaac group map SAML-GROUP --name 'OPSMAN-SCOPE' --origin 'saml'Replace the placeholder text as follows:
SAML-GROUP: Replace with name of the SAML group the user belongs to.
OPSMAN-SCOPE: Replace with an Ops Manager UAA scope. See the table in Understand Roles in Ops Manager to determine which UAA scope to use.
Add new and existing users to the appropriate SAML groups in the SAML provider dashboard. Users must log out of both Ops Manager and the SAML provider for role changes to take effect.