Configuring Role-Based Access Control (RBAC) in Ops Manager

This topic describes how to customize role-based access control (RBAC) in Pivotal Operations Manager.

Overview

You can use RBAC to manage which operators in your organization can make deployment changes, view credentials, and manage user roles in Ops Manager.

For information about configuring Ops Manager to use internal authentication or SAML authentication, see the BOSH Manager configuration topic for your IaaS.

Roles in Ops Manager

The diagram below illustrates the roles you can assign to determine which operators in your organization can make deployment changes, view credentials, and manage user roles in Ops Manager:

Ops Manager roles diagram

Ops Manager admins can use these roles to meet the security needs of their organization. The roles provide a range of privileges that are appropriate for different types of users. For example, assign either Restricted Control or Restricted View to an operator to prevent access to all Ops Manager credentials.

For more information about each role, see the table below:

Ops Manager Role: Ops Manager Administrator
  Role Definition: Admins can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager, view credentials in the Credentials tab and Ops Manager API endpoints, change the authentication method, and assign roles to other operators.
  UAA Scope: opsman.admin

Ops Manager Role: Full Control
  Role Definition: Operators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager, and view credentials in the Credentials tab and Ops Manager API endpoints.
  UAA Scope: opsman.full_control

Ops Manager Role: Restricted Control
  Role Definition: Operators can make configuration changes and click Review Pending Changes and Apply Changes in Ops Manager. They cannot view credentials in the Credentials tab or Ops Manager API endpoints.
  UAA Scope: opsman.restricted_control

Ops Manager Role: Full View
  Role Definition: Operators can view Ops Manager configuration settings and view credentials in the Credentials tab and Ops Manager API endpoints. They cannot make configuration changes or click Apply Changes.
  UAA Scope: opsman.full_view

Ops Manager Role: Restricted View
  Role Definition: Operators can view Ops Manager configuration settings. They cannot make configuration changes or view credentials in the Credentials tab or Ops Manager API endpoints.
  UAA Scope: opsman.restricted_view

To assign one of the above roles to an operator, see Manage Roles with Internal Authentication or Manage Roles with SAML Authentication.

When you install a new Ops Manager instance, all existing users have the Ops Manager Administrator role by default.

Simultaneous Ops Manager Admins

Ops Manager allows multiple admins to log in to Ops Manager simultaneously and make changes.

The interface does not provide visibility to other admins that are logged in. Pivotal recommends that admins communicate with each other and coordinate their changes.

Precedence for Apply Changes

Only one deployment takes precedence when two admins try to deploy around the same time.

If two admins are working at the same time, the admin who first clicks Apply Changes takes precedence. Ops Manager overwrites all configurations made by other admins during deployment.

Pivotal recommends coordinating changes between admins to avoid overwriting configurations.

Note: If you are having deployment issues or changes to your Ops Manager are not persisting correctly, confirm that your work is not conflicting with an automated admin.

Enable RBAC in Ops Manager After Upgrade

When you install a new instance of Ops Manager, RBAC is permanently enabled by default.

If your organization has operators who are devoted to managing certain services like MySQL for Pivotal Platform, you can use RBAC to assign those services operators a more restricted role.

If you upgrade from an older Ops Manager instance, you must enable RBAC and assign roles to users before they can access Ops Manager. If you do not assign any roles to a user, they cannot log in to Ops Manager.

Warning: Do not assign roles before you enable RBAC.

Enable RBAC with Internal Authentication

If you are upgrading from an older version of Ops Manager and use internal authentication:

  1. Log in to the Ops Manager Installation Dashboard.

  2. From the user account menu, click Settings.

  3. Click Advanced.

  4. Click Enable RBAC. When the confirmation dialog box appears, click Confirm and Logout.

    Notes:
    • Enabling RBAC is permanent. You cannot undo this action. When you upgrade Ops Manager, your RBAC settings remain configured.
    • This dialog box does not appear if RBAC is already configured. With new instances of Ops Manager, RBAC is permanently configured by default.

Enable RBAC with SAML Authentication

If you are upgrading from an older version of Ops Manager and use SAML authentication, follow the procedures in these sections to enable RBAC. With SAML authentication, enabling RBAC requires two steps: configure SAML groups for admins and non-admins, then map the admin group to Ops Manager.

Step 1: Configure SAML Groups

To gather information from your SAML dashboard:

  1. Log in to your SAML provider dashboard.

  2. Create or identify the name of the SAML group that contains Ops Manager admin users.

  3. Identify the groups attribute tag you configured for your SAML server.

Step 2: Enable RBAC in Ops Manager

Follow the procedure in Enable RBAC with Internal Authentication to configure Ops Manager to recognize your SAML admin user group.

Note: When RBAC is enabled, only users with the Ops Manager Administrator role can edit SAML configuration.

Create User Accounts in Ops Manager

To assign RBAC roles to operators, you must first create user accounts for them. For more information about creating user accounts in Ops Manager with the User Account and Authentication (UAA) module, see Creating and Managing Ops Manager User Accounts.

In addition to user accounts, you can create a client account to add to Ops Manager. Client accounts manage automation tasks, such as upgrade scripts, log management, and other behaviors that might be negatively impacted if managed by a user account. You can add a client account either before initial deployment or to an existing deployment.

For more information about client accounts, see Creating and Managing Ops Manager User and Client Accounts.

Manage RBAC Roles in Ops Manager

You can assign the roles defined in Roles in Ops Manager to determine which operators in your organization can make deployment changes, view credentials, and manage user roles in Ops Manager.

Manage Roles with Internal Authentication

If you configured Ops Manager to use internal authentication, you can configure roles using the UAA Command Line Interface (UAAC). For more information, see Creating and Managing Users with the UAA CLI (UAAC).

To use the UAAC to configure roles:

  1. Target your UAA server and log in as an admin by running:

    uaac target https://OPS-MANAGER-DOMAIN/uaa
    uaac token owner get
    

    Where OPS-MANAGER-DOMAIN is the domain of your Ops Manager deployment.

  2. When prompted, enter these credentials, leaving Client secret blank:

    Client ID: opsman
    Client secret:
    User name: USERNAME
    Password: PASSWORD
    

    Where:

    • USERNAME is your username.
    • PASSWORD is your password.
  3. To assign a role to a user, run one of these commands:

    • Ops Manager Administrator:

      uaac member add opsman.admin USERNAME
      

      Where USERNAME is the user to which you want to assign the role.

    • Full Control:

      uaac member add opsman.full_control USERNAME
      

      Where USERNAME is the user to which you want to assign the role.

    • Restricted Control:

      uaac member add opsman.restricted_control USERNAME
      

      Where USERNAME is the user to which you want to assign the role.

    • Full View:

      uaac member add opsman.full_view USERNAME
      

      Where USERNAME is the user to which you want to assign the role.

    • Restricted View:

      uaac member add opsman.restricted_view USERNAME
      

      Where USERNAME is the user to which you want to assign the role.

Manage Roles with SAML Authentication

If you configured Ops Manager with SAML authentication, you can assign non-admin user roles using UAAC. To assign non-admin user roles:

  1. Target your UAA server and log in as an admin by running:

    uaac target https://OPS-MANAGER-DOMAIN/uaa
    uaac token sso get
    

    Where OPS-MANAGER-DOMAIN is the domain of your Ops Manager deployment.

  2. When prompted, enter Client ID and Passcode, leaving Client secret blank:

    Client ID: opsman
    Client secret:
    Passcode: UAA-PASSCODE
    

    Where UAA-PASSCODE is the passcode you retrieved in the previous step.

  3. Run:

    uaac group map SAML-GROUP --name 'OPS-MANAGER-SCOPE' --origin 'saml'
    

    Where:

    • SAML-GROUP is the name of the SAML group to which the user belongs.
    • OPS-MANAGER-SCOPE is the Ops Manager UAA scope you want to assign to the user. To determine which UAA scope to use, see the table in Roles in Ops Manager.
  4. Add new and existing users to the appropriate SAML groups in the SAML provider dashboard. Users must log out of both Ops Manager and the SAML provider for role changes to take effect.

Manage Roles with LDAP Authentication

If you configured Ops Manager with LDAP authentication, you can assign non-admin user roles using UAAC. To assign non-admin user roles:

  1. Target your UAA server and log in as an admin by running:

    uaac target https://OPS-MANAGER-DOMAIN/uaa
    uaac token sso get
    

    Where OPS-MANAGER-DOMAIN is the domain of your Ops Manager deployment.

  2. When prompted, enter Client ID and Passcode, leaving Client secret blank:

    Client ID: opsman
    Client secret:
    Passcode: UAA-PASSCODE
    

    Where UAA-PASSCODE is the passcode you retrieved in the previous step.

  3. Run:

    uaac group map LDAP-GROUP --name 'OPS-MANAGER-SCOPE'
    

    Where:

    • LDAP-GROUP is the name of the LDAP group to which the user belongs.
    • OPS-MANAGER-SCOPE is the Ops Manager UAA scope you want to assign to the user. To determine which UAA scope to use, see the table in Roles in Ops Manager.
  4. Add new and existing users to the appropriate LDAP groups in the LDAP provider dashboard. Users must log out of both Ops Manager and the LDAP provider for role changes to take effect.
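The uaac commands in Manage Roles with Internal Authentication and the group mappings in the SAML and LDAP sections above take the scope name verbatim, with nothing checking that it is one of the five Ops Manager scopes from the Roles in Ops Manager table. The POSIX shell wrapper below is an added example, not part of the Pivotal documentation or of the uaac tool. It resolves a role name to its scope and refuses unknown roles, adds a local least-privilege guard so that opsman.admin is granted only when ALLOW_ADMIN=1, and defaults to a dry run that prints each uaac command instead of executing it. The DRY_RUN and ALLOW_ADMIN variables, the function names, and the pipe-separated assignment list are assumptions made for this example; the uaac subcommands and the --origin handling (saml for SAML, none for LDAP) are exactly as the page shows them. It assumes you have already targeted UAA and obtained a token as described in step 1 and step 2 of each section.

```shell
#!/bin/sh
# Added example: validated wrapper around the uaac role commands on this page.
# Assumptions (not from the Pivotal docs): DRY_RUN=1 (default) prints commands
# instead of running them; ALLOW_ADMIN=1 must be set to grant opsman.admin.
DRY_RUN=${DRY_RUN:-1}
ALLOW_ADMIN=${ALLOW_ADMIN:-0}

# Map a role name from the Roles in Ops Manager table to its UAA scope.
# Prints the scope; returns 1 for an unknown role so callers fail closed.
scope_for_role() {
  case "$1" in
    "Ops Manager Administrator") printf '%s\n' opsman.admin ;;
    "Full Control")              printf '%s\n' opsman.full_control ;;
    "Restricted Control")        printf '%s\n' opsman.restricted_control ;;
    "Full View")                 printf '%s\n' opsman.full_view ;;
    "Restricted View")           printf '%s\n' opsman.restricted_view ;;
    *) printf 'unknown role: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Local guard (assumed policy, not an Ops Manager feature): the admin scope
# can change authentication settings and assign roles, so require opt-in.
check_admin_guard() {
  if [ "$1" = opsman.admin ] && [ "$ALLOW_ADMIN" != 1 ]; then
    printf 'refusing to grant opsman.admin without ALLOW_ADMIN=1\n' >&2
    return 1
  fi
}

# Print the uaac command in a dry run, otherwise execute it.
run_uaac() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "uaac $*"
  else
    uaac "$@"
  fi
}

# Internal authentication (page step 3): uaac member add SCOPE USERNAME
assign_internal_role() {
  user=$1; role=$2
  scope=$(scope_for_role "$role") || return 1
  check_admin_guard "$scope" || return 1
  run_uaac member add "$scope" "$user"
}

# SAML or LDAP (page step 3): uaac group map GROUP --name SCOPE [--origin ORIGIN]
# The page passes --origin 'saml' for SAML and no --origin for LDAP.
map_external_group() {
  group=$1; role=$2; origin=${3:-}
  scope=$(scope_for_role "$role") || return 1
  check_admin_guard "$scope" || return 1
  if [ -n "$origin" ]; then
    run_uaac group map "$group" --name "$scope" --origin "$origin"
  else
    run_uaac group map "$group" --name "$scope"
  fi
}

# Apply a batch of assignments read from stdin (constructed line format):
#   user|USERNAME|ROLE
#   group|GROUP|ROLE|ORIGIN     (leave ORIGIN empty for LDAP)
# Returns non-zero if any line was refused, so a CI job can fail on it.
apply_assignments() {
  failures=0
  while IFS='|' read -r kind name role origin; do
    case "$kind" in
      ''|'#'*) continue ;;
      user)  assign_internal_role "$name" "$role" || failures=$((failures + 1)) ;;
      group) map_external_group "$name" "$role" "$origin" || failures=$((failures + 1)) ;;
      *) printf 'bad line kind: %s\n' "$kind" >&2; failures=$((failures + 1)) ;;
    esac
  done
  [ "$failures" -eq 0 ]
}

# Constructed sample assignments; the last line is refused by the admin guard.
apply_assignments <<'EOF' || printf 'one or more assignments were refused\n' >&2
# user accounts created with internal authentication
user|alice|Restricted View
user|bob|Full Control
# external groups: SAML carries --origin saml, LDAP has no --origin
group|platform-operators|Restricted Control|saml
group|ops-viewers|Full View|
group|platform-admins|Ops Manager Administrator|saml
EOF
```

Run it as-is to see the commands it would issue; set DRY_RUN=0 to execute them against the UAA you targeted, and ALLOW_ADMIN=1 only for the run that is meant to create Ops Manager Administrators. Keeping the assignment list in version control gives you a reviewable record of who holds which scope, which the Ops Manager interface itself does not show for other admins.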