Identity Management in the Management Console

Note: As of v1.8, Enterprise PKS has been renamed to VMware Tanzu Kubernetes Grid Integrated Edition. Some screenshots in this documentation do not yet reflect the change.


On vSphere, you can add individual users or user groups to Tanzu Kubernetes Grid Integrated Edition Management Console. You can assign roles to individual users or to groups. If you assign a role to a group, all of the users in that group have that role.

For information about the roles that you can assign, see UAA Scopes for Tanzu Kubernetes Grid Integrated Edition Users.

For information about the tasks that Cluster Managers can perform, see Tanzu Kubernetes Grid Integrated Edition Architecture. The TKGI Administrator role allows users to manage the Tanzu Kubernetes Grid Integrated Edition infrastructure.

Add Individual Users

The procedure to add individual users to Tanzu Kubernetes Grid Integrated Edition Management Console is as follows.

Note: This release of Tanzu Kubernetes Grid Integrated Edition Management Console does not support assigning roles to individual LDAP or SAML users. To assign roles to LDAP or SAML users, use user groups.

  1. Go to the Identity Management view of the management console.
  2. Select the Users tab.

    Add users

  3. Click Add User.

  4. Enter a user name and enter and verify a password to create a new user account.

    Add a new UAA user

  5. Assign a role to the user.

    • pks.clusters.manage: Accounts with this scope can create and access their own clusters.
    • pks.clusters.admin: Accounts with this scope can create and access all clusters.
    • pks.clusters.admin.read: Accounts with this scope can access any information about all clusters except for cluster credentials.
  6. Click Save.

  7. If you did not assign a role when you created or added the account, or if you want to change a user's role, select the user in the Users tab and select Assign Role.

Add User Groups

The procedure to add user groups to Tanzu Kubernetes Grid Integrated Edition Management Console is as follows.

  1. Go to the Identity Management view of the management console.
  2. Select the Groups tab.

    Add users

  3. Click Add Group.

  4. Enter an existing LDAP or SAML user group.

    • LDAP: Enter the distinguished name of an existing LDAP group under the configured group search base, for example cn=admins,ou=engineering,dc=username,dc=local.
    • SAML: Enter the name of your SAML identity provider group.
  5. Assign a role to the group.

    • pks.clusters.manage: Accounts with this scope can create and access their own clusters.
    • pks.clusters.admin: Accounts with this scope can create and access all clusters.
    • pks.clusters.admin.read: Accounts with this scope can access any information about all clusters except for cluster credentials.

    Add a new UAA user

  6. Click Save.

Note: You must assign a role to a group when you add it. You cannot assign, change, or revoke a group role after you have added the group.
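Because a group role cannot be changed after the group is added, it is worth checking the group entry before you click Save. The following added example (not VMware's code, and not part of the management console) parses the LDAP group DN per RFC 4514, checks that it sits strictly beneath the configured group search base (the search base value shown is a hypothetical one), and rejects role names outside the three scopes listed above. It assumes attribute types and values compare case-insensitively, which holds for cn, ou and dc.

```python
# Added example: pre-flight check for an LDAP group entry before assigning a role.
VALID_SCOPES = {"pks.clusters.manage", "pks.clusters.admin", "pks.clusters.admin.read"}


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings, honouring backslash escapes so an escaped
    comma inside a value (cn=Smith\\, John) does not split the DN."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_rdn(rdn: str) -> str:
    """Lower-case type and value and strip surrounding whitespace (assumes caseIgnoreMatch)."""
    if "=" not in rdn:
        raise ValueError(f"malformed RDN: {rdn!r}")
    attr, value = rdn.split("=", 1)
    return f"{attr.strip().lower()}={value.strip().lower()}"


def is_under_search_base(group_dn: str, search_base: str) -> bool:
    """True when group_dn is strictly beneath search_base (equal or above is rejected)."""
    group = [normalize_rdn(r) for r in split_dn(group_dn)]
    base = [normalize_rdn(r) for r in split_dn(search_base)]
    if len(group) <= len(base):
        return False
    return group[-len(base):] == base


def validate_group_entry(group_dn: str, scope: str, search_base: str) -> list[str]:
    """Return a list of problems; an empty list means the entry is safe to save."""
    problems = []
    try:
        if not is_under_search_base(group_dn, search_base):
            problems.append(f"{group_dn!r} is not beneath search base {search_base!r}")
    except ValueError as exc:
        problems.append(str(exc))
    if scope not in VALID_SCOPES:
        problems.append(f"unknown scope {scope!r}; expected one of {sorted(VALID_SCOPES)}")
    return problems
```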

Remove Individual Users

The procedure to remove individual users from Tanzu Kubernetes Grid Integrated Edition Management Console is as follows.

  1. Go to the Identity Management view of the management console.
  2. Select the Users tab.
  3. Select a user.
  4. Click Remove User.

Remove User Groups

The procedure to remove user groups from Tanzu Kubernetes Grid Integrated Edition Management Console is as follows.

  1. Go to the Identity Management view of the management console.
  2. Select the Groups tab.
  3. Select a group.
  4. Click Remove Group.

Next Steps

