Monday, July 3, 2017

vRealize Log Insight - Role Based Access Control


Role Based Access Control (RBAC) lets system administrators control user access to vRealize Log Insight (vRLI). This post covers configuring RBAC in vRealize Log Insight and using it to control access to sections of the vRLI UI.

RBAC can be configured with local users as well as with users from a central identity source (like Active Directory).

vRLI used to offer integration using vIDM and direct Active Directory till v4.3.
From v4.5 onwards, AD integration is deprecated. The option is still available, but only so that users can transition from AD to vIDM integration.





Once you have authentication configured, go to Administration -> Management -> Access Control.




Three sections are available here:



Users and Groups: Create/add users and groups in this section and map them to a predefined role.



Roles: Roles are collections of permissions and data sets that can be associated with users/groups. Roles provide a convenient way to package all the permissions required to perform a task. One user can be assigned multiple roles.
The section is divided into Administration and Analytics controls. Depending on what kind of view you want to expose to the user, choose the appropriate option.



Data Sets: A data set consists of a set of filters. Data sets are used to give users access to specific content by associating a data set with a role.




A constant ask is to have a selective Content Pack Dashboard view (hiding all dashboards other than the ones a user has been given access to). This is currently unavailable; if you have this requirement, please share your vote for the Feature Request on loginsight.vmware.com.





A quick example implementation of Role Based Access Control, as a demo:

I am currently logged in with an AD user account (puneeta) which is mapped to a Super Admin role, hence I have access to all the Dashboards and the Interactive Analytics page. Plus I can do all editing as well.





Note how I can see all the events from various hostnames with a Super Admin privileged account.

Next I create a new role (NSX Dashboard Access). The role has the "View only" privilege, limited to "Dashboards" only. Next I mapped it to a local user account (test).
Also, the "NSX Dashboard Access" role has a mapped Data set which filters NSX hostnames only.



  
Now once I log in with the test user, what I see is only the Dashboard tab, and events populated with NSX hostnames only, for the same view as above.




The rest of the dashboards still show up in the UI, but a dashboard will not have any data unless it is linked to the Data set query.
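The demo above can be modelled in a few lines to check what each account should see before the roles are handed out. This is an added example, not vRLI code or its API: the class and field names, the "hostname starts with" filter form, the sample events, and the rule that a role without a data set is unrestricted and that multiple roles combine as a union are all assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DataSet:
    name: str
    hostname_prefixes: tuple  # assumed filter form: "hostname starts with"

    def matches(self, event):
        return event["hostname"].lower().startswith(self.hostname_prefixes)

@dataclass
class Role:
    name: str
    tabs: dict  # tab name -> "view" or "edit" (labels used by this model only)
    data_sets: list = field(default_factory=list)  # empty = unrestricted (assumption)

# Constructed model of the accounts and roles used in the demo above.
NSX_HOSTS = DataSet("NSX hosts", ("nsx",))
ROLES = {
    "Super Admin": Role("Super Admin",
                        {"Dashboards": "edit", "Interactive Analytics": "edit"}),
    "NSX Dashboard Access": Role("NSX Dashboard Access",
                                 {"Dashboards": "view"}, [NSX_HOSTS]),
}
USERS = {"puneeta": ["Super Admin"], "test": ["NSX Dashboard Access"]}
EVENTS = [  # constructed sample events
    {"hostname": "nsx-mgr-01", "text": "firewall rule updated"},
    {"hostname": "esxi-01", "text": "vmkernel warning"},
    {"hostname": "vcenter-01", "text": "user login"},
    {"hostname": "nsx-edge-02", "text": "edge HA state change"},
]

def visible_tabs(user):
    """Highest privilege per UI tab across all roles mapped to the user."""
    rank, tabs = {"view": 0, "edit": 1}, {}
    for role_name in USERS[user]:
        for tab, level in ROLES[role_name].tabs.items():
            if tab not in tabs or rank[level] > rank[tabs[tab]]:
                tabs[tab] = level
    return tabs

def visible_events(user, events):
    """Events the user can see: everything if any role has no data set."""
    roles = [ROLES[name] for name in USERS[user]]
    if any(not role.data_sets for role in roles):
        return list(events)
    data_sets = [ds for role in roles for ds in role.data_sets]
    return [e for e in events if any(ds.matches(e) for ds in data_sets)]

def unrestricted_users():
    """Least-privilege review: users holding a role with no data set attached."""
    return sorted(u for u, names in USERS.items()
                  if any(not ROLES[n].data_sets for n in names))
```

`unrestricted_users()` is the review step: any account it returns sees every event, so it should be limited to accounts that are meant to have that scope.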


