Skip navigation
2015

Tomas Baublys's Blog

December 2015 Previous month Next month

In short: we will create a new Role to view dashboards, assign this role to the new db-group and create a db-user. The goal is to create a user who is able to log in and see only assigned dashboards (privilege) which would display only display the part of the environment this user is entitled to see (access permissions).

We will also need to remove and hide  three default dashboards from being assigned to each new user.

1. Creating a role, a group and a local user

In order to create a role, go to Administration -> Access Control -> Roles and hit the + icon:

creating-a-role--a-group-and-a-local-user.png

1.1 Create a new db-viewer role

create-a-new-db-viewer-role.png

1.2 Edit the role:

Once you saved the new role, select it and press the pencil "Permissions"

edit-the-role--.png

1.3 Assign permission to login to the db-viewer role:

Administration -> Login Interactively

assign-permission-to-login-to-the-db-viewer-role--.png

1.4 Assign permission to "View Dashboard Homepage" to the db-viewer role:

assign-permission-to--view-dashboard-homepage--to-the-db-viewer-role--.png

2. Create a new db-group (user group)

Go to Administration -> Access Control -> User groups create a group called db-group

Assing the role of db-viewer to this group and select applicable objects (in my case a vcenter vcInf-01) . You will be able to select objects only after you checked "Assign this role to the group" box.

create-a-new-db-viewer-role.png

2.1 Create db-user01

Go to Administration -> Access Control -> User Accounts

create-db-user01-.png

2.2 Add  db-user01 to db-group

add--db-user01-to-db-group.png

3. Unshare all dashboards shared to "Everyone"

We want to get rid of the dashboard which are shared to "Everyone" by default. Just log in as admin, go to Content -> Dashboards

unshare-all-dashboards-shared-to--everyone-.png

3.1 Select and un-share

Select all the shared dashboards (Click + Shift will allow to select multiple). In the example below I have 50 dashboards shared to "Everyone" and I will un-share all of them in order to share a specific dashboard later on. You may need to go through multiple pages (as sorting is not implemented in this dialog) and select the shared dashboards on the subsequent pages. Don't forget to press "Save" button!

select-and-un-share.png

3.3 Result of un-sharing

In the result the sharing view should display 0 for everyone.

result-of-un-sharing.png

3.4 Assign a test dashboard to db-group

Go to Content -> Dashboards and drag and drop the dashboard on the db-group. Save!

assign-a-test-dashboard-to-db-group.png

5. Log in as db-user01

And surprisingly you will not only see the assigned dashboard but also the three default dashboards (Recommendations, Diagnose and Self Health)

Beside of that annoyance, assigning the dashboard and limiting user rights and permissions works as expected. We will get rid of the default dashboards in the next steps.

log-in-as-db-user01.png

6. Remove default dashboards (Recommendations, Diagnose and Self Health) for the group

There is a KB Article explaining in detail how to get rid of the three default dashboards. Basically it involves two steps : prevent those dashboards to be copied to any new users (on first log in) and remove or hide the dashboards from existing users. Both steps have to be done on command line, so you have to log in to your vR Ops through console or SSH (ssh has to be enabled first).

http://kb.vmware.com/kb/2133879

6.1 Preventing dashboards to be copied for new users

vrops01-prod:~ # mv /usr/lib/vmware-vcops/tomcat-web-app/webapps/vcops-web-ent/dashboards/ootb/All.json /root/All.json.$(date +%F)

This will move All.json default dashboards to /root and prevent the copying of it for each new user log in.

6.2 Hiding dashboards from existing groups / users

1) Change to the opscli directory

 cd /usr/lib/vmware-vcops/tools/opscli/

2) Run a command:

vrops01-prod:/usr/lib/vmware-vcops/tools/opscli # ./ops-cli.sh dashboard hide group:db-group all
Starting vRealize Operations CLI 2015-12-11 12:28:36,128 Starting command Command: dashboard:hide 2015-12-11 12:28:36,147 Connecting to server 2015-12-11 12:28:40,008 Try to login with maintenanceAdmin SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". SLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. 2015-12-11 12:28:40,074 Successfully logged in. 2015-12-11 12:28:40,075 Successfully connected to server 2015-12-11 12:28:40,132 Successfully hiden dashboard all for user [db-group]. The configuration transformation will be scheduled in background. 2015-12-11 12:28:40,132 Triggered Command: dashboard:hide

7. Finally: user db-user01  sees the assigned dashboard only!

Log out and log in again as db-user01 and enjoy! You should only see the dashboard assigned and nothing else...

finally--user-db-user01--sees-the-assigned-dashboard-only-.png