Learn about the functionality differences between Tanzu Observability original subscriptions and VMware Cloud services subscriptions.

VMware Tanzu Observability (formerly known as VMware Aria Operations for Applications) subscriptions are of two types: original subscriptions and VMware Cloud Services subscriptions.

Examples of the Functionality Differences

Users, Roles, and Group Management

Most of the user and account management tasks that are done in the Tanzu Observability UI for original subscriptions are done in VMware Cloud services for VMware Cloud services subscriptions. For example, the following tasks related to managing users, roles, and groups can be done from the VMware Cloud Services Console:

  • Invite new users
  • Assign permissions
  • Create and edit roles
  • Create and edit groups
  • Assign roles to users and groups

Admin Tasks

Some administrative tasks, done by Super Admins and users with the Accounts permission in original subscriptions, are done by VMware Cloud Organization Owners and VMware Cloud Organization Administrators in VMware Cloud services subscriptions. Others can be done by Tanzu Observability Admins in the Tanzu Observability UI.

With the 2023-38 release, we introduce the Admin permission and service role, which partially correspond to the Accounts permission for original subscriptions. Users with the Admin service role can manage service accounts and Tanzu Observability API tokens. They can also restrict access to new dashboards and alerts and set the organization settings. For example, they can restrict access to the object creator only, set default settings such as display settings, PromQL support, and the default way of building queries, and define Logs settings.

Task: Upgrade from trial
  Original subscription
    • Who: Tanzu Observability Super Admin
    • Where: From the Tanzu Observability UI
  VMware Cloud services subscription
    • Who: Users with the Tanzu Observability Super Admin service role
    • Where: From the Tanzu Observability UI

Task: Purchase more PPS
  Original subscription
    • Who: Tanzu Observability Super Admin
    • Where: From the Tanzu Observability UI
  VMware Cloud services subscription
    • Who: Users with the Tanzu Observability Super Admin service role
    • Where: From the Tanzu Observability UI

Task: Invite new Super Admins
  Original subscription
    • Who: Tanzu Observability Super Admin
    • Where: In the Tanzu Observability UI
  VMware Cloud services subscription
    • Who: VMware Cloud Organization Owner or Organization Administrator
    • Where: In the VMware Cloud Services Console

Task: Create and manage service accounts and their Tanzu Observability API tokens
  Original subscription
    • Who: Tanzu Observability users with the Accounts permission
    • Where: In the Tanzu Observability UI
  VMware Cloud services subscription
    • Who: Users with the Tanzu Observability Admin service role
    • Where: In the Tanzu Observability UI

Task: Restore orphan dashboards and alerts
  Original subscription
    • Who: Tanzu Observability Super Admin
    • Where: In the Tanzu Observability UI
  VMware Cloud services subscription
    • Who: Users with the Tanzu Observability Super Admin service role
    • Where: In the Tanzu Observability UI

Task: Restrict access to new dashboards and alerts
  Original subscription
    • Who: Tanzu Observability users with the Accounts permission
    • Where: In the Tanzu Observability UI
  VMware Cloud services subscription
    • Who: Users with the Tanzu Observability Admin service role
    • Where: In the Tanzu Observability UI

Task: Set the service organization settings
  Original subscription
    • Who: Tanzu Observability users with the Accounts permission
    • Where: In the Tanzu Observability UI
  VMware Cloud services subscription
    • Who: Users with the Tanzu Observability Admin service role
    • Where: In the Tanzu Observability UI

REST API Access

For original subscriptions, using the Tanzu Observability REST API requires an API token associated with a user account or a service account. To generate API tokens for your user account you need the API Tokens permission. To generate API tokens for service accounts and to manage the API tokens in your Tanzu Observability organization, you need the Accounts permission.

When your service is onboarded to VMware Cloud services and you want to access the Tanzu Observability REST API, you need a VMware Cloud services access token. In a few cases, when setting up a limited list of integrations, authentication with a Tanzu Observability API token is also supported. However, using a VMware Cloud services access token is the recommended way as we will deprecate the service accounts in the future. To obtain an access token, you can:

  • Generate a VMware Cloud services API token associated with your user account and exchange it for an access token.

  • Create a server to server app (which is the equivalent of a service account), obtain its OAuth credentials (app ID and app secret), and exchange them for an access token.


In-Depth Explanation of the Functionality Differences

Each functionality below is described first for original subscriptions and then for VMware Cloud services subscriptions.

User Login

Original subscription

Users log in to their Tanzu Observability service instance by using the URL of the service cluster, https://<your_instance>.wavefront.com, and their Tanzu Observability accounts. If their corporate domain is configured for SAML SSO with Tanzu Observability, users log in with their corporate accounts.

VMware Cloud services subscription

Users log in to their Tanzu Observability service instance through the VMware Cloud Services Console with their VMware Cloud services accounts. If their corporate domain is federated with VMware Cloud services, users log in with their corporate accounts. For details, see Log In from the VMware Cloud Services Console.

User Accounts Management

Original subscription

Who: Users with the Accounts permission.

Where: In the Tanzu Observability user interface.

How: You can invite new users with or without assigning roles and permissions. For details, see Manage User Accounts.

VMware Cloud services subscription

Who: Users with the VMware Cloud Organization Owner or Organization Administrator role.

Where: In the VMware Cloud Services Console.

How: To add a user to your Tanzu Observability service instance, you must assign that user:

  1. An organization role for the VMware Cloud organization running the service instance. At a minimum, you must assign the VMware Cloud Organization Member role.
  2. A Tanzu Observability service role for your service instance. At a minimum, you must assign the Viewer service role.
  3. Optionally, a custom role with one or more Tanzu Observability permissions. A custom role applies to all service instances for which the user has a Tanzu Observability service role.
For details, see Manage User Accounts.

Service Accounts and Server to Server OAuth Apps Management

Original subscription

Note: Only service accounts are supported.

Who: Users with the Accounts permission.

Where: In the Tanzu Observability user interface.

How: Service accounts authenticate with API tokens. Service accounts can be assigned roles and permissions, and can be added to groups. For details, see Manage Service Accounts.

VMware Cloud services subscription

Note: Server to server OAuth apps are recommended and fully supported. Service accounts have limited support and will be deprecated in the future.

Who:

  • For server to server OAuth apps, users with the VMware Cloud Organization Owner, Organization Administrator, or Organization Member with the Developer role assigned.
  • For service accounts, users with the Admin Tanzu Observability service role.

Where:

  • For server to server OAuth apps, in the VMware Cloud Services Console.
  • For service accounts, in the Tanzu Observability user interface.

How:

  • Server to server OAuth apps authenticate with VMware Cloud services access tokens that are obtained in exchange for their OAuth credentials. Server to server OAuth apps can be assigned organization roles, service roles, and custom roles, and can belong to one or more VMware Cloud organizations. For details, see Manage Server to Server Apps.
  • Service accounts authenticate with Tanzu Observability API tokens. Service accounts can be assigned permissions only, and cannot be added to groups. For details, see Manage Service Accounts.

Permissions Management

Original subscription

Who: Users with the Accounts permission.

Where: In the Tanzu Observability user interface.

How: Permissions can be assigned to roles as well as to individual user accounts and service accounts.

See:

Note: The permissions list includes the Accounts, SAML IdP Admin, and API token permissions, because they are required for all of the authorization and authentication tasks that are done in Tanzu Observability.

In addition, the Accounts permission grants privileges for managing the Tanzu Observability organization settings.

See the Permissions Reference.

VMware Cloud services subscription

Who:
  • For assigning permissions to roles, users with the VMware Cloud Organization Owner or Organization Administrator role.
  • For assigning permissions to service accounts, users with the Admin Tanzu Observability service role.

Where:

  • For assigning permissions to roles, in the VMware Cloud Services Console.
  • For assigning permissions to service accounts, in the Tanzu Observability user interface.

How: Permissions can be assigned only to roles (in the VMware Cloud services organization) and to service accounts (in the Tanzu Observability environment).

See:

Note: The Accounts, SAML IdP Admin, and API token permissions don't exist, because most of the authorization and authentication tasks requiring these permissions are done in the VMware Cloud Services Console.

The Admin Tanzu Observability permission grants privileges for managing service accounts, Tanzu Observability API tokens, and the Tanzu Observability organization settings.

See the Tanzu Observability Permissions in VMware Cloud Services.

Roles Management

Original subscription

Who: Users with the Accounts permission.

Where: In the Tanzu Observability user interface.

How: Roles can be assigned permissions. Roles can be assigned to user accounts, service accounts, and groups. For details, see Manage Roles and Permissions.

VMware Cloud services subscription

Who: Users with the VMware Cloud Organization Owner or Organization Administrator role.

Where: In the VMware Cloud Services Console.

How: Roles can be assigned permissions. Roles can be assigned to users, groups, API tokens, and server to server apps. There are:

  • Built-in Tanzu Observability service roles, which are not editable. Each Tanzu Observability permission is represented with a service role. In addition, the Super Admin and Viewer service roles grant full-administrative and view-only access, respectively.
  • Custom roles can be created and assigned with permissions for one or more services.
For details, see Manage Roles.

Groups Management

Original subscription

Who: Users with the Accounts permission.

Where: In the Tanzu Observability user interface.

How: A group of user and service accounts can be assigned one or more roles. For details, see Create a Group.

VMware Cloud services subscription

Who: Users with the VMware Cloud Organization Owner or Organization Administrator role.

Where: In the VMware Cloud Services Console.

How: A group of users can be assigned organization and service roles. A group can be shared with other VMware Cloud organizations. In a federated environment, you can add enterprise groups from your corporate domain. For details, see How do I work with groups in the VMware Cloud services documentation.

Self-Service SAML SSO

Original subscription

Who: Users with the SAML IdP Admin permission.

Where: In the Tanzu Observability user interface.

How: Tanzu Observability includes predefined authentication integrations. For details, see Single-Tenant Authentication and Self-Service SAML SSO.

VMware Cloud services subscription

Who: A user with the VMware Cloud Organization Owner role together with an Enterprise Administrator.

Where: In the VMware Cloud Services Console.

How: The VMware Cloud Organization Owner user kicks off the self-service federation workflow on behalf of the VMware Cloud organization and invites the Enterprise Administrator to complete the setup. For details, see Setting Up Enterprise Federation with VMware Cloud Services Console in the VMware Cloud services documentation.

Generating API Tokens

Original subscription

Note: Only Tanzu Observability API tokens are supported.

Who:

  • For API tokens associated with a user account, the corresponding user, who must have the API Tokens permission.
  • For API tokens associated with service accounts, the users with the Accounts permission.

Where: In the Tanzu Observability user interface.

How:

  • A user with the API Tokens permission can generate Tanzu Observability API tokens for their own user account. Each API token inherits all permissions of its associated user account.
  • Users with the Accounts permission can generate Tanzu Observability API tokens for service accounts. The API tokens inherit the permissions of their associated service account.
For details, see Manage API Tokens.

VMware Cloud services subscription

Note: It is recommended to use VMware Cloud services API tokens and server to server OAuth app credentials for obtaining VMware Cloud services access tokens. Tanzu Observability API tokens have limited support and will be deprecated in a future release.

Who:

  • For VMware Cloud services API tokens associated with a user account, the corresponding user.
  • For Tanzu Observability API tokens associated with service accounts, the users with the Admin Tanzu Observability service role.

Where:

  • For VMware Cloud services API tokens associated with a user account, in the VMware Cloud Services Console.
  • For Tanzu Observability API tokens associated with service accounts, in the Tanzu Observability user interface.

How:

  • Each user can generate VMware Cloud services API tokens for their user account. An API token can be assigned roles from the list of roles that the user owns: organization roles, service roles, and custom roles. For details and instructions, see How do I generate API tokens in the VMware Cloud services documentation.
  • Users with the Admin service role can generate Tanzu Observability API tokens for service accounts. The API tokens inherit the permissions of their associated service account. For details, see Manage Service Accounts.

API Tokens Management

Original subscription

Who:
  • For API tokens associated with a user account, the corresponding user.
  • For all API tokens in the Tanzu Observability service instance, the users with the Accounts permission.

Where: In the Tanzu Observability user interface.

How:

VMware Cloud services subscription

Who:
  • For VMware Cloud services API tokens associated with a user account, the corresponding user.
  • For all VMware Cloud services API tokens in the VMware Cloud organization, the users with the VMware Cloud Organization Owner role if the organization is activated for Identity Governance and Administration (IGA).
  • For all Tanzu Observability API tokens (limited support), the users with the Admin Tanzu Observability service role.

Where:

  • For VMware Cloud services API tokens, in the Cloud Services Console.
  • For Tanzu Observability API tokens (limited support), in the Tanzu Observability user interface.

How:

Tanzu Observability REST API Access

Original subscription

Who: Everyone who has a Tanzu Observability API token associated with a user account or a service account.

Where: An API client.

How: Interacting with the Tanzu Observability REST API requires a Tanzu Observability API token.

VMware Cloud services subscription

Who: Everyone who has a VMware Cloud services API token or the credentials of a server to server OAuth app.

Where: An API client.

How: Interacting with the Tanzu Observability REST API requires a VMware Cloud services access token.

  • To interact with the REST API on behalf of your user account, you must exchange your VMware Cloud services API token for an access token. For details, see Make API Calls by Using a User Account.
  • To interact with the REST API on behalf of your VMware Cloud organization, you must exchange the OAuth credentials of a server to server app for an access token. For details, see Make API Calls by Using a Server to Server App.
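
The two exchanges described here and in the REST API Access section earlier on this page, as an added Python example (not VMware's code and not part of the original page). The console host, the two auth paths, the `api_token` form field, the response field names, and all function names are assumptions to confirm against the VMware Cloud services documentation.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumptions (not from this page): console host, auth paths and form fields.
CSP_BASE = "https://console.cloud.vmware.com"
USER_TOKEN_PATH = "/csp/gateway/am/api/auth/api-tokens/authorize"
APP_TOKEN_PATH = "/csp/gateway/am/api/auth/authorize"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def user_token_request(api_token):
    """Exchange request for a user account: API token -> access token."""
    body = urllib.parse.urlencode({"api_token": api_token}).encode()
    return urllib.request.Request(CSP_BASE + USER_TOKEN_PATH, data=body,
                                  headers=FORM, method="POST")


def app_token_request(app_id, app_secret):
    """Exchange request for a server to server app: OAuth client credentials."""
    basic = base64.b64encode(f"{app_id}:{app_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    headers = dict(FORM, Authorization="Basic " + basic)
    return urllib.request.Request(CSP_BASE + APP_TOKEN_PATH, data=body,
                                  headers=headers, method="POST")


class AccessToken:
    """Short-lived bearer token; tracks expiry and stays out of logs."""

    def __init__(self, payload, now=None):
        self.value = payload["access_token"]
        issued = time.time() if now is None else now
        self.expires_at = issued + int(payload["expires_in"])

    def expired(self, now=None, skew=60):
        """True once the token is within `skew` seconds of its expiry."""
        current = time.time() if now is None else now
        return current >= self.expires_at - skew

    def __repr__(self):
        # Deliberately omits the token value so it cannot leak via logging.
        return f"<AccessToken expires_at={int(self.expires_at)}>"


def exchange(request, opener=urllib.request.urlopen, now=None):
    """Send an exchange request and wrap the JSON response."""
    with opener(request, timeout=10) as resp:
        return AccessToken(json.load(resp), now=now)


def api_request(instance_url, path, token):
    """Tanzu Observability REST API request carrying the access token."""
    if token.expired():
        raise ValueError("access token expired; repeat the exchange")
    return urllib.request.Request(instance_url.rstrip("/") + path,
                                  headers={"Authorization": "Bearer " + token.value})
```

Only the long-lived credential (API token or app secret) needs secret storage; the access token is held in memory and re-obtained when `expired()` returns true.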

Tanzu Observability Organization Settings

Original subscription

Who: Users with the Accounts permission.

Where: In the Tanzu Observability user interface.

How: As a user with the Accounts permission, you can configure:

VMware Cloud services subscription

Who: Users with the Admin Tanzu Observability service role.

Where: In the Tanzu Observability user interface.

How: As a user with the Admin service role, you can configure:

Wavefront Proxy Installation

Original subscription

Note: The Wavefront proxy authenticates with a Tanzu Observability API token.

Who: Users with the Proxies permission.

Where: In the Tanzu Observability user interface.

How: As a user with the Proxies permission, you must configure the proxy to authenticate to Tanzu Observability with a Tanzu Observability API token that has the Proxies permission. For details, see Install a Proxy from the UI.

VMware Cloud services subscription

Note: The Wavefront proxy authenticates with a VMware Cloud services access token obtained from server to server OAuth app credentials or from a VMware Cloud services API token. Proxy authentication with a Tanzu Observability API token is still possible and supported only for a limited list of integrations.

Who:

  • For proxy installation, users with the Proxies Tanzu Observability service role.
  • For creating server to server OAuth apps, users with the VMware Cloud Organization Owner, Organization Administrator, or Organization Member with Developer roles.
  • For generating a Tanzu Observability API token of a service account, users with the Admin Tanzu Observability service role.

Where:

  • For generating a VMware Cloud services API token or creating a server to server OAuth app, in the VMware Cloud Services Console.
  • For proxy installation and generating a Tanzu Observability API token for a service account, in the Tanzu Observability user interface.

How: As a user with the Proxies service role, you configure the proxy to authenticate to Tanzu Observability. The proxy obtains a VMware Cloud services access token with the Proxies service role or uses a Tanzu Observability API token of a service account with the Proxies permission. To obtain a VMware Cloud services access token:

  • The proxy can use the credentials of a server to server OAuth app (ID and secret), together with the VMware Cloud organization long ID.
  • The proxy can use the VMware Cloud services API token of an active user account.
In both cases, the access token is directly issued to the proxy. For details, see Proxy Authentication Types.

Integrations Installation

Original subscription

Note: All integrations that use a Wavefront proxy authenticate with a Tanzu Observability API token.

Who: Users or service accounts with the Proxies permission who have an active Tanzu Observability API token.

Where: In the Tanzu Observability user interface.

How: Follow the instructions on the Setup tab of the integration that you want to install.

VMware Cloud services subscription

Note: Most of the integrations that use a Wavefront proxy authenticate with a VMware Cloud services access token. A limited list of integrations still use proxy authentication with a Tanzu Observability API token.

Who: Users with the Proxies Tanzu Observability service role who must have one of the following:

  • A valid VMware Cloud services API token with the Proxies service role assigned.
  • The credentials of a server to server OAuth app with the Proxies service role assigned.
  • A Tanzu Observability API token associated with a service account that has the Proxies permission.

Where: In the Tanzu Observability user interface.

How: Follow the instructions on the Setup tab of the integration that you want to install.

Metrics Security Policy Management

Original subscription

Who: Users with the Metrics permission.

Where: In the Tanzu Observability user interface.

How: Privileged users can block or allow access to metrics for:

For details, see Metrics Security Policy Rules.

VMware Cloud services subscription

Who: Users with the Metrics Tanzu Observability service role.

Where: In the Tanzu Observability user interface.

How: Privileged users can block or allow access to metrics for:

For details, see Metrics Security Policy Rules.