Learn the basics for administering your service on the VMware Cloud services platform.

Starting July 3, 2023, VMware Tanzu Observability (formerly known as VMware Aria Operations for Applications) is a service on the VMware Cloud services platform. From this date, we support two types of subscriptions: Tanzu Observability subscriptions onboarded to VMware Cloud services and original subscriptions.

Original subscriptions are the existing ones and they remain as is until onboarded to VMware Cloud services. We are in the process of incrementally onboarding all original subscriptions to VMware Cloud services. For information about original and VMware Cloud services subscriptions and the differences between them, see Differences Between Original and VMware Cloud Services Subscriptions.

VMware Cloud services provides features to your Tanzu Observability environment, such as:

  • Single sign-on (SSO) with VMware Cloud services accounts.
  • SAML 2.0 SSO identity federation with your enterprise identity provider.
  • Identity access management (IAM) with built-in and custom service roles.
  • Seamless integration with other services from your VMware Cloud services portfolio, for example, VMware Aria Operations for Logs.
  • Billing and subscriptions.

See the Advantages of VMware Cloud Services Subscriptions Over Original Subscriptions.

What’s VMware Cloud Services Console?

The VMware Cloud Services Console lets you manage your entire VMware Cloud services portfolio across hybrid and native public clouds. Tanzu Observability is one of the many services that you can access, configure, and consume through this console.

To open the VMware Cloud Services Console:

  • In a Web browser, go to https://console.cloud.vmware.com.
  • From the Tanzu Observability UI, click the VMware Cloud Services Applications Menu icon (applications icon) in the top-right corner and select Cloud Services Console.

See Using VMware Cloud Services Console in the VMware Cloud services documentation.

What’s a VMware Cloud Services Account?

A VMware Cloud services account is a user (human) account in VMware Cloud services with which you can access all of your service instances, including Tanzu Observability. A VMware Cloud services account logs in to VMware Cloud services with an email address and a password. A VMware Cloud services account can be one of the following:

  • A VMware account (VMware ID) that you create in the VMware Cloud Services Console.

    You can create a VMware account independently, while onboarding a service, or while signing up to a service with an invitation link.

  • Your corporate account if your enterprise domain is federated. You might still need to create a VMware account and link it to your corporate account if you need to access billing information in the organization. See What is enterprise federation and how does it work in the VMware Cloud services documentation.

What’s a VMware Cloud Organization?

VMware Cloud services uses organizations to provide controlled access to one or more services. The VMware Cloud organization is a top-level construct which owns users and cloud services (subscriptions).

  • You can have multiple VMware Cloud organizations.
  • Users can belong to multiple organizations.
  • Multiple service instances can run in the same or in different organizations.

For example, you can have a multi-tenant Tanzu Observability environment with multiple service instances (tenants) in the same organization.

See How do I manage my Cloud Services organizations in the VMware Cloud services documentation.

What’s a VMware Cloud Organization Role?

A VMware account can belong to one or more VMware Cloud organizations. A VMware account belongs to a given VMware Cloud organization if the account has an organization role for that organization. There are three VMware Cloud organization roles:

  • Organization Owner: The VMware Cloud Organization Owner role has full administrative access to all resources in the organization. They can invite users to the organization and assign role-based access to all users, including themselves. They can also kick off an enterprise domain federation and invite an Enterprise Administrator. See Setting Up Enterprise Federation with VMware Cloud Services Guide in the VMware Cloud services documentation.

    When you create an organization during a service onboarding process, you become its first Organization Owner.

  • Organization Administrator: The VMware Cloud Organization Administrator role has limited administrative access. Users with that role can invite and manage only users that have roles with lower administrative permissions. For example, they can grant or manage access for other users and groups who have the Organization Member role, but cannot manage users, groups, or resources who are assigned the Organization Owner or Organization Administrator role.

    Users with the Organization Administrator role can have additional access if other permissions are explicitly assigned to them. For example, when the Billing Read-only check box is selected, users with the Organization Administrator role can have read-only access to billing-related information and the option to generate usage consumption reports.

  • Organization Member: The VMware Cloud Organization Member role has read-only access to the resources in the organization.

    Users with the Organization Member role can have additional access when additional permissions are explicitly assigned to them. For example, when the Access Log Auditor check box is selected, they can access all audit data for the organization in the associated vRealize Log Insight Cloud service instance for their organization.

See What organization roles are available in VMware Cloud Services in the VMware Cloud services documentation.

What Are Service Roles and Custom Roles?

VMware Cloud services includes service-specific built-in roles, including Tanzu Observability service roles. A service role is required to grant certain access to the corresponding service instance in the organization.

While the service roles are built-in and not editable, as a VMware Cloud Organization Administrator or Organization Owner, you can create custom roles with service permissions of your choice, including Operations for Application permissions. Custom roles are optional and apply to all service instances for which the target user or server to server app has at least one service role.

What’s a Server to Server App?

If you want to use an application for automating management tasks in your service, for example, in Tanzu Observability, your application requires direct access to your service, without user authorization.

For that purpose, VMware Cloud services supports server to server apps, which are based on OAuth 2.0 client credentials grant type. You can configure your application to pass the OAuth 2.0 client credentials (id and secret) to the VMware Cloud services REST API and exchange the credentials for a VMware Cloud services access token. Your application can use the VMware Cloud services access token to interact with the Tanzu Observability REST API.

See How to use OAuth 2.0 for server to server apps in the VMware Cloud services documentation.
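
The credential exchange described above, sketched as an added example (not code from VMware or from this documentation). It builds the client credentials request with the id and secret in the Basic header, caches the access token, and renews it shortly before expiry. The token endpoint path, the CSP_CLIENT_ID and CSP_CLIENT_SECRET environment variable names, and the example.invalid service URL are assumptions to replace with the values from your own organization.

```python
import base64, json, os, time, urllib.parse, urllib.request

# Assumption: token endpoint path of the VMware Cloud services REST API; confirm it in the VMware Cloud services documentation.
TOKEN_URL = "https://console.cloud.vmware.com/csp/gateway/am/api/auth/authorize"

def build_token_request(client_id, client_secret):
    """Client credentials grant: id and secret travel in the Basic header, never in the URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})

def send(request):
    """Default transport: send the request over HTTPS and parse the JSON reply."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)

class TokenSource:
    """Caches the access token and renews it `skew` seconds before it expires."""
    def __init__(self, client_id, client_secret, transport=send, clock=time.time, skew=60):
        self._creds = (client_id, client_secret)
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._transport(build_token_request(*self._creds))
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"])
        return self._token

    def authorize(self, request):
        """Attach the current access token as a bearer token to a service API request."""
        request.add_header("Authorization", f"Bearer {self.token()}")
        return request

if __name__ == "__main__":
    # Hypothetical variable names: the secret comes from the environment, not from source control.
    source = TokenSource(os.environ["CSP_CLIENT_ID"], os.environ["CSP_CLIENT_SECRET"])
    # Placeholder URL: substitute your service instance and API endpoint.
    req = source.authorize(urllib.request.Request("https://example.invalid/api/placeholder"))
    print(req.get_method(), req.full_url)  # the token itself is never printed or logged
```

Because a server to server app authenticates without a user, the client secret is the only protection for its roles: grant the app the minimum service roles it needs and rotate the secret if it is ever exposed.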