Manage Tanzu Observability permissions with roles.

VMware Cloud services supports roles to manage authorization in your services on the platform, including Tanzu Observability.

From the VMware Cloud Services Console, users with the VMware Cloud Organization Owner or Organization Administrator role can:

  • Create groups and add new and existing users to each group.
  • Create custom roles and assign Tanzu Observability permissions to each role.
  • Assign one or more service roles and custom roles to each group. It’s also possible to assign roles to individual users and server-to-server apps.

In addition to the roles model, Tanzu Observability also supports access control for individual objects. For example, users with the Super Admin service role can limit access to a sensitive dashboard.

Manage Roles

The roles model allows you to make sure nobody can perform tasks without the corresponding permission.

Assigning roles to groups of users is the most efficient and least error-prone approach. It’s possible to assign a role to an individual account, which might make sense during a POC.

VMware Cloud services includes built-in service roles for each service on the platform, including Tanzu Observability service roles. Additionally, VMware Cloud services supports custom roles.

  • A role can be assigned for a certain time period or without an expiration date.
  • At least one Tanzu Observability service role is required for a user to have access to the Tanzu Observability service instance. Custom roles are optional.
  • In a multi-tenant environment, a user can have different service roles for the different Tanzu Observability service instances (tenants). Custom roles apply to all tenants for which the user has a service role.
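
The rules in the list above can be turned into an access review check. The following is an added example, not part of the VMware documentation or any VMware API: it computes a user's effective permissions per tenant, showing that a custom role reaches every tenant where the user holds any service role, even Viewer. The data layout, the permission labels (assumed to match the service role names), and the expiry-day handling are assumptions.

```python
from datetime import date

# Single-permission service roles listed on this page. Assumption: each
# permission is labelled with the same name as its service role.
SINGLE_PERMISSION_ROLES = {
    "Admin", "Alerts", "Applications", "Batch Query Priority",
    "Charts Embedding", "Dashboards", "Derived Metrics",
    "Direct Data Ingestion", "Events", "External Links",
    "Ingestion Policies", "Integrations", "Logs", "Metrics",
    "Proxies", "Sources",
}

def is_active(grant, today):
    # Assumption: a grant is still valid on its expiration date itself.
    return grant["expires"] is None or grant["expires"] >= today

def effective_permissions(user, custom_roles, today):
    """Return {tenant: permissions} for every tenant the user can access."""
    per_tenant = {}
    for grant in user["service_roles"]:
        if not is_active(grant, today):
            continue  # an expired service role no longer grants access
        perms = per_tenant.setdefault(grant["tenant"], set())
        # Viewer carries no permissions; Super Admin is modelled with
        # Super Admin mode disabled, so neither adds anything here.
        if grant["role"] in SINGLE_PERMISSION_ROLES:
            perms.add(grant["role"])
    custom = set()
    for grant in user["custom_roles"]:
        if is_active(grant, today):
            custom |= custom_roles[grant["role"]]
    # Custom roles apply to every tenant where a service role is held.
    for perms in per_tenant.values():
        perms |= custom
    return per_tenant

# Constructed sample data (hypothetical export format, not a VMware API).
CUSTOM_ROLES = {"dash-and-alerts": {"Dashboards", "Alerts"}}
USER = {
    "service_roles": [
        {"tenant": "prod", "role": "Viewer", "expires": None},
        {"tenant": "dev", "role": "Proxies", "expires": None},
        {"tenant": "staging", "role": "Admin", "expires": date(2024, 1, 31)},
    ],
    "custom_roles": [{"role": "dash-and-alerts", "expires": None}],
}

if __name__ == "__main__":
    today = date(2024, 3, 1)
    for tenant, perms in effective_permissions(USER, CUSTOM_ROLES, today).items():
        print(tenant, sorted(perms))
```

In the sample, the Viewer-only user on `prod` still ends up with the Dashboards and Alerts permissions there through the custom role, while the expired `staging` grant removes that tenant entirely.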

The VMware Cloud Services Console Roles page lists all service roles and custom roles in your VMware Cloud organization. To navigate to this page:

  1. Log in to the VMware Cloud Services Console as an Organization Owner or Organization Administrator.
  2. If necessary, switch to the target organization. See How do I access another one of my Organizations.
  3. In the left navigation pane, select Identity & Access Management > Roles.

Tanzu Observability Service Roles (Built-in)

The VMware Cloud Services Console Roles page includes the following built-in Tanzu Observability service roles:

  • A corresponding Tanzu Observability service role for each Tanzu Observability permission, that is, each of the following service roles has only one permission assigned:

    • Admin
    • Alerts
    • Applications
    • Batch Query Priority
    • Charts Embedding
    • Dashboards
    • Derived Metrics
    • Direct Data Ingestion
    • Events
    • External Links
    • Ingestion Policies
    • Integrations
    • Logs
    • Metrics
    • Proxies
    • Sources
  • Two special Tanzu Observability service roles - one that grants full administrative access to the service, and another one that grants read-only access to the service:

    Service Role: Super Admin
    Description: When users with that service role enable Super Admin mode, they:

    Tip: Combine the Super Admin service role with the roles that you want the user to have when Super Admin mode is disabled.

    Service Role: Viewer
    Description: Users with that service role:
    • Don't have any Tanzu Observability permissions.
    • Can perform only the default tasks.

    Tip: Assign the Viewer service role individually or in combination with custom roles.

Create, Edit, or Delete a Custom Role

Custom roles let you combine service permissions of your choice, for example, Tanzu Observability permissions. A custom role can have permissions for one or multiple services in your organization. For example, you can have a custom role that grants administrative permissions for one service and read-only permissions for another service.

To create a custom role:

  1. On the VMware Cloud Services Console Roles page, click Add Role.
  2. On the Add permissions tab, in the left panel, expand VMware Tanzu Observability.
  3. In the panel on the right, select the permissions that you want to assign to the role, and click Continue.
  4. On the Role information tab, enter a meaningful role name and description, and click Continue.
  5. On the Review added permission tab, verify your selections and click Save.

To edit a custom role:

  1. On the VMware Cloud Services Console Roles page, click the name of the target custom role.
  2. Edit the role name, description, or permissions, and click Save.

To delete a custom role:

  1. On the VMware Cloud Services Console Roles page, select one or more custom roles and click Remove Roles.
  2. Click Remove to confirm.

Assign Default Roles for a Federated Domain

For a federated domain, users with the Organization Owner role can configure a policy with default VMware Cloud organization and service roles for all users in the federated domain. For details, see How do I assign default roles in my Organization in the VMware Cloud services documentation.

Manage User Groups

For efficient user management, you can create groups of users and assign roles to these groups. You can add new and existing users to a group. You can assign service roles and custom roles to a group.

See How do I work with groups in the VMware Cloud services documentation.

Grant or Revoke a User’s Role Explicitly

To change the roles that are individually assigned to a user, see How do I change user roles.