Mapping multiple users for managing vCenters


As an RBAC administrator in TrueSight Server Automation, you can map multiple vCenter users by creating Automation Principals (AP) for each vCenter user and assigning the Automation Principals to a specific TrueSight Server Automation role. The Automation Principal holds the vCenter user’s credentials (username and password) for accessing the vCenter. The vCenter user's permissions and access to vCenter operations are controlled by the TrueSight Server Automation role they are assigned to.

When the TrueSight Server Automation user performs operations in the vCenter, the assigned role and the Automation Principal mapped for the requested vCenter are validated. TrueSight Server Automation uses the credentials stored in the mapped Automation Principal, and the vCenter user's actions are determined by the permissions defined by their role.

By using this feature, you can manage user access in vCenter flexibly and securely, making sure that vCenter users are able to perform operations defined by their assigned roles.


Scenario

Assume that user1 and user2 are created in the vCenter server, and you need to map these vCenter users in TrueSight Server Automation to connect to vCenter1 and perform their respective vCenter operations. To do this, you create an Automation Principal for user1, which has full administrative rights in the vCenter. You then create another Automation Principal for user2, which has snapshot-related permission in the vCenter.

Now, from Roles, you can select the required TrueSight Server Automation role (for example, BLAdmins or VMSnapshotAdmins) and use the Virtualization Manager Mappings tab to select the required vCenter and map the corresponding automation principal to that vCenter.

Hence, you can map multiple vCenter users with different TrueSight Server Automation roles to the same vCenter, with each user having access only to the actions allowed by their respective roles. The TrueSight Server Automation users can perform their tasks on the vCenter using the credentials stored in the mapped Automation Principal as shown in the following image:

image-2024-12-10_12-59-49.png


To map multiple vCenter users with TrueSight Server Automation roles

  1. Log in to TrueSight Server Automation as RBACAdmin.
  2. Create automation principals for the vCenter users as required, for example, AP_Admin and AP_snapshot. For more information, see Creating-automation-principals.

    Important

    Only the vCenter user's username and password need to be specified while creating the automation principal; the vCenter SDK URL is generated automatically.

  3. Create the role for the vCenter user, if it does not already exist. For more information, see Creating-roles.
  4. Create users for the roles. For more information, see Creating-users.
  5. Enroll the required vCenter in TrueSight Server Automation. If already enrolled, provide the required permissions for the roles. For more information, see Adding-and-configuring-a-vCenter-AMO.

    Important

    Your user role must have the appropriate RBAC permissions to use automation principals, roles, and vCenter. Otherwise, the requested vCenter operation would not be performed.

  6. Navigate to Roles and select the required TrueSight Server Automation role. For example, BLAdmins.
  7. Select the Virtualization Manager Mappings tab. 
  8. Clear the checkbox Show Mapped vCenters to view all the available vCenters. Selecting the Show Mapped vCenters checkbox lists only the vCenter servers that have associated automation principals mapped for the specified role.
  9. Select the required vCenter from the dropdown list. For example, VC_1.
  10. From the available automation principals, select the required automation principal and click image-2024-12-5_10-41-52.png to map that automation principal to the vCenter. For example, map AP_Admin.

    image-2024-12-5_10-39-12.png

    Important

    • You can map only one automation principal for one vCenter server. 
    • You can map multiple vCenter servers for one role. To configure multiple vCenters, select the required server from the dropdown list and assign the appropriate automation principal.
    • If you select a vCenter and if the related connection details are configured in the Property Set Instance, then the following notification appears:

      Important: The Property Set Instance (PSI) for vCenter server '<vCenter name>' contains configured username and/or password.
      If you intend to use Automation Principal to manage vCenter credentials, consider removing these credentials from the PSI to prevent unintended access.

  11. Save the changes.

  12. Repeat steps 6 to 11 for another TrueSight Server Automation role, for example VMSnapshotAdmins: select VC_1 and map AP_snapshot.


Hence, the vCenter users associated with the Automation Principals AP_Admin and AP_snapshot now have access to VC_1 and can perform their respective operations in VC_1 based on their roles.
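
The mapping rules in this procedure can be reviewed offline before a change is saved. The following Python example is added here and is not BMC code or a TrueSight Server Automation API; the data structures, function names, and sample data are hypothetical and constructed from the scenario on this page. It enforces one automation principal per vCenter within a role, resolves which principal applies for a given role, and reports vCenters whose Property Set Instance still stores credentials alongside a mapping.

```python
# Added example: hypothetical model, not a TrueSight Server Automation API.
# Constructed sample data mirroring the scenario on this page.
ROLE_MAPPINGS = [
    ("BLAdmins", "VC_1", "AP_Admin"),
    ("VMSnapshotAdmins", "VC_1", "AP_snapshot"),
]
# Constructed: vCenters whose Property Set Instance still stores credentials.
PSI_WITH_CREDENTIALS = {"VC_1"}


def build_mapping_table(mappings):
    """Index by (role, vCenter); a role may hold only one AP per vCenter."""
    table = {}
    for role, vcenter, principal in mappings:
        key = (role, vcenter)
        if table.get(key, principal) != principal:
            raise ValueError(f"{role} already maps {table[key]} to {vcenter}")
        table[key] = principal
    return table


def resolve_principal(table, user_roles, active_role, vcenter):
    """Return the AP whose credentials apply, or None when the user does not
    hold the role or the role has no AP mapped for that vCenter."""
    if active_role not in user_roles:
        return None
    return table.get((active_role, vcenter))


def audit_psi_overlap(table, psi_with_credentials):
    """Report vCenters that have AP mappings while the PSI still stores
    credentials (the condition behind the notification in step 10)."""
    roles_by_vcenter = {}
    for (role, vcenter), principal in table.items():
        roles_by_vcenter.setdefault(vcenter, []).append(f"{role}->{principal}")
    return {
        vcenter: sorted(entries)
        for vcenter, entries in roles_by_vcenter.items()
        if vcenter in psi_with_credentials
    }


if __name__ == "__main__":
    table = build_mapping_table(ROLE_MAPPINGS)
    print(resolve_principal(table, {"VMSnapshotAdmins"}, "VMSnapshotAdmins", "VC_1"))
    print(audit_psi_overlap(table, PSI_WITH_CREDENTIALS))
```
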


Where to go from here

To distribute the vCenter configuration object on the vCenter server, see "To distribute the vCenter configuration object on the vCenter server".

 
