Configuring vRealize Operations (vROps) for Application Teams

I have heard many customers ask the question “Can vRealize Operations be configured to provide our application teams access so that they can see dashboards/metrics for only the objects they are responsible for?”. Of course the answer is “YES”; however, there is not a lot of out-of-the-box workflows to accomplish this and the process is a bit involved. I recently helped a customer configure this type of access for their Microsoft Exchange team and figured since I did all the legwork I might as well document it here in a blog to hopefully make it easier for others. This configuration was completed in vRealize Operations v7.0 and everything outlined should persist through version upgrades.

Custom Groups

We will be leveraging Custom Groups within vRealize Operations (vROps) to group our objects (VMs, Clusters, Datacenters, Datastores, etc…) for a specific Application team. Custom Groups are extremely powerful because you can assign policies to them. For example, you may create a Custom Group for all your Dev/Test workloads and define the policy to exclude all Alerts. Custom Groups also have the ability to be dynamic in nature… so if you create a new object in vCenter and it matches your Custom Group criteria, it will be included in the group automatically.

When defining Custom Groups you can leverage characteristics of the objects for your group criteria. For example, you can leverage the VM Name and specify that any VMs with “WEB” in the name are included in the group. Or you can leverage the VM Folder to specify that any VMs in the “Finance” folder are included in the group. I personally prefer to leverage vSphere Tags to accomplish this since they are an extremely powerful way to manage and apply metadata to vSphere objects.

Step 1.) Define your vSphere Tags

The first step to providing vROps access for an application team is to identify which vSphere objects they need access to. Let us assume we are working with the Microsoft Exchange team and they own (7) VMs. These VMs are broken down as follows:

(2) Development Exchange Servers
(2) Test Exchange Servers
(3) Production Exchange Servers

Based on this configuration, we will create (2) vSphere Tag Categories and (4) vSphere Tags.

Application –> Exchange
Environment –> Dev, Tst, Prd

Create the Tag Categories

1.) Navigate to the “Tags & Custom Attributes” section in the vSphere Client.
2.) Click on the “CATEGORIES” section and click the “NEW” button to create a new Tag Category.

3.) Provide the name of the new Tag Category. We will create the “Application” category first. Provide a Description if you wish.
4.) Choose whether or not a vSphere object can have more than one Application Tag assigned to it. I typically allow “Many tags” since some vSphere objects (VMs, Clusters, Datastores, etc…) can be associated with multiple applications.
5.) Next Choose the vSphere objects that can support the “Application” Tag Category. At the very least, we want to choose “Virtual Machine” for our Microsoft Exchange example.

6.) Repeat Steps 2-5 above for the “Environment” Tag Category; however, I typically choose that this category only support one tag per object since we should not be mixing Development, Test, and Production workloads.

Create the Tags

1.) Click on the “TAGS” section and click the “NEW” button to create a new Tag.

2.) Provide the name of the new Tag. We will create the “Exchange” tag first. Provide a Description if you wish. Associate the Tag with the “Application” Tag Category.

3.) Repeat Step 2 above for the “Dev”, “Tst”, and “Prd” Tags except these should be associated with the “Environment” Tag Category.

Step 2.) Assign your Tags

Now that we have created our new Tags we need to tag our Exchange VMs appropriately. vSphere objects can be tagged one at a time or in bulk.

1.) In the vSphere Client, navigate to the “VMs and Templates” view. Click on the “Exchange” VM Folder and navigate to the “VMs” tab in the right pane.
2.) Select all the VMs, right-click and select “Tags & Custom Attributes” –> “Assign Tag…”.

3.) Click “Yes” to confirm you want to perform this action on multiple objects.
4.) Choose the “Exchange” Tag and click “Assign”.
5.) Repeat Steps 2-4 to assign the “Dev”, “Tst”, and “Prd” Tags to the appropriate Exchange VMs.

Step 3.) Identify/Create your AD/LDAP Users & Groups

The most efficient and secure way to provide access to vRealize Operations is by leveraging Active Directory/LDAP Users & Groups. You likely already have Groups setup for your Application teams but if not you will want to do that now. It is also a good idea to create some Groups for vROps, i.e. – “vROps Admins”, “vROps Users”, etc… Ensure that the appropriate Users are members of these Groups. I will be leveraging the following two AD Groups for this example:

vROps Admins
Exchange Admins

Step 4.) Connect vROps to AD

Now we need to setup the connection from vROps to AD.

1.) Login to vROps as an administrator and navigate to the “Administration” section. Expand the “Access” section on the left side navigation pane and click on “Authentication Sources”.
2.) Click the ‘plus’ button to add a new Authentication Source.

3.) Provide a “Source Display Name” for the new source. This name is what users will see when they choose how to login to vROps.
4.) Change the “Source Type” to “Active Directory”.
5.) Provide the “Domain/Subdomain” and the appropriate user credentials.

6.) Click “Test” and if successful click “OK”.

Step 5.) Create a New Group Type

Before we create our new Exchange Custom Groups I like to create a new Group Type called “Exchange Environment”. This is not necessary but it will make things a bit more organized.

1.) Navigate to the “Administration” section, expand the “Configuration” section on the left side navigation pane and click on “Group Types”.
2.) Click the ‘plus’ button to add a new Group Type.

3.) Provide the name for the Group Type. I call it “Exchange Environment” for our example.
4.) Click “OK” to save.

Step 6.) Create the Custom Groups

Now that we have defined our new Group Type, we can proceed to create the following three Custom Groups for Exchange:

Exchange Development
Exchange Test
Exchange Production

This is where the magic of vSphere Tags comes into play. It is important to understand that vROps stores the Tag property for each vCenter object as a string value. If an object has multiple Tags then vROps will store these as a concatenated value.

1.) Navigate to the “Environment” section and click the ‘plus’ button to create a new Custom Group.

2.) Provide a name for the Custom Group. We will start with the “Exchange – Development” group.
3.) Select “Exchange Environment” for the “Group Type”. This is the new Group Type we created in the previous section above.
4.) Select the “Policy” you want to apply for this new Custom Group. You can keep it simple for now and choose the default vSphere Solution policy. Just remember, Policies are extremely powerful and allow you to “tune” the environment as you see fit, so you should revisit this at some point in the future.
5.) Ensure the checkbox is selected to “Keep group membership up to date”. This will specify that the group is dynamic so that any new VMs tagged appropriately will automatically be included.
6.) Choose “vCenter Adapter” –> “Virtual Machine” from the “Object Type” drop-down list.
7.) Now we need to define our first line of criteria for this Custom Group. It should be defined as “Properties” –> “Summary|vSphere Tag” –> “contains” –> “Application-Exchange”.
8.) Click the “Add” button to the right of our first line criteria to add a second line of criteria. This is the equivalent of specifying an “AND” statement to the logic.
9.) The second line of criteria should be defined as “Properties” –> “Summary|vSphere Tag” –> “contains” –> “Environment-Dev”.

10.) Click the “PREVIEW” button in the lower-left corner to confirm the VMs that should be members of the “Exchange – Development” group.

11.) Repeat Steps 1-10 above to create the “Exchange – Test” and “Exchange – Production” Custom Groups. The only difference in the configuration of these two groups is the second line of criteria should specify “Environment-Tst” and “Environment-Prd” respectively.

Step 7.) Create a Custom Role

The next step is to create a Custom Role within vROps. This will define what permissions the Exchange Team is allowed. We want to provide the team with access to view Dashboards, Alerts, and the ability to drill-down on objects via the Environment section.

1.) Navigate to the “Administration” section, expand the “Access” section on the left side navigation pane and click on “Access Control”.
2.) Select on the “Roles” tab and click on the ‘plus’ button to create a new role.

3.) Provide a name for the new role. I will call mine “Exchange”; however, you can name it something more generic like “Application Team” since you can leverage the same role for multiple application teams, i.e. – Exchange, SQL, Oracle, etc…
4.) Provide a role description if you wish and then click “OK” to save.

5.) Highlight the newly created Role in the list and click the “Permissions” pencil button in the bottom-right corner of the screen.
6.) Specify the following permissions:

• Administration
  • Login Interactively
• Alerts
  • Alert Definition Management
    • Read
  • View Alerts PageA
• Dashboards
  • Dashboard Management
    • View Dashboards List
  • Views Management
    • Render
  • View Dashboards Page
• Environment
  • Alerts Management
    • View Impacted Object Symptoms
    • View Metric Charts
    • View Relationships
    • View Timeline
  • Custom Groups Management
    • Read
  • Environment Details Pages (ALL)
  • Environment Page (ALL)
  • Inventory trees (ALL)
  • Reports (ALL)
  • Troubleshooting Management
    • View All metrics Page
    • View Events Page
    • View Symptoms Page
    • View Timeline Page
    • View Troubleshooting Page
  • Dynamic Actions
  • View Environment Home Page
  • View Object Capacity Page
  • View Object Compliance Page
  • View Object Logs Page
  • View Object Workload Page
  • View Recommendations Page
  • View Summary Page

7.) Click “UPDATE” to save.

Step 8.) Import AD Groups

Now that we have defined the necessary permissions via the Role we need to import our AD Groups. We will configure the “vROps Admins” group to have the “Administrator” role for ALL vROps objects and we will configure the “Exchange Admins” group to have the “Exchange” role for only the Exchange Custom Groups we defined earlier.

1.) Navigate to the “Administration” section, expand the “Access” section on the left side navigation pane and click on “Access Control”.
2.) Select on the “User Groups” tab and click on the ‘Import Group’ button to import a new group.

3.) Ensure the AD connection we specified earlier is selected in the “Import From:” drop-down box.
4.) In the “Search String” field, enter “vROps Admins” and click “SEARCH”.
5.) Select the checkbox next to the “vROps Admins” group in the search results and click “NEXT”.

6.) Select “Administrator” from the “Select Role:” drop-down box and click the “Assign this role to the group” checkbox.

7.) Click the “Allow access to all objects in the system” checkbox and click “FINISH”.
8.) Repeat Steps 2-7 for the “Exchange Admins” AD group except this time choose the “Exchange” Role and allow access to only the (3) Exchange Custom Groups we defined earlier. Be sure to click the “Propagation” option next to each Custom Group.

Step 9.) Dashboard Management

At this point we just need to perform some last minute changes to the dashboard sharing configuration. Since every vROps user is a member of the built-in Everyone Group and there are dashboards shared with this group by default, we need to un-share all the dashboards from the Everyone group and specifically share dashboards with our new AD groups.

1.) Navigate to the “Dashboards” section and click “Actions” –> “Manage Dashboards”.

2.) Click the ‘Gear/Configure’ button and select “Share Dashboards”.

3.) Select the “Everyone” group on the left-side and then select all of the dashboards on the right-side.

4.) Drag all the selected dashboards to the “vROps Admins” group on the left-side to mirror the default shared dashboards from the “Everyone” group to the “vROps Admins” group.
5.) Ensure the “Everyone” group is still selected on the left-side and all the dashboards on the right-side are selected. Click the “Stop Sharing” button to un-share all the dashboards from the “Everyone” group.

6.) Now you can share any dashboards you wish with the “Exchange Admins” group. I like to start with the “VM Utilization” dashboard as a first step. Select the “Not Grouped” option on the left-side and find the “VM Utilization” dashboard on the right-side. Drag it to the “Exchange Admins” group.

Step 10.) Validation

At this point our configuration is complete and the only remaining step is to validate the environment.

1.) Login as an AD user that is a member of the “vROps Admins” group and verify that you have full administrative access to vROps.

2.) Login as an AD user that is a member of the “Exchange Admins” group and verify that you have a limited set of permissions in the vROps environment and can only see the VMs that are members of the Exchange Custom Groups we created.

Conclusion

Hopefully you made it all the way through this how-to blog and see the expected results. While this was a good amount of tedious work to get through, I have found that providing application teams a limited view into vROps is necessary to ensure a successful and long lasting deployment that adds value to the organization. You can provide your application teams with even richer metrics by leveraging End Point Operations agents and management packs. Check out my previous blog post on how to monitor Windows Services with vROps.