Each user must have a user account to use vRealize Operations Manager. Administrators can assign each user to be a member of one or more user groups, and apply roles to assign specific privileges to each user for authorization to perform actions.

To ensure security of the objects in your vRealize Operations Manager instance, as a system administrator you can manage all aspects of user access control. You create user accounts, assign each user to be a member of one or more user groups, assign roles to each user or user group to set their privileges, and select the objects in your environment that each user can access.

A role is a collection of action privileges that grants a user or user group the permission to access objects. Roles do not include privileges to view or configure objects. You must assign privileges to objects separately when you add or edit a user account.

You can authenticate users in vRealize Operations Manager in several ways.

Use LDAP to import users or user groups from an LDAP database. LDAP users can use their LDAP credentials to log in to vRealize Operations Manager.

Use vCenter Server users. After a vCenter Server user is registered with vRealize Operations Manager, a vCenter Server user who has been assigned vRealize Operations Manager permissions in vCenter Server can log in to vRealize Operations Manager.

Create local user accounts in vRealize Operations Manager.

You must have privileges to access specific features in the vRealize Operations Manager user interface. The roles associated with your user account determine the features you can access and the actions you can perform.

As a system administrator, you assign a unique user account to each user so that they can use vRealize Operations Manager. You manage user passwords and the criteria used for account lockout, password strength, and the password change policy. With role-based access, users can only perform actions that their privileges allow.

When a user has permission to take an action on an object, such as deleting a virtual machine, that user has permission to perform the same action on any virtual machine that the user can access. For example, a user cannot have read-only permission on one virtual machine and read and write permission on another virtual machine.
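
The rule above, modeled as an added example (not VMware code and not a vRealize Operations Manager API): action privileges come from roles, object scope is set on the account, and a check passes only when both match. All role, group, and object names are constructed; `grant_impact` is a hypothetical helper for reviewing what a role assignment would newly allow.

```python
from dataclasses import dataclass, field

# Constructed model for illustration only. Role, group, and object names are
# hypothetical and are not vRealize Operations Manager identifiers or APIs.
ROLES = {
    "vm-operator": {"power_off_vm"},
    "vm-admin": {"power_off_vm", "delete_vm"},
}
GROUP_ROLES = {"ops-team": {"vm-operator"}}

@dataclass
class Account:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)    # roles assigned directly
    objects: set = field(default_factory=set)  # objects selected for this account

def effective_actions(acct):
    """Union of action privileges from direct roles and group roles."""
    role_names = set(acct.roles)
    for group in acct.groups:
        role_names |= GROUP_ROLES.get(group, set())
    actions = set()
    for role in role_names:
        actions |= ROLES.get(role, set())
    return actions

def is_allowed(acct, action, obj):
    """Both checks must pass: a role grants the action and the object is in scope."""
    return action in effective_actions(acct) and obj in acct.objects

def grant_impact(acct, role):
    """(action, object) pairs that assigning `role` would newly allow."""
    new_actions = ROLES[role] - effective_actions(acct)
    return sorted((a, o) for a in new_actions for o in acct.objects)

alice = Account("alice", groups={"ops-team"}, objects={"vm-web-01", "vm-db-01"})

if __name__ == "__main__":
    # Intent: let alice delete vm-web-01 only. Actual effect of the role grant:
    for action, obj in grant_impact(alice, "vm-admin"):
        print(f"new: {action} on {obj}")
```

Because the action applies to every object in scope, the only way to narrow the result in this model is to narrow the account's object selection or use a separate account.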

vRealize Operations Manager uses the platform-independent Lightweight Directory Access Protocol (LDAP) to access distributed directory services and obtain user and user group information that resides in an LDAP user database on another machine. You can then import user accounts or user groups from that LDAP user database.