vRealize Operations Manager supports vCenter Server users. To log in to vRealize Operations Manager, vCenter Server users must already be valid users in vCenter Server.

A vCenter Server user account must either have administration access in vCenter Server, or have one of the vRealize Operations Manager privileges, such as PowerUser, assigned to it at the root level in vCenter Server.

To log in to vRealize Operations Manager, a vCenter Server user must have either the vCenter Server Admin role or one of the vRealize Operations Manager privileges, such as PowerUser, on the root folder in vCenter Server. vCenter Server uses only the privileges on the root object to map user accounts to the vRealize Operations Manager roles. After login, the user can view all of the objects in vRealize Operations Manager that they can already view in vCenter Server. The role is derived from the privilege on the root object in vCenter Server.

After login, privileges transfer from the vCenter Server instance to vRealize Operations Manager. Role association is accomplished in vCenter Server, and the vRealize Operations Manager roles transfer to the vCenter Server when the vCenter Server registers in vRealize Operations Manager. A vCenter Server user is associated with a role that corresponds to its privileges in vCenter Server.

In an environment that has multiple vCenter Server instances, all of the roles used for those instances, and all of the objects in those instances, are available to users. vRealize Operations Manager delegates the user authorization to access either a single vCenter Server instance or all instances, depending on the identification source that users select when they log in to vRealize Operations Manager. If users select a single vCenter Server instance as the authorization source, they have permission to access only the objects in that vCenter Server instance.

vCenter Server users can access objects depending on their assigned roles and permissions on objects. For example, vCenter Server users can have privileges to access non-vSphere, non-inventory objects to create, update, delete, and access custom groups, dashboards, views, and reports.

vRealize Operations Manager does not support linked vCenter Server instances. Instead, you must add the vCenter Server adapter for each vCenter Server instance, and register each vCenter Server instance to vRealize Operations Manager.

Only objects from a specific vCenter Server instance appear in vRealize Operations Manager. If a vCenter Server instance has other linked vCenter Server instances, the data does not appear.

You cannot view or edit vCenter Server roles or privileges in vRealize Operations Manager. vRealize Operations Manager sends roles as privileges to vCenter Server as part of the vCenter Server Global privilege group. A vCenter Server administrator must assign vRealize Operations Manager roles to users in vCenter Server.

vRealize Operations Manager privileges in vCenter Server have the role appended to the name. For example, vRealize Operations Manager ContentAdmin Role, or vRealize Operations Manager PowerUser Role.

A vCenter Server user is a read-only principal in vRealize Operations Manager, which means that you cannot change the role, group, or objects associated with the role in vRealize Operations Manager. Instead, you must change them in the vCenter Server instance. The role applied to the root folder applies to all of the objects in vCenter Server to which a user has privileges. vRealize Operations Manager does not apply individual roles on objects. For example, if a user has the PowerUser role to access the vCenter Server root folder, but has read-only access to a virtual machine, vRealize Operations Manager applies the PowerUser role to the user to access the virtual machine.
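Because the role comes only from the root folder, an export of vCenter Server permissions can be checked for users whose root-derived role exceeds the read-only access they were given on individual objects. The following Python sketch is an added example, not VMware code. The record layout, the object names, and the ReadOnly and Admin role labels in the sample data are assumptions made for illustration.

```python
# Constructed sample of vCenter Server permission entries (hypothetical layout).
VROPS_PREFIX = "vRealize Operations Manager "
ROOT = "root-folder"  # assumed identifier for the vCenter Server root folder

PERMISSIONS = [
    {"principal": "alice", "object": ROOT, "role": "OpsPower",
     "privileges": ["vRealize Operations Manager PowerUser Role"]},
    {"principal": "alice", "object": "vm-101", "role": "ReadOnly", "privileges": []},
    # bob holds the privilege on a VM only, not on the root folder
    {"principal": "bob", "object": "vm-101", "role": "VMOperator",
     "privileges": ["vRealize Operations Manager PowerUser Role"]},
    {"principal": "carol", "object": ROOT, "role": "Admin", "privileges": []},
]


def root_roles(perms, principal):
    """Roles derived from the root object only, following the page's mapping rule."""
    roles = set()
    for p in perms:
        if p["principal"] != principal or p["object"] != ROOT:
            continue
        if p["role"] == "Admin":  # vCenter Server Admin role also permits login
            roles.add("Admin")
        for priv in p["privileges"]:
            # Privilege names carry the role, e.g. "... PowerUser Role"
            if priv.startswith(VROPS_PREFIX) and priv.endswith(" Role"):
                roles.add(priv[len(VROPS_PREFIX):-len(" Role")])
    return roles


def can_log_in(perms, principal):
    """Login requires the Admin role or a vROps privilege on the root folder."""
    return bool(root_roles(perms, principal))


def audit(perms):
    """Flag objects that are read-only in vCenter Server but fall under a root-derived role."""
    findings = []
    for p in perms:
        if p["object"] == ROOT or p["role"] != "ReadOnly":
            continue
        roles = root_roles(perms, p["principal"])
        if roles:
            findings.append((p["principal"], p["object"], sorted(roles)))
    return findings


if __name__ == "__main__":
    for user, obj, roles in audit(PERMISSIONS):
        print(f"{user}: read-only on {obj} in vCenter Server, root-derived role {roles}")
```
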

When permissions for a vCenter Server user change in vCenter Server, the user must log out and log back in to vRealize Operations Manager to refresh the permissions and view the updated results in vRealize Operations Manager. The permissions refresh at fixed intervals, as defined in the $ALIVE_BASE/user/conf/auth.properties file. If necessary for your environment, you can change this interval.