Once you have deployed your vCenter Operations Manager system, connected it to vCenter and licensed vC Ops, you will want to enable users to log in to it. It isn’t immediately obvious how to do this – there are no user accounts that you can create within vC Ops for logins (it only has root and admin), and you may want to enable an AD user to log in to vC Ops, or create a vSphere SSO user to allow login.

vCOps login creation

The concept of logins to vCenter Operations Manager is that authentication to the system is handled by vCenter and SSO (Single Sign On). It makes total sense when you think about it – why should VMware create yet another location where you have to manage users when there is a very good SSO system, or the ability to use AD through an existing connection in vCenter SSO? So, access to vC Ops is granted to users who are able to log in to vCenter – these can be local users on the Windows server where vCenter is installed (not applicable to the vCenter Appliance), users who are created in SSO, or AD users.

Create a new role

The first step is to create a new role. This is a construct used in vCenter to represent a series of capabilities and rights (privileges) that you will later use to grant permissions to users over objects. The built-in roles include “Administrator” and “Virtual Machine User (sample)”. To get to the roles window, go to Home -> Administration -> Roles. Then press the “Add Role” button and give the role a name (I have used “vC Ops Login”), then navigate through the privileges to find “Global” and select “vCenter Operations Manager User”.


vCOps Create New Role

That’s all you need for someone to log in to vC Ops.

Create an SSO group for users (optional)

Most of the time, you will want to use an AD group, but if you need to create a new collection of users and groups, such as from multiple domains or authentication sources, then you should read my post about creating vSphere SSO groups to contain users from multiple or disparate sources.

Add users to the role and assign to vCenter object

Now that you have created the role, you need to assign it to the top-level vCenter object and specify the users (and/or groups) that will have the right to log in to vCenter Operations Manager. You need to assign the role to vCenter, because that is the object that vC Ops is accessing to gather information – if you apply the right just to a cluster or group of VMs, then the assigned user will not be able to log in. So, you need to navigate to the vCenter object, such as by going to Hosts & Clusters and then selecting vCenter.
If you are using the Windows client, then go to the Permissions tab, right click in empty space and select “Add Permission…”.
In the Web Client you need to go to the Manage tab, and then select the Permissions sub-tab and press the green plus button.

Then you will get a dialog where you choose the users or groups on the left, and the role that they will have on the right.


vC Ops Assign Role in vSphere vCenter

Press the Add button and select a user or group, then after adding the user or group you can specify the role that they have. If you have added multiple users, then you will need to select each one before selecting the role that they are assigned.

Once you have done this on the vCenter object, then the users defined will have the ability to log in to vC Ops.
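The same steps can be scripted with VMware PowerCLI. This is an added example, not part of the original post or the VMware KB: the server and group names are constructed placeholders, and it assumes the privilege can be looked up by the display name shown in the Roles dialog and that the root folder returned by `Get-Folder -NoRecursion` corresponds to the top-level vCenter object.

```powershell
# Added example. Placeholder values below are constructed, not from the article.
$vcServer  = 'vcenter.example.local'   # placeholder vCenter address
$principal = 'EXAMPLE\vCOps-Users'     # placeholder AD group (could be an SSO group)
$roleName  = 'vC Ops Login'            # role name used in the article

$vi = Connect-VIServer -Server $vcServer

# Find the single privilege the article selects under "Global".
# Assumption: the display name matches what the Roles dialog shows.
$priv = Get-VIPrivilege -Server $vi -PrivilegeItem `
        -Name 'vCenter Operations Manager User' -ErrorAction SilentlyContinue
if (-not $priv) {
    throw "Privilege 'vCenter Operations Manager User' not found; is vC Ops registered with this vCenter?"
}

# Create the role only if it does not exist, so the script can be re-run.
$role = Get-VIRole -Server $vi -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Server $vi -Name $roleName -Privilege $priv
}

# Assign the role on the top-level object, not on a cluster or VM folder.
$root = Get-Folder -Server $vi -NoRecursion
$existing = Get-VIPermission -Server $vi -Entity $root -Principal $principal `
            -ErrorAction SilentlyContinue | Where-Object { $_.Role -eq $roleName }
if (-not $existing) {
    New-VIPermission -Server $vi -Entity $root -Principal $principal -Role $role | Out-Null
}

# Review what was granted: the role should carry only the vC Ops privilege
# plus the system privileges vCenter adds to every role.
Get-VIRole -Server $vi -Name $roleName | Select-Object -ExpandProperty PrivilegeList
Get-VIPermission -Server $vi -Entity $root -Principal $principal |
    Select-Object Principal, Role, Propagate

Disconnect-VIServer -Server $vi -Confirm:$false
```

Reviewing the printed privilege list is a quick way to confirm the role grants login to vC Ops and nothing else in vCenter.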

This is all officially documented in http://kb.vmware.com/kb/2018670

 
