Managing User Accounts

Note:

This topic describes features that are available in the new design of the user interface. This new design is enabled by default. If you switched to the legacy design, click the New Feature Toggle button in the navigation bar of the user interface and then turn on the toggle to re-enable the new design. For more information, see New Design for the User Interface.

As an administrator, you specify accounts that grant users access to Turbonomic. Credentials for user accounts can either be saved locally on the Turbonomic server or managed externally through Microsoft Active Directory (AD) or another single sign-on (SSO) provider.

The user account configuration determines the following details:

  • User Authentication

    To configure an account, you set the type of authentication the account uses:

    • Local User: Configure the username and password and save those credentials on the Turbonomic server.

    • External User: Single user accounts can authenticate through SSO or through AD.

    • External Group: Groups of user accounts can authenticate through SSO or AD.

  • User Authorization

    You can also specify properties that determine the range of access and features for a user:

    • Role: The user role determines access to specific Turbonomic features.

    • Scope: The user scope determines how much of the environment this user can manage.

As you configure user accounts, you can set up access to specific clusters in your environment. You can even set up accounts for tenant customers, and only show them the virtual workloads they own in their specific virtual datacenters.

Important:

For self-hosted Turbonomic instances, you can configure Turbonomic to use SSO authentication. When SSO is enabled, Turbonomic permits logins only through the SSO IdP. Whenever you navigate to your Turbonomic installation, it redirects you to the SSO Identity Provider (IdP) for authentication before it displays the Turbonomic user interface.

Before you enable SSO for your Turbonomic installation, you must configure at least one SSO user with Turbonomic administrator privileges. If you do not, then after you enable SSO, you cannot configure any SSO users in Turbonomic. To authorize an SSO user as an administrator, use EXTERNAL AUTHENTICATION to do one of the following:

  • Configure a single SSO user with administrator authorization.

    Add an external user. The username must match an account that the IdP manages.

  • Configure an SSO user group with administrator authorization.

    Add an external group. The group name must match a user group on the IdP, and that group must have at least one member.

For information about configuring SSO user groups in SAML, see Configuring a Group for SSO Authentication. For information about configuring SSO authentication for Turbonomic, see Single Sign-On Authentication.

To work with Turbonomic accounts:

  1. Navigate to the Settings page.

    Settings button

    Click to navigate to the Settings page. From there, you can perform a variety of Turbonomic configuration tasks.

  2. Choose User Management.

    User Management button

    Click to navigate to the User management page.

    User management page

    This page lists all the user accounts that you currently have configured for Turbonomic. You can perform the following tasks:

    • Manage local or external authentication.

    • Delete an account.

    • Edit an account by clicking the pencil icon, which appears while hovering over a name.

    • Create a new user or group account.

  3. Filter the list of users.

    User management page with filter options highlight

    To work with a long list of users, you can filter by role (for example, only show administrator or only show observer users), or you can type a string in the Search field.

  4. Configure Local user accounts.

    List of local users

    Turbonomic stores local accounts and their credentials on the Turbonomic platform. Local authentication is for individual users only.

    When you choose Local users, Turbonomic displays a list of all the local user accounts you have configured for this installation.

  5. Create or edit a local user account.

    New Local User fly-out panel

    To add a new local user, click New local user. To edit an existing account, click the account name in the list. To configure a local account, specify:

    • Authentication

      Provide the username and password. Turbonomic stores these credentials on the local server.

    • Authorization – User Role

      • Administrator

        Users with this role can use all Turbonomic features and modify settings to configure the Turbonomic installation. For Turbonomic instances hosted in the public cloud, this role is limited to the Turbonomic representative that manages the instances.

      • Site Administrator

        Users with this role can use all Turbonomic features and modify site-specific settings to configure the Turbonomic installation. Users can also administer Groups, Policies, Workflows, Templates, Billing/Costs, and Target Configuration, but not Email, Licenses, Updates, and Maintenance. Users can create other user accounts, except accounts with the Administrator role.

      • Automator

        Users with this role can use all Turbonomic features (including Plan, Park, and Place), but cannot configure the Turbonomic installation or create policies.

      • Parker

        Users with this role can manually park (stop/start) workloads, manage parking schedules, and view all Turbonomic charts and data. However, users cannot place workloads, create policies and templates, run plans, or execute any recommended actions.

      • Deployer

        Users with this role can view all Turbonomic charts and data, use Place to reserve workloads, and create placement policies and templates. However, users cannot run plans or execute any recommended actions.

      • Advisor

        Users with this role can view all Turbonomic charts and data, and run plans. However, users cannot use Place to reserve workloads, create policies, or execute any recommended actions.

      • Observer

        Users with this role can view the environment, including the Home Page and Dashboards. Users can also use Search to set a scope to the session. For scope, only VM groups and Resource Groups are supported.

      • Operational Observer

        Users with this role can view the environment, including the Home Page, Dashboards, Groups, and Policies. Users can also use Search to set a scope to the session.

      • Shared Advisor

        Users with this role are scoped users. They can view the Home Page and Dashboards, but only see VMs and Applications. Users cannot execute Turbonomic actions.

      • Shared Observer

        Users with this role are scoped users. They can view the Home Page, custom dashboards, and application maps, but can see only VMs and Applications. They cannot view Executive Dashboards or execute Turbonomic actions. Shared Observer is the most restricted user role.

      • Report Editor

        Users with this role can create, edit, and delete reports. Due to limits to the reporting license, only one user per instance is allowed to have this role (by default, the local administrator user). To assign this role to another user, you must first remove it from the current user. Be sure that the new user is not a scoped user.

    • Authorization – Scope or Assigned groups (optional)

      You can limit what the user can monitor in your environment. For example, you can scope to a group that contains only the physical machines that support this user’s VMs or applications. Click Add scope or Add groups and choose which groups or clusters this user can see.

      Note:

      Under most circumstances, a scoped user cannot see actions for entities that are outside of the configured scope. However, when zooming in to Host entities, the user can see actions for storage that is outside of the user's scope if the hosts use that storage.

    • Permission

      The user permissions are different for each role.

    • When you are done, save the account.

  6. Configure External authentication.

    List of externally authenticated users

    For External authentication, you configure Turbonomic to use Single Sign-on (SSO) or Active Directory (AD) services to manage the credentials and authentication of users. You can create external accounts to authorize user groups or individual users.

    Points to consider:

    • If an external user is a named external user, Turbonomic authenticates the user with the permissions defined for that user, independent of membership in any of the configured external groups.

    • If an external user is not a named external user, Turbonomic considers the membership in a defined external group.

    • If a user is a member of multiple groups, Turbonomic authenticates the user through the first group that was returned during the SSO or AD authentication.

    • A user always maps to a single external user or external group created in Turbonomic, and then applies the corresponding role and scope.

    • Turbonomic does not support nested AD groups. AD logins must be for users in a top-level group.
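    The five rules above decide which single external account a login maps to, and the ordering rule in particular is easy to get wrong when a user belongs to several configured groups. The following added example (not Turbonomic's code; the account model, names and group memberships are constructed for illustration) implements that resolution so you can check what role and scope a given login would receive before you enable external authentication.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class ExternalAccount:
    """One external user or external group as configured in Turbonomic (hypothetical model)."""
    name: str                 # UPN / IdP user name, or group name
    role: str                 # e.g. "ADMINISTRATOR", "OBSERVER"
    scope: Tuple[str, ...]    # groups/clusters the account may see; () means unscoped


def resolve_external_account(
    login_name: str,
    groups_returned: Sequence[str],
    named_users: Sequence[ExternalAccount],
    external_groups: Sequence[ExternalAccount],
) -> Optional[ExternalAccount]:
    """Map one login to exactly one configured external account.

    Rule 1: a named external user wins, whatever groups the directory returned.
    Rule 2: otherwise the first group in `groups_returned` that has a configured
            external group decides role and scope; later groups are ignored.
    Rule 3: only groups the directory returned directly are considered;
            no nested-group expansion is attempted.
    Returns None when nothing matches, i.e. the login is not authorized.
    Names are compared exactly (a simplification; directories are often case-insensitive).
    """
    users_by_name = {u.name: u for u in named_users}
    if login_name in users_by_name:
        return users_by_name[login_name]
    groups_by_name = {g.name: g for g in external_groups}
    for group in groups_returned:          # directory return order matters here
        if group in groups_by_name:
            return groups_by_name[group]
    return None


# Constructed configuration for the example (not from any real installation).
NAMED_USERS = [
    ExternalAccount("alice@corp.example.com", "ADMINISTRATOR", ()),
]
EXTERNAL_GROUPS = [
    ExternalAccount("turbo-observers", "OBSERVER", ("VM-Group-A",)),
    ExternalAccount("turbo-admins", "ADMINISTRATOR", ()),
]


def demo() -> dict:
    """Resolve four constructed logins and return login -> (role, scope) or None."""
    cases = {
        # named user: ADMINISTRATOR even though the directory also lists her as an observer
        "alice@corp.example.com": ["turbo-observers"],
        # member of two configured groups: the FIRST returned wins, so OBSERVER, not admin
        "bob@corp.example.com": ["turbo-observers", "turbo-admins"],
        # only a parent group is returned; a nested turbo-observers membership is not expanded
        "carol@corp.example.com": ["eng-all"],
        # no configured group at all
        "dave@corp.example.com": ["finance"],
    }
    results = {}
    for login, groups in cases.items():
        acct = resolve_external_account(login, groups, NAMED_USERS, EXTERNAL_GROUPS)
        results[login] = None if acct is None else (acct.role, acct.scope)
    return results


if __name__ == "__main__":
    for login, outcome in demo().items():
        print(f"{login:28} -> {outcome if outcome else 'denied'}")
```

    The bob case is the one to review in a real deployment: because the first returned group decides, the same user can receive a different role depending on the order the IdP or AD lists memberships, so a user who should be an administrator is safest as a named external user, and a user who should not be one should not appear in any group that maps to that role.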

    To enable SSO, you must configure access to the given IdP. For information about configuring SSO, see Single Sign-On Authentication.

    To enable AD, you must specify either an AD domain, an AD server, or both. Turbonomic uses this connection for all AD users.

  7. Enable AD authentication.

    Edit Active Directory fly-out panel

    Click Active directory to manage the AD configuration.

    • Active Directory Domain

      To authenticate AD groups, specify a domain so that AD can find a user with the User Principal Name (UPN). If you specify a domain, but not a server, authentication uses any AD server from that domain. If you want to support only AD users and not groups, the domain is optional.

    • Active Directory Server

      To disable AD groups, specify a server but do not specify a domain. If you specify a domain and a server, authentication uses that server and also supports groups.

      When you configure an AD server, Turbonomic assumes by default that the AD server port is 389 or 636. To specify a custom port for the AD server, append the port number to the AD server IP address. For example, 10.10.10.123:444 sets port 444.

    • Secure

      Use a secure connection to communicate with AD servers. The AD domain must be configured to use LDAPS, and you must import a certificate into the Turbonomic server. Turbonomic can support LDAP channel binding and LDAP signing. To support these Active Directory features, you must configure secure access.

      For more information, see Enforcing Secure Access.

    • When you are done, save your changes.
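    The Active Directory Domain, Active Directory Server and Secure settings interact: the domain decides whether AD groups work, the server decides which host is contacted, and Secure decides the default port and the transport. The added example below (not Turbonomic's code; the AdConnectionPlan model and the sample values are constructed for illustration) encodes those rules, including the host:port form from the paragraph above, so you can see what a given combination resolves to before saving it.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AdConnectionPlan:
    """What the three AD settings resolve to (hypothetical model, not a product API)."""
    target: str             # host to contact, or "any server in <domain>"
    port: int               # explicit host:port wins; otherwise 636 when Secure, else 389
    scheme: str             # "ldaps" when Secure is on, otherwise plaintext "ldap"
    groups_supported: bool  # AD groups need a domain so users can be found by UPN


def split_host_port(server: str, default_port: int) -> Tuple[str, int]:
    """Accept 'host' or 'host:port' as the page describes (e.g. 10.10.10.123:444)."""
    host, sep, port = server.rpartition(":")
    if sep and port.isdigit():
        number = int(port)
        if not 1 <= number <= 65535:
            raise ValueError(f"port out of range: {server}")
        return host, number
    return server, default_port


def plan_ad_connection(domain: Optional[str], server: Optional[str], secure: bool) -> AdConnectionPlan:
    """Apply the domain/server/secure rules from the AD settings panel."""
    domain = (domain or "").strip() or None
    server = (server or "").strip() or None
    if domain is None and server is None:
        raise ValueError("AD needs a domain, a server, or both")
    default_port = 636 if secure else 389
    scheme = "ldaps" if secure else "ldap"
    if server is None:
        # Domain only: any AD server from that domain; groups work because UPN lookup has a domain.
        return AdConnectionPlan(f"any server in {domain}", default_port, scheme, True)
    host, port = split_host_port(server, default_port)
    # Server without a domain: that server is used but AD groups are disabled.
    # Server plus domain: that server is used and groups are supported.
    return AdConnectionPlan(host, port, scheme, domain is not None)


def demo() -> dict:
    """Three constructed settings combinations and what each resolves to."""
    return {
        "domain_only": plan_ad_connection("corp.example.com", None, False),
        "server_only_custom_port": plan_ad_connection(None, "10.10.10.123:444", True),
        "domain_and_server_secure": plan_ad_connection("corp.example.com", "10.10.10.123", True),
    }


if __name__ == "__main__":
    for label, plan in demo().items():
        print(f"{label:26} {plan.scheme}://{plan.target}:{plan.port}  groups={plan.groups_supported}")
```

    The scheme field is the setting to check first: with Secure off, the plan is plaintext LDAP on 389, which sends user credentials unencrypted to the directory and also rules out the channel binding and signing that the Secure bullet mentions. Leave the default port only when the directory listens on 389 or 636, and give the explicit host:port form otherwise.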

  8. Create or edit an SSO or AD account.

    New External User fly-out panel

    This account can be for a user group or for a single user. To add a new account, click Add > New external user or New external group. To edit an existing account, click the account name. To configure an external account, specify:

    • Authentication

      Provide the group or user name for this account. The name you provide must meet certain requirements, depending on the type of account you are creating:

      • External Group - SSO

        Provide a name that matches a group the IdP manages.

      • External Group - AD

        The group name must match a group that is accessible from the domain and servers that you configured in EDIT AD.

      • External User - SSO

        Provide a user name that matches a user managed by the IdP.

      • External User - AD

        The username must be a valid User Principal Name (UPN). For example, john@corp.mycompany.com.

    • Authorization – User Role

      • Administrator

        Users with this role can use all Turbonomic features and modify settings to configure the Turbonomic installation. For Turbonomic instances hosted in the public cloud, this role is limited to the Turbonomic representative that manages the instances.

      • Site Administrator

        Users with this role can use all Turbonomic features and modify site-specific settings to configure the Turbonomic installation. Users can also administer Groups, Policies, Templates, Billing/Costs, and Target Configuration, but not Email, Licenses, Updates, and Maintenance. Users can create other user accounts, except accounts with the Administrator role.

      • Automator

        Users with this role can use all Turbonomic features (including Plan, Park, and Place), but cannot configure the Turbonomic installation or create policies.

      • Parker

        Users with this role can manually park (stop/start) workloads, manage parking schedules, and view all Turbonomic charts and data. However, users cannot place workloads, create policies and templates, run plans, or execute any recommended actions.

      • Deployer

        Users with this role can view all Turbonomic charts and data, use Place to reserve workloads, and create placement policies and templates. However, users cannot run plans or execute any recommended actions.

      • Advisor

        Users with this role can view all Turbonomic charts and data, and run plans. However, users cannot use Place to reserve workloads, create policies, or execute any recommended actions.

      • Observer

        Users with this role can view the environment, including the Home Page and Dashboards. Users can also use Search to set a scope to the session. For scope, only VM groups and Resource Groups are supported.

      • Operational Observer

        Users with this role can view the environment, including the Home Page, Dashboards, Groups, and Policies. Users can also use Search to set a scope to the session.

      • Shared Advisor

        Users with this role are scoped users. They can view the Home Page and Dashboards, but only see VMs and Applications. Users cannot execute Turbonomic actions.

      • Shared Observer

        Users with this role are scoped users. They can view the Home Page and custom Dashboards, but only see VMs and Applications. Users cannot see Executive Dashboards or execute Turbonomic actions. This is the most restricted user role.

      • Report Editor

        Users with this role can create, edit, and delete reports. Due to limits to the reporting license, only one user per instance is allowed to have this role (by default, the local administrator user). To assign this role to another user, you must first remove it from the current user. Be sure that the new user is not a scoped user.

    • Authorization – Scope or Assigned groups (optional)

      The scope limits what members of this group can monitor. For example, you can scope for access to only the hosts that support this group’s VMs or applications. Click Define scope or Add groups and choose which entities the members of this group can see.

    • Permission

      The user permissions are different for each role.

    • When you are done, save the account.