In the previous post we went through the installation and initial configuration of vRealize Log Insight (vRLI).
In this post we will go through the steps required to enable Active Directory (AD) authentication integration and set up role-based access groups.
This allows central management through AD: users log on with their domain accounts, and access permissions are based on AD group membership.
First step is to configure the AD authentication integration.
Log on to the Log Insight management console > Administration
Once under Administration, go to Integration > Authentication Configuration > Active Directory
Add in the AD details. I would generally create an AD service account for each LDAP service, as it allows me to manage which accounts are being used for which service (the account should only need Domain Users rights and be set to deny interactive logon for security).
I would also use Require SSL to encrypt the LDAP connection if your DC has an SSL cert that can be used; if not, use the standard port 389.
Next we need to go to Administration > Management > Access Control
To view the roles, click on the Roles tab.
Below are the default user roles. The default roles are fine for me, so I won't be creating any custom roles, just assigning the existing roles using AD groups.
Below is each role and its description.
| Role | Description |
|---|---|
| User | Users can access the full functionality of vRealize Log Insight. You can view log events, run queries to search and filter logs, import content packs into their own user space, add alert queries, and manage your own user accounts to change a password or email address. Users do not have access to the administration options, cannot share content with other users, cannot modify the accounts of other users, and cannot install a content pack from the Marketplace. However, you can import a content pack into your own user space which is visible only to you. |
| Dashboard User | Dashboard users can only use the Dashboards page of vRealize Log Insight. |
| View Only Admin | View Admin users can view Admin information, have full User access, and can edit Shared content. |
| Super Admin | Super Admin users can access the full functionality of vRealize Log Insight, can administer vRealize Log Insight, and can manage the accounts of all other users. |
Next we need to create groups in AD that will be used to allow access. I have created Admin, Dashboard and Read Only groups.
The last step is to add the groups to vRLI. Go back to Administration > Management > Access Control and click on New Group.
Add in the group name and select the role to be assigned.
Once all groups are added, we can test by adding a user to a group and confirming their access.
Open a new browser session, open the vRLI web management address and select Active Directory as the identity source.
The user account should be able to log on but only have a limited view compared to a full Admin.
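The AD-side preparation from the steps above (LDAPS check on the DC, the dedicated bind account, and the access groups) can be scripted. This is an added example, not part of the original post; the DC name, OU path, account name and group names are hypothetical placeholders, and it assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example. Every name below (DC, OU, account, groups) is a hypothetical placeholder.
Import-Module ActiveDirectory

$DomainController = 'dc01.example.local'
$OuPath           = 'OU=vRLI,DC=example,DC=local'   # OU must already exist
$ServiceAccount   = 'svc-vrli-ldap'
$GroupNames       = 'vRLI-Admin', 'vRLI-Dashboard', 'vRLI-ReadOnly'

# Returns whether the DC completes a TLS handshake on the LDAPS port with a
# certificate this machine trusts; if not, "Require SSL" has nothing to use.
function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)   # default validation: chain and host name
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Usable = $true; Subject = $cert.Subject; Expires = $cert.NotAfter; Error = $null }
    }
    catch {
        [pscustomobject]@{ Usable = $false; Subject = $null; Expires = $null; Error = $_.Exception.Message }
    }
    finally { $client.Dispose() }
}

Test-LdapsCertificate -Server $DomainController | Format-List

# Dedicated bind account for this one LDAP service. New users are members of
# Domain Users only. The deny-interactive-logon restriction is a user rights
# assignment (GPO: "Deny log on locally") and is not set by this script.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'")) {
    New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount -Path $OuPath `
        -AccountPassword (Read-Host -AsSecureString "Password for $ServiceAccount") `
        -Enabled $true -CannotChangePassword $true `
        -Description 'LDAP bind account for vRealize Log Insight'
}

# One security group per vRLI role that will be assigned under Access Control.
foreach ($name in $GroupNames) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
            -GroupCategory Security -Path $OuPath `
            -Description 'Grants a vRealize Log Insight role'
    }
}
```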
In the next post we will go through querying logs and creating dashboards.