

User-scoped Authentication for vCenter Server

You can enable user-scoped authentication for vCenter Server environments by adding a configuration entry to the caaipconf.cfg file located in the Install_Path\productname\conf directory. Because this entry does not exist after installation, user-scoped authentication is disabled by default. In this case, CA Virtual Assurance authenticates to vCenter Server as the user that is specified in the vCenter Server configuration pane under Administration.

In contrast, when user-scoped authentication is enabled, CA Virtual Assurance uses the user who is currently logged in to the user interface to authenticate vCenter Server environment operations. User-scoped authentication requires that the appropriate users and their permissions are specified in vCenter Server. The same users must also be specified in CA EEM so that they can log in to the CA Virtual Assurance user interface.

To enable user-scoped authentication

  1. Specify the required users and their permissions (administrator or read-only) in vCenter Server.
  2. Specify the same users in CA EEM.
  3. Change to the CA Virtual Assurance manager server and navigate to the Install_Path\productname\conf directory.
  4. Open the caaipconf.cfg file with a text editor and add the following entry to the AIP product section:
    <property name="USER_SCOPED_AUTHENTICATION">
        <value>VC</value>
        <displayName>The vCenter PMM component uses the currently logged in user for authenticating vCenter Server platform operations.</displayName>
    </property>
    

    Result:

    <properties targetNamespace="http://www.ca.com/cfg/types/2008/05">
        <product name="AIP">
           ...
           <property name="USER_SCOPED_AUTHENTICATION">
              <value>VC</value>
              <displayName>The vCenter PMM component uses the currently logged in user for authenticating vCenter Server platform operations.</displayName>
           </property>
           ...
        </product>
        ...
    
  5. Save the file.

    CA Virtual Assurance automatically detects the change.

  6. Verify that a currently logged in user has the same permissions in CA Virtual Assurance for managing the VMware environment as specified in vCenter Server.

Note: If you want to disable user-scoped authentication, remove the entry from the caaipconf.cfg file.
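The following check is an added example, not part of the product or its documentation. It parses a caaipconf.cfg body and reports whether the entry from step 4 is present in the AIP product section with the value VC. The sample file contents, the function names, the state labels, and the section name OTHER are constructed for illustration; reporting any other placement or value as "not_as_documented" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample files, modeled on the "Result" fragment above.
ENABLED_CFG = """<properties targetNamespace="http://www.ca.com/cfg/types/2008/05">
  <product name="AIP">
    <property name="USER_SCOPED_AUTHENTICATION">
      <value>VC</value>
      <displayName>The vCenter PMM component uses the currently logged in user.</displayName>
    </property>
  </product>
</properties>"""

DEFAULT_CFG = """<properties targetNamespace="http://www.ca.com/cfg/types/2008/05">
  <product name="AIP"/>
</properties>"""

# Hypothetical section name: the entry exists, but outside the AIP section.
MISPLACED_CFG = ENABLED_CFG.replace('name="AIP"', 'name="OTHER"')


def local(tag):
    """Drop an XML namespace prefix such as '{uri}property', if present."""
    return tag.rsplit("}", 1)[-1]


def user_scoped_auth_state(cfg_text):
    """Return 'enabled', 'disabled', or 'not_as_documented' for a cfg body."""
    root = ET.fromstring(cfg_text)
    found_elsewhere = False
    for product in root.iter():
        if local(product.tag) != "product":
            continue
        for prop in product:
            if local(prop.tag) != "property" or prop.get("name") != "USER_SCOPED_AUTHENTICATION":
                continue
            value = next((c.text or "" for c in prop if local(c.tag) == "value"), "")
            if product.get("name") == "AIP" and value.strip() == "VC":
                return "enabled"
            found_elsewhere = True  # entry present, but not as shown in step 4
    return "not_as_documented" if found_elsewhere else "disabled"


if __name__ == "__main__":
    for label, cfg in [("enabled", ENABLED_CFG), ("default", DEFAULT_CFG), ("misplaced", MISPLACED_CFG)]:
        print(label, "->", user_scoped_auth_state(cfg))
```

A result of "disabled" corresponds to the default state, in which every user interface login operates on vCenter Server with the single configured account.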

Example

Initial scenario: During a CA Virtual Assurance installation, the user CA has been configured to log in to the CA Virtual Assurance user interface. On vCenter Server, administrator is the user with administrator permissions. CA Virtual Assurance is configured to use administrator for authenticating vCenter Server environment operations (see Administration tab, vCenter Server Configuration page in the user interface). User-scoped authentication is disabled by default.

This scenario conforms to a full installation and an appropriate vCenter Server configuration.

Assume the following:

When you log in to CA Virtual Assurance as Superuser, you have administrator permissions for managing vCenter Server.

When you log in to CA Virtual Assurance as Reader, you have read-only permissions for monitoring vCenter Server.

When you disable user-scoped authentication, everyone who logs in to CA Virtual Assurance has vCenter Server administrator permissions. With user-scoped authentication disabled, CA Virtual Assurance uses the user administrator specified in the vCenter Server Configuration pane under Administration in the user interface (see also the initial scenario of this example).