vCenter Chargeback User Contexts

So there is always a question that comes up when we install vCenter Chargeback with vCloud director.  In most cases folks, ask the same question.  “Which interface do I use to access the tool”.  What they are referring to is the fact that there is the Web interface as well as the vCenter plugin interface available.  I did some poking around and what is curious that each method of accessing the interface provides different views based on the user context.  Yes I know it confused me for a bit too, so what I wanted to do was shed some light on the subject by providing a few screen shots and some views from my lab.  What I won’t get into is the installation and configuration.  The install is pretty basic, and the configuration can be tricky depending on if you are using it WITH vCloud director or standalone.  Maybe that will be a topic for another post.  For now let’s just look at the views AND roles available based on the different methods of login.

Local Web Portal Logins

For those that have installed vCenter Chargeback, you know the first and only login is for the locally assigned system administrator.  You can also setup other local accounts that are not tied to LDAP.  The advantage here is that you MUST login using the web portal and you can make any local users SuperUsers allowing them to see all globally configured items.  Bear in mind there are certain things that you configure as a superuser that affect all views and others that are then only available when signed in as another user context.

LDAP Web Portal Logins

LADP can be setup from the original administrator superuser and allows Web based login access to any LDAP user assigned by the local system admin.  The main issue here is that NO LDAP user can be made a Super user.  The highest level is the Administrator Role.  This means many things you configured as the SuperUser will not show up as an Administrator role including the vCenter connections as well as the pre-configred vCloud or custom Hierarchy views.  For that each user or LDAP group needs to be assigned a Heirarcy Manager Role as well as some of the cost roles.  Once those are assigned everything pulls through.  Now this is where it gets interesting.

vCenter Plugin Logins

You would think that if you’re LDAP account was properly assigned in the Chargeback web screens you would be able to flip over to the vCenter Client assuming you are using the same LDAP user and see all the same things.  However that is NOT the case.  Chargeback 1.5 treats the vCenter Plugin connection as a DIFFERENT user context all together.  However, the advantage is that you can actually assign THAT user a SuperUser Role unlike the LDAP web portal user.  This means all the items you configured as a SuperUser context will now be visible to you through the vCenter Client.  Below you can see that the connection from the vCenter Plugin is actually logged as a different login type and server.  This means the same user account can have different views in the Client PLugin versus the web login.

Screen Views of Different User Contexts

As you can see from the four screens below the Local Admin, LDAP, and vCenter Plugin views are different user contexts.  Anything configured as the “Local Admin” will only show up to OTHER SuperUsers which can only be set as local accounts or as you can see by the vCenter Plugin Users.  the LDAP user even though an Administrator does not see the Hierarchy unless that user or group is specifically assigned as a Hierarchy manager.

ChargeBack User Contexts (Click to Enlarge)
Web Console Local Admin Login (Click to Enlarge)
Web Console Logged in as LDAP "Administrator Role" (Click to Enlarge)
vCenter Client Plugin Logged in as LDAP User (Click to Enlarge)

Which Context Is Best to Use?

Well that is really up to you.  The bottom line is you need to decide WHICH method of access will be used.  For example if the vCloud admins setting up Chargeback will also have vCenter access to the vCenter Management node that Chargeback is registered with the vCenter server maybe the plugin is the best.  If some users will only have certain roles and they do NOT have vCenter access then you will need to configure that LDAP user.  What you probably want to avoid is having both a vCenter Plugin user also configured as an LDAP user.  If you do that user may get confused on the access they have.  Also remember that anything you configure like the vCenter connection and some other attributes configured as a Super User may not be seen by an “Administrator” role.  The user context views can be tricky but hopefully this helps you decide which is best for your organization.

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Previously to this he spent close to a decade working for VMware as a Principal Architect. Previous to his nine plus years at VMware, Chris was a System Administrator that evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products as the accountant, book keeper, and IT Support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although Technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

Leave a Reply

Your email address will not be published. Required fields are marked *