In short: we will create a new role for viewing dashboards, assign this role to the new db-group and create a db-user. The goal is to create a user who is able to log in and see only the assigned dashboards (privilege), which in turn display only the part of the environment this user is entitled to see (access permissions).
We will also need to remove and hide three default dashboards from being assigned to each new user.
1. Creating a role, a group and a local user
In order to create a role, go to Administration -> Access Control -> Roles and hit the + icon:
2. Create a new db-group (user group)
Go to Administration -> Access Control -> User groups and create a group called db-group.
Assign the db-viewer role to this group and select the applicable objects (in my case a vCenter, vcInf-01). You will be able to select objects only after you have checked the "Assign this role to the group" box.
3. Unshare all dashboards shared to "Everyone"
We want to get rid of the dashboards which are shared to "Everyone" by default. Just log in as admin and go to Content -> Dashboards.
3.1 Select and un-share
Select all the shared dashboards (Click + Shift allows you to select multiple entries). In the example below I have 50 dashboards shared to "Everyone" and I will un-share all of them in order to share a specific dashboard later on. You may need to go through multiple pages (as sorting is not implemented in this dialog) and select the shared dashboards on the subsequent pages. Don't forget to press the "Save" button!
3.4 Assign a test dashboard to db-group
Go to Content -> Dashboards and drag and drop the dashboard on the db-group. Save!
5. Log in as db-user01
And surprisingly you will not only see the assigned dashboard but also the three default dashboards (Recommendations, Diagnose and Self Health)
Besides that annoyance, assigning the dashboard and limiting user rights and permissions works as expected. We will get rid of the default dashboards in the next steps.
6. Remove default dashboards (Recommendations, Diagnose and Self Health) for the group
There is a KB article explaining in detail how to get rid of the three default dashboards. Basically it involves two steps: prevent those dashboards from being copied to any new user (on first login) and remove or hide the dashboards from existing users. Both steps have to be done on the command line, so you have to log in to your vR Ops through the console or SSH (SSH has to be enabled first).
http://kb.vmware.com/kb/2133879
6.1 Preventing dashboards to be copied for new users
vrops01-prod:~ # mv /usr/lib/vmware-vcops/tomcat-web-app/webapps/vcops-web-ent/dashboards/ootb/All.json /root/All.json.$(date +%F)
This moves All.json, which holds the default dashboards, to /root and prevents it from being copied at each new user's first login.
6.2 Hiding dashboards from existing groups / users
1) Change to the opscli directory
cd /usr/lib/vmware-vcops/tools/opscli/
2) Run a command:
vrops01-prod:/usr/lib/vmware-vcops/tools/opscli # ./ops-cli.sh dashboard hide group:db-group all
Starting vRealize Operations CLI
2015-12-11 12:28:36,128 Starting command Command: dashboard:hide
2015-12-11 12:28:36,147 Connecting to server
2015-12-11 12:28:40,008 Try to login with maintenanceAdmin
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
2015-12-11 12:28:40,074 Successfully logged in.
2015-12-11 12:28:40,075 Successfully connected to server
2015-12-11 12:28:40,132 Successfully hiden dashboard all for user [db-group]. The configuration transformation will be scheduled in background.
2015-12-11 12:28:40,132 Triggered Command: dashboard:hide
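Steps 6.1 and 6.2 wrapped so that they can be re-run and rolled back. This is an added example, not code from the KB article or from VMware: the function names are hypothetical, the paths and the ops-cli syntax are the ones shown above, and treating the "Successfully hiden dashboard" line as the success signal is an assumption based on the output above.

```shell
#!/bin/sh
# Added example: reversible, re-runnable versions of steps 6.1 and 6.2.
# Function names are hypothetical; override the variables to test elsewhere.
OOTB_JSON="${OOTB_JSON:-/usr/lib/vmware-vcops/tomcat-web-app/webapps/vcops-web-ent/dashboards/ootb/All.json}"
BACKUP_DIR="${BACKUP_DIR:-/root}"
OPSCLI="${OPSCLI:-/usr/lib/vmware-vcops/tools/opscli/ops-cli.sh}"

# 6.1: move All.json aside and print the backup path.
# Idempotent: succeeds silently if the file is already gone and a backup exists.
disable_default_dashboards() {
    backup="$BACKUP_DIR/All.json.$(date +%F)"
    if [ ! -e "$OOTB_JSON" ]; then
        ls "$BACKUP_DIR"/All.json.* >/dev/null 2>&1 && return 0
        echo "All.json missing and no backup in $BACKUP_DIR" >&2
        return 1
    fi
    # Do not overwrite a backup taken earlier the same day.
    [ -e "$backup" ] && backup="$backup.$$"
    mv "$OOTB_JSON" "$backup" && echo "$backup"
}

# Rollback for 6.1: copy the newest backup back, keeping mode and timestamps.
restore_default_dashboards() {
    [ -e "$OOTB_JSON" ] && return 0
    newest=$(ls -t "$BACKUP_DIR"/All.json.* 2>/dev/null | head -n 1)
    [ -n "$newest" ] || { echo "no backup to restore" >&2; return 1; }
    cp -p "$newest" "$OOTB_JSON"
}

# 6.2: hide all dashboards for one group, show the CLI output, and return
# success only if the confirmation line for that group is present
# (assumption: the exit code alone is not relied on).
hide_dashboards_for_group() {
    out=$("$OPSCLI" dashboard hide "group:$1" all 2>&1)
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -qF "Successfully hiden dashboard all for user [$1]"
}
```

On the appliance, run `disable_default_dashboards` once and then `hide_dashboards_for_group db-group` for each restricted group.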