Architecting a vRealize Log Insight Solution: vRealize Log Insight Security Design

6.1 Role-Based Access Control
Log messages contain sensitive information about an infrastructure's design; if compromised, they could expose a significant weakness in an organization's security. Securing this information, and limiting access to those who need it to perform specific, authorized job functions, is a key part of any syslog system design. As with any service-provider-based IT platform, do not grant end users access to the vRealize Log Insight infrastructure or to details about its design.
 
vRealize Log Insight supports authenticating users against Active Directory instead of the vRealize Log Insight built-in authentication method. This provides auditable role-based access control by way of group membership, and it also eliminates the need for administrative users to remember additional user names and passwords.
Note: For more information on integrating Active Directory authentication into vRealize Log Insight, see the VMware vRealize Log Insight Administration Guide at https://www.vmware.com/support/pubs/log-insight-pubs.html.
The following is a list of best practices to keep in mind when configuring role-based access control with vRealize Log Insight:
Grant permissions using a privileged account and not a standard login account.
Assign permissions to Active Directory groups, not individual user accounts. Avoid the use of vRealize Log Insight local accounts.
Follow the “principle of least privilege”. Grant permissions only when needed, and provide only the minimum permissions required to meet a group member’s need.
Create new Active Directory groups for vRealize Log Insight users and administrators. Avoid using built-in Windows groups or other existing groups.
Use caution when granting root access to vRealize Log Insight.
When you configure Active Directory authentication in vRealize Log Insight, you must provide credentials for a binding user. VMware recommends using a dedicated Active Directory service account for this binding user. This mitigates problems such as the binding user's credentials expiring or the account being locked out, either of which would prevent any Active Directory user from logging in to the vRealize Log Insight user interface.
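The following PowerShell is an added example, not code from the VMware guide. It creates the dedicated user and administrator groups and the bind service account recommended above, then checks that the bind account is not expired or locked out; it assumes the ActiveDirectory module on a domain-joined host, and the OU, group and account names are placeholders.

```powershell
# Added example (not from the VMware guide). Assumes the ActiveDirectory module
# and sufficient rights to create objects; the OU and names below are placeholders.
Import-Module ActiveDirectory

$OU       = 'OU=LogInsight,DC=example,DC=com'   # placeholder OU
$Groups   = @{
    'LI-Users'  = 'vRealize Log Insight users'
    'LI-Admins' = 'vRealize Log Insight administrators'
}
$BindUser = 'svc-loginsight-bind'               # placeholder service account

# Dedicated security groups instead of built-in or reused Windows groups.
foreach ($name in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $OU)) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
            -GroupCategory Security -Path $OU -Description $Groups[$name]
    }
}

# Dedicated service account for the LDAP bind. The password is read from the
# console so it is never stored in the script, and it is set not to expire so
# the bind does not break on a rotation date.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$BindUser'")) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $BindUser"
    New-ADUser -Name $BindUser -SamAccountName $BindUser -Path $OU `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
        -CannotChangePassword $true `
        -Description 'vRealize Log Insight AD bind service account'
}

# Health check: an expired or locked-out bind account blocks every AD login
# to the Log Insight UI, so report it before users notice.
function Test-LogInsightBindAccount {
    param([string]$SamAccountName = $BindUser)
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties LockedOut, PasswordExpired, Enabled, PasswordNeverExpires
    $problems = @()
    if (-not $u.Enabled)              { $problems += 'account disabled' }
    if ($u.LockedOut)                 { $problems += 'account locked out' }
    if ($u.PasswordExpired)           { $problems += 'password expired' }
    if (-not $u.PasswordNeverExpires) { $problems += 'password will expire' }
    return $problems   # an empty array means the bind account is healthy
}

Test-LogInsightBindAccount
```

Run the check on a schedule and alert on a non-empty result; it catches the lockout and expiry cases the guide warns about before they cause a login outage.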