vRealize Operations Manager supports different authentication sources:

These are users maintained within vRealize Operations Manager. Password control is done internally. This is the recommended approach when no central LDAP/AD containing all tenant/customer users is available.

When available LDAP / Active Directory can be used to allow user access. Note that all LDAP sources will be listed at login. Therefore, VMware does not recommend using a per-tenant LDAP source. Instead, have a service provider-based LDAP source.

SAML-based authentication can be used in combination with a supported SSO system. It can be used in a service provider environment, but LDAP is easier to maintain in most cases.

This refers back to users with access to vCenter Server. They can be delegated access to vRealize Operations Manager objects as well. Note that vCenter Server authentication allows users to interact only with vSphere objects. This is not a suggested approach for tenant users. It can, however, be a reasonable approach for operations users.