3 Reasons to Use a Service Account in Log Insight

I have been asked a few times when you may consider having a service account for the Log Insight UI. In general, all activities should be done by an individual user with their own individual credentials. Like most systems, I would advise against the use of the default admin account. There are a couple of scenarios though where a service account can be beneficial and I would like to discuss these scenarios in this post.

1. Content Pack Authors

Per the Creating Content Packs documentation, it is recommended to have a dedicated account per content pack being created. The reasons for this recommendation include:

  • An individual user may wish to save non-content pack material in their user space.
  • To make collaboration between users easier when creating a content pack.

2. Shared User Alerts

User alerts, those created on the Interactive Analytics page, are saved in user space. Today, there is no way to share a user alert with other users on the same Log Insight instance. While content packs can contain user alerts, when content pack user alerts are enabled, they are copied into the user space of the user who enables the alert. The problem with user alerts being saved in an individual’s user space is that others, including super admin users, cannot edit another user’s user space. This can result in multiple problems, including a user alert that remains active after a user has left the company or a user alert that spams a large number of people while the user is on vacation. To mitigate this problem, a service account can be created where all user alerts are defined. With this approach, as long as multiple people have the credentials for the service account, multiple people can manage the alerts.

3. Partially Shared Queries

It is common for a single Log Insight instance to be used by multiple different groups within a company. The result is often different data sources that need to be visible to specific groups. Limiting data access is possible via RBAC. One potential problem is that while the data is hidden, the useful queries available from either Shared Dashboards or Content Packs are visible to all users of a Log Insight instance. This potential data leak — not of actual events, but of queries looking for particular events — can be mitigated by creating a service account that specific people can log into and creating “shared” queries under the My Dashboards user space. Since My Dashboards is private to an individual user, only those with the credentials will be able to see the queries and applicable results.

Bonus: Administrative Settings

While separate from user accounts granted access to the Log Insight UI, several administrative settings require entering credentials, including Active Directory, vSphere integration and vRealize Operations Manager integration. If the credentials specified for any of these options expire, then the functionality they provide will be lost until the issue is resolved. For example, in the case of Active Directory, if the binding user credentials expire then users will not be able to log into Log Insight until the issue is fixed. Use of a service account can mitigate these potential problems.

© 2015, Steve Flanders. All rights reserved.
