Wednesday, December 17, 2014

vCAC 6: Configuring IaaS-Tenants and Roles

This post continues the series on configuring IaaS. The previous post covered IaaS installation; this one covers tenants and roles.

A tenant is an organizational unit in a vCloud Automation Center deployment. When the system administrator configures single sign-on during the installation of VMware vCloud Automation Center, a default tenant is created. The default tenant includes a built-in system administrator account used to log in to the vCloud Automation Center console. If only one organizational unit is necessary for a deployment, the system administrator can simply configure and use the default tenant.

There is a division between tenant and non-tenant entities. Non-tenanted entities are visible to and
consumable by all tenants. This means that non-tenanted items such as build profiles and reservation
policies can be consumed by tenanted objects, such as blueprints.

To access the default tenant:
1.   Go to https://VCAC_Server_FQDN/shell-ui-app.

2.   Use the system administrator account (administrator@vsphere.local) to create additional tenants,
manage identity sources, and configure system roles.

In a single-tenant deployment, all configuration occurs in the default tenant. The tenant
administrators manage users and groups. The administrators also configure branding, notifications,
business policies, and catalog offerings.

In a single-tenant scenario, the system administrator and tenant administrator roles are typically
assigned to the same person, but the accounts are distinct. The system administrator account is
always administrator@vsphere.local, while the tenant administrator must be a user in one of the
tenant identity stores.

In a multitenant environment the system administrator creates a new tenant for each organization.
Each tenant has a unique URL for accessing the vCloud Automation Center console:
    https://vcac_hostname/shell-ui-app/org/tenant_URL_name
  • Tenant-level configuration for new tenants is segregated from the default tenant.
  • Users with system-wide roles can view and manage configuration across multiple tenants.
A multitenant environment can be deployed in either of the following ways:
  • Default tenant-managed multitenancy
  • Individual tenant-managed multitenancy
Individual Tenant-Managed Multitenancy

In tenant-managed multitenancy, each tenant might have a dedicated infrastructure or use shared
infrastructure. Each tenant has IaaS administrators and fabric administrators that manage resources
for business groups in their own tenant.

Each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory (AD). For a default tenant, you can also use AD in native mode.

System-Wide Roles

System administrator: The system administrator is typically the person who installs vCloud
Automation Center and is responsible for ensuring its availability for other users. 

Infrastructure (IaaS) administrator: The IaaS administrator is responsible for managing
endpoints and endpoint credentials, and for creating fabric groups.

Fabric administrator: A fabric administrator is the administrator of one or more fabric groups.
Fabric administrators manage physical machines and compute resources in their groups, and
manage reservations and reservation policies associated with those resources. 

Tenant roles have responsibilities that are limited to a specific tenant, and cannot affect other tenants
in the system. Tenant roles are of the following types:
Tenant administrators: Tenant administrators are typically the business manager or IT administrator who is responsible for a tenant. Tenant administrators configure vCloud Automation Center according to the needs of their organizations. The responsibilities of tenant administrators include the following:
• User and group management.
• Tenant branding and notifications.
• Business policies such as approvals and entitlements.
• Tracking resource usage by all users in the tenant.
• Initiating reclamation requests for virtual machines.
• Managing business groups and shared blueprints in IaaS.

Approval administrator: An approval administrator has the ability to define approval policies.
These policies can be applied to catalog requests through entitlements that are managed by a
tenant administrator or business group manager.

Service Architect: This is the role designation for the individuals who are responsible for creating
the blueprints for the catalog items that consumers can request from the service catalog.

Business Group Manager: The business group manager is designated by the tenant administrator when creating or editing business groups, and manages one or more business groups. This is typically a line manager or project manager. Business group managers manage catalog items and entitlements for their groups in the service catalog.

• Support user: The support user is a role in a business group. Support users can request and
manage catalog items for other members of their groups. A support user is typically an executive administrator or department administrator.

• Business user: Any user in the system can be a consumer of IT services. Users can request
catalog items from the service catalog and manage their provisioned resources.

• Approver: As part of an approval policy, any user of vCloud Automation Center, for example a
line manager, finance manager, or project manager, can be designated as an approver.
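The scoping rules above (system-wide roles span all tenants, tenant roles stop at their tenant boundary, business group roles stop at their group) can be modelled as a default-deny authorization check. The following is an added example written for this post, not vCAC code or its API; the role and action names are constructed labels, and fabric-group scoping of the fabric administrator is omitted for brevity.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed labels for the three scope levels described in the post.
SYSTEM_ROLES = {"system_admin", "iaas_admin", "fabric_admin"}
TENANT_ROLES = {"tenant_admin", "approval_admin", "service_architect"}
GROUP_ROLES = {"business_group_manager", "support_user", "business_user"}

# Which roles may perform which action, drawn from the responsibilities listed above.
ACTION_ROLES = {
    "create_tenant": {"system_admin"},
    "create_fabric_group": {"iaas_admin"},
    "manage_reservations": {"fabric_admin"},
    "manage_tenant_users": {"tenant_admin"},
    "define_approval_policy": {"approval_admin"},
    "create_blueprint": {"service_architect"},
    "manage_entitlements": {"tenant_admin", "business_group_manager"},
    "request_for_others": {"support_user"},
    "request_catalog_item": {"business_user", "support_user", "business_group_manager"},
}


@dataclass(frozen=True)
class Assignment:
    role: str
    tenant: Optional[str] = None   # required for tenant and group roles
    group: Optional[str] = None    # required for group roles


def assignment_covers(a: Assignment, tenant: Optional[str], group: Optional[str]) -> bool:
    """System-wide roles cover every tenant; tenant roles only their own tenant;
    group roles only their own business group inside their own tenant."""
    if a.role in SYSTEM_ROLES:
        return True
    if a.role in TENANT_ROLES:
        return a.tenant is not None and a.tenant == tenant
    if a.role in GROUP_ROLES:
        return (a.tenant is not None and a.tenant == tenant
                and a.group is not None and a.group == group)
    return False  # unknown role: deny by default


def is_permitted(assignments: Iterable[Assignment], action: str,
                 tenant: Optional[str] = None, group: Optional[str] = None) -> bool:
    allowed = ACTION_ROLES.get(action, set())  # unknown action has no roles, so it is denied
    return any(a.role in allowed and assignment_covers(a, tenant, group) for a in assignments)


def console_url(hostname: str, tenant_url_name: Optional[str] = None) -> str:
    """Default tenant uses /shell-ui-app; other tenants get the /org/<tenant_URL_name> suffix."""
    base = f"https://{hostname}/shell-ui-app"
    return base if tenant_url_name is None else f"{base}/org/{tenant_url_name}"
```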
