vRealize Automation can be used to create private cloud or hybrid cloud that can be shared by a number of groups within a company.
vRealize Automation has a concept called Tenants that can be used to provide isolation between independent groups in shared cloud environment, where multiple companies, divisions or independent groups are using a common infrastructure fabric, Tenants are useful for isolating the users, resources and services from one tenant from those of other tenants.
A tenant can be compared to an organizational unit. For private clouds a tenant can be a business unit within enterprise. In hybrid clouds it can be a company that subscribes to cloud services from a service provider.
In Multi-Tenant environment each tenant has unique configuration policies that are specific to that tenant. Let’s look as some of the attributes that define a tenant.
- Each tenant has one or more identity stores that are used to authenticate users. These identity stores can be either Active Directory or any Open LDAP directory service.
- The management portal can have its own URL. and the portal can have unique branding specific to that tenant.
- Tenants can also be divided up into smaller organizations called Business Groups.
The default tenant which is created during the vRA deployment is vsphere.local. We can add additional tenants using the system administrator account.
The system administrator can manage system-wide configurations in the default tenant. These configurations include global system defaults for branding and notifications, and monitoring system logs.
Before jumping into tenant configuration lets have a look onto default roles that are available in vRA. vRA offers the below mentioned 3 roles:
System Administrator: This is for performing initial configuration of vRA such as configuring SSO, creating new tenant, setting up AD authentication for default tenant etc.
Infrastructure Administrator: The Infrastructure administrator is responsible for managing endpoints and endpoint credentials, and creating fabric groups.
Tenant Administrator: create custom groups within their own tenant and add both users and groups defined in the identity store to custom groups.
If you want to read more about Roles and permissions I would recommend watching this video
Configure the Identity Stores for the Default Tenant
Each tenant requires at least one identity store. Identity stores can be OpenLDAP or Active Directory. Active Directory in native mode is supported for the default tenant only.
If you have missed earlier posts of this series then I would recommend reading them first before going ahead. You can access the earlier posts from below links:
In this post we will learn how to configure the default tenant.
To start configuring the default tenant open your browser and type URL https://vRA-FQDN/vcac/ and login with user firstname.lastname@example.org
After successful login you will be able to see the default tenant (vsphere.local) under Tenants. To add new tenants to your infrastructure you can click on + button.
In this post I am not creating any new tenant and will be only configuring the default tenant. Click on tenant vsphere.local to edit the settings.
Go to Identity Stores tab and click on + button
1: Enter a name in the Name text box.
2: Select OpenLDAP or Active Directory from the Type drop-down menu. I am using AD in my lab.
3: Enter the URL for the identity store in the URL text box in the format:
4: Enter the domain for the identity store in the Domain text box.
5: (Optional) Enter the domain alias in the Domain Alias text box.The alias allows users to log in by using userid@domain-alias rather than userid@identity-store-domain as a user name.
6: Enter the Distinguished Name for the login user in the Login User DN text box.Use the display format of the user name, which can include spaces and is not required to be identical to the user ID.
For example, cn=Demo Admin,ou=demo,dc=dev,dc=mycompany,dc=com.
7: Enter the password for the identity store login user in the Password text box.
8: Enter the group search base Distinguished Name in the Group Search Base DN text box.
For example, ou=demo,dc=dev,dc=mycompany,dc=com.
9: (Optional) Enter the user search base Distinguished Name in the User Search Base DN text box.
For example, ou=demo,dc=dev,dc=mycompany,dc=com.
10: Click Test Connection.
11: Click Add.
Click on Administrators tab to add tenant admin and infrastructure admin. Type the name in the search box and it will populate with valid choices.
When complete click Update.
To test the assigned role , login to your vRA portal using infrastructure admin and tenant admin credentials.
I created vrainf-adm username in my AD for Infrastructure Admin role and vratenant-adm for Tenant Admin role
My vrainf-adm is able to login to vRA portal successfully.
Now I will test my tenant admin credential.
So both my infra-admin and tenant-admin can login to vRA portal.
We are done with configuring default tenant here.
In Next post of this series we will look into:
Share this post on social media if this post is informational to you. Be Sociable 🙂