VMware Cloud Community
twoton
Enthusiast

Use Tenants or Business Groups to Segregate Design Blueprints and Software Components?

Hello-

I have what will hopefully be a quick question... I am in the process of setting up vRA for use in my company's vSphere environment. I work for a specific division, and that division has separate groups, each with their own IT administrators. I would like to set up vRA in such a way that each IT admin can be the master of their own domain, giving them permissions to create their own blueprints, software components, define their own end users, etc., but within the confines of the resource reservations that I define. I originally thought I could do this with a single tenant and separate business groups, but what I am finding is that in order to give the group IT admins permissions to create and edit their own catalog items, they have the ability to see other groups' stuff and in some cases modify it.

For example, if I give the following roles to the IT admin user groups...

- Approval Administrator
- Container Administrator
- Container Architect
- Software Architect

... then each group admin can edit their blueprint/software component designs, but they can also see and activate/deactivate the Services of the other group. Is there something I am missing in order to prevent this from happening, i.e. is it an unnecessary permission that I have granted or a missed setting to hide/isolate the items from showing up to different business groups, or is what I am trying to do not possible without separating out the groups to their own tenant spaces?

Accepted Solutions
jhague
VMware Employee

I think the problem is that the likes of the Architect roles are tenant-wide roles, so it assumes you have that degree of trust within your tenant, and then the business group is more an organisational concept (departmental Sales, Marketing etc.) with more limited isolation. If you have multiple IT departments and you want them to be largely autonomous, able to create blueprints but for them also to be hidden from others, then I think you should be looking at multi-tenancy but keeping the IaaS and Fabric Admin roles within the default tenant so only you are able to add endpoints, create and assign reservations etc.

John Hague http://linkedin.com/in/john-hague | twitter @jhague10 VCIX-DCV | VCP-DCV 3/4/5/6 | VCP6-NV | VCP7-CMA | VCAP7-CMA Design

twoton
Enthusiast

Ok, thanks.  I was starting to think that was the case but hoped to avoid setting up individual tenants.  Good to know for sure though, thanks again!

kallischlauch
Enthusiast

In vRA 6.2 it was possible to create blueprints per BG. In fact they were always down to a single BG, and only when marked as shared can they be seen by others.

For some reason VMware scrapped this in vRA 7 and everything is available to everyone, and you have to go through the cumbersome process of working with multiple tenants.

It is possible with DB hacks to work around it, but to stay supported I had to create 30 tenants. Royal PITA.