VMware Cloud Community
kallischlauch
Enthusiast

vRA7: How to hide Blueprints from other Business groups

I created several Blueprints as Tenant admin.

When I create a new Business Group the Business Group Manager can see (and consume) all Blueprints. Is there a way to restrict this?

I'm afraid the Business Group admins will not be able to cope with a real environment where there might be hundreds of blueprints total.

Further, if the security department creates a blueprint, any BG admin gets to see this blueprint (and can possibly deploy it in their own environment).

I was hoping that I can assign service catalogs to the BG, so the admin can only pick from them?

Are there any better ideas? I was thinking of using custom properties. But I couldn't find a way to make a Blueprint non-shared.

I'm sure I'm overlooking a key functionality here. I think in vRA6.2 the Blueprint had a 'share' option that I seem to miss in vRA7.

Kalli

4 Replies
skoch
Enthusiast

If I'm understanding what you're trying to do then this can be done through entitlements. You can create entitlements for each BG and then select what services, catalog items or actions you'd like them to have access to.

kallischlauch
Enthusiast

Thanks for the response. I can use entitlements to restrict BG users. So as BG manager I can define that User-A can only use this service, this catalog item and those actions.

But nothing restricts the BGM.

If I create a new Business group and assign a user as BG admin, this user can assign any blueprint from the tenant to himself or anyone else in this business group.

How can I restrict that as tenant admin or at any other level? I don't want BA teams to be able to deploy all Blueprints from 'finance' and Tech support the ones from the infosec team?!

I think in 6.2 only 'shared' blueprints can be used outside that BG (can't check on that anymore). But in 7 I cannot find the option to unshare a blueprint.

I can't seem to find a way to mark a Blueprint as 'this BG only' or nail it to a specific BG using custom properties or similar.

I've tried creating blueprints as different users etc. But no matter what I do, any BGM has full access over _all_ blueprints in the same tenant.

sascha_milic
Hot Shot

Hi,

Attached is an example from my environment. I did it the un-recommended way, changing the DB directly, but following the API link (should work too 🙂)

http://pubs.vmware.com/vra-70/index.jsp?topic=%2Fcom.vmware.vra.restapi.doc%2Fdocs%2Fcatalog-server-...

Navigate to /api/catalogItems/{id} and have a look at HTTP PUT methods and the Request Body which includes the SubTenant ID field.

SubTenant = Business Group
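
An added example, not part of the original post and not VMware's code: an offline audit over catalog item records that lists the items with no SubTenant ID (visible to every business group) and builds the PUT to `/api/catalogItems/{id}` that pins one to a single business group. The `organization`/`subtenantRef` field layout, the item IDs and the group IDs are assumptions and constructed sample data; check the request body in the API documentation linked above.

```python
import copy
import json

# Constructed sample records. The "organization"/"subtenantRef" layout is an
# assumption standing in for the SubTenant ID field of the real request body.
SAMPLE_ITEMS = [
    {"id": "item-0001", "name": "Finance DB",
     "organization": {"tenantRef": "corp", "subtenantRef": None}},
    {"id": "item-0002", "name": "InfoSec Scanner",
     "organization": {"tenantRef": "corp", "subtenantRef": "bg-infosec"}},
    {"id": "item-0003", "name": "Legacy Web"},  # no organization block at all
]


def subtenant_of(item):
    """Return the business group (SubTenant) ID an item is pinned to, or None."""
    return (item.get("organization") or {}).get("subtenantRef") or None


def tenant_wide_items(items):
    """Items with no SubTenant ID: visible to every business group in the tenant."""
    return [i for i in items if subtenant_of(i) is None]


def scope_to_business_group(item, subtenant_id):
    """Build (path, body) for the PUT that pins an item to one business group.

    The input record is left untouched so it can be kept for rollback.
    """
    if not subtenant_id:
        raise ValueError("a SubTenant (business group) ID is required")
    current = subtenant_of(item)
    if current not in (None, subtenant_id):
        # Refuse to silently move an item between business groups.
        raise ValueError(f"{item['id']} is already scoped to {current}")
    body = copy.deepcopy(item)
    org = body.get("organization") or {}
    org["subtenantRef"] = subtenant_id
    body["organization"] = org
    return f"/api/catalogItems/{item['id']}", body


if __name__ == "__main__":
    for item in tenant_wide_items(SAMPLE_ITEMS):
        print("tenant-wide:", item["id"], item["name"])
    path, body = scope_to_business_group(SAMPLE_ITEMS[0], "bg-finance")
    print("PUT", path)
    print(json.dumps(body, indent=2))
```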

kallischlauch
Enthusiast

Hey Sascha,

Thanks for the info, it's good to know. It comes too late as I'm almost through the procedure to create a tenant for each of my Business Groups. You have no idea what kinda PITA this is going to be (having to manage this).

All of this only because there's a check-box missing for a functionality that was there and still is there according to your screenshot.

It's infuriating ... but thanks for sharing!!!

Kalli
