I'm expecting the answer is a firm 'no', but are there any options for configuring RBAC and controlling visibility of the objects Skyline reports on?
The use case: we run a shared vCenter model with at least 3 different tenants. We permission off access to hosts and clusters using top-level datacenter folders, so when each tenant logs in, they only see the assets they are responsible for.
Is there something similar we can do within Skyline? I'd like to grant our tenants access to the Skyline dashboard but I'm unable to do this unless I can 'hide' the assets which they're not meant to see.
Thanks
Alex
Hello,
In your circumstance, where you're using the vCenter Server datacenter object to limit visibility, you do have the capability to limit visibility within Skyline Advisor. However, to accomplish this, you won't use RBAC, but instead multiple Cloud Services Organizations. Focusing on the datacenter object, I'll walk through how you can accomplish this.
TENANT 1:
- Create Cloud Services Organization for TENANT 1.
- Install Skyline Collector virtual appliance for TENANT 1, only add the datacenter object within the Skyline Collector for TENANT 1.
- Add TENANT 1 users to the Cloud Services Organization for TENANT 1, granting access to the Skyline Advisor service role.
TENANT 2:
- Create Cloud Services Organization for TENANT 2.
- Install Skyline Collector virtual appliance for TENANT 2, only add the datacenter object within the Skyline Collector for TENANT 2.
- Add TENANT 2 users to the Cloud Services Organization for TENANT 2, granting access to the Skyline Advisor service role.
TENANT 3:
- Create Cloud Services Organization for TENANT 3.
- Install Skyline Collector virtual appliance for TENANT 3, only add the datacenter object within the Skyline Collector for TENANT 3.
- Add TENANT 3 users to the Cloud Services Organization for TENANT 3, granting access to the Skyline Advisor service role.
What you'll end up with is 3 Cloud Services Organizations, one for each tenant. Additionally, you'll have 3 Skyline Collectors, each with the same vCenter Server added to it, but you'll choose to Collect Only from specific data centers when adding the vCenter Server to the Skyline Collector, for each specific tenant. Within Skyline Advisor, each TENANT will only see information for the data center you have specified within the Skyline Collector.
You'll end up with an architecture that looks similar to this:
Each Cloud Services Organization will have its own Skyline Advisor service. You can then grant access to each Cloud Services Organization (and Skyline Advisor) based upon the Tenant.
Within the Skyline Collector, here is where you choose to Collect only from select data centers.
If you need assistance with this process, please let us know. Thank you.
VMware Technical Marketing Manager
Excellent! Thanks for the detailed response. Makes sense, I can work on this.
We actually have 3 vCenters in linked mode, UK, East Coast and West Coast US. Because of this, I deployed three Skyline collectors anyway, because at the time this was considered best practice for the collectors to pull data only from the same geographic region - I guess this still is the preferred approach? In our case then, with 3 vCenters and 3 tenants, we'd be looking at 9 collectors?
It's no big deal, I can get it done - but I'll likely be putting in a feature request to configure object visibility / permissions within a single cloud services org
Many thanks for your help
Regarding the deployment of 3 Collectors, one in each region (UK, East US, West US), you're 100% correct, we recommend deploying a Collector in each geographically dispersed data center.
Assuming you have 3 tenants in each data center, then yes, you're looking at 9 Collectors. Again, not a huge deal, but obviously, the fewer number of Collectors, the better.
Regarding your feature request to choose additional objects (beyond data centers), or limit the visibility based upon a Cloud Services Org, I have added it for PM review.
Anything more we can do to help, please let us know. Thank you.
VMware Technical Marketing Manager