Typically in vCD-SP you create an Organization for each tenant/customer and then 1 or more VDCs for each Organization to provide their resources.
In your use-case, where tenants may or may not need to log in, there are a number of ways you could achieve this, the main ones being:
1) Single Organization / 1 VDC - shared by every tenant
2) Single Organization / VDC for each tenant
3) Organization per tenant / 1 (or more) VDCs each
Worth noting that:
- Storage is allocated per VDC, so if you split each tenant into its own Org/VDC you'll need to administer storage allocations for each separately.
- OrgVDC networks can only be shared between VDCs inside a single Organization, so if you need the hosted VMs to share an internal network they need to be in the same Organization.
- External networks can be used by multiple tenants/Organizations (e.g. the 'uplink' interface on your Edges).
You may have issues allowing a customer to administer 'just their own' Edge Gateway in 1) and 2) since the edge gateway roles assignment in the security model will apply to ALL edges in the VDC.
I would also strongly advise you not to do 2): setting security permissions in this scenario will be awkward, since the 'Organizational Administrator' role will see all Org VDCs and you will need to create custom roles to limit scope to a single VDC.
It sounds like the 'best' fit for your requirement would be option 3: if your web team are 'system'-level administrators, they will automatically be able to see and administer all the tenant Organizations and VDCs, but tenants will only ever see their own resources (VMs and Edge Gateway). Doing it this way also allows your tenants to federate access back to their own directory service (e.g. ADFS) if they want to.
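As an added illustration (not part of the post above), a small checker that applies the constraints described there to a proposed layout, so the three options can be compared before anything is built; the tenant names, option layouts and finding labels are constructed examples:

```python
"""Sanity-check a proposed vCD-SP tenancy layout against the rules in the post."""
from collections import defaultdict

# One record per Org VDC: the Organization it belongs to and the tenants it hosts.
# These layouts are constructed examples of options 1), 2) and 3) from the post.
OPTION_1 = [{"org": "shared", "vdc": "shared-vdc", "tenants": {"acme", "globex", "initech"}}]
OPTION_2 = [{"org": "shared", "vdc": f"{t}-vdc", "tenants": {t}} for t in ("acme", "globex", "initech")]
OPTION_3 = [{"org": t, "vdc": f"{t}-vdc", "tenants": {t}} for t in ("acme", "globex", "initech")]

def check_layout(vdcs, edge_self_admin=(), shared_net_groups=()):
    """Return a sorted list of findings for a layout.

    edge_self_admin: tenants that must administer only their own Edge Gateway.
    shared_net_groups: groups of tenants that must share an internal OrgVDC network.
    """
    findings = []
    org_of = {}            # tenant -> Organization
    vdc_of = {}            # tenant -> VDC name
    vdcs_per_org = defaultdict(list)
    for rec in vdcs:
        vdcs_per_org[rec["org"]].append(rec["vdc"])
        for tenant in rec["tenants"]:
            org_of[tenant] = rec["org"]
            vdc_of[tenant] = rec["vdc"]
    # Rule: an Edge Gateway role applies to every Edge in the VDC, so a tenant
    # sharing a VDC with others cannot be limited to 'just their own' Edge.
    for tenant in edge_self_admin:
        others = {t for t, v in vdc_of.items() if v == vdc_of[tenant]} - {tenant}
        if others:
            findings.append(f"edge-scope: {tenant} shares VDC {vdc_of[tenant]} with {sorted(others)}")
    # Rule: OrgVDC networks can only be shared between VDCs of one Organization.
    for group in shared_net_groups:
        orgs = {org_of[t] for t in group}
        if len(orgs) > 1:
            findings.append(f"network: {sorted(group)} span Organizations {sorted(orgs)}")
    # Rule: the Org Admin role sees every VDC in the Org; several VDCs need custom roles.
    for org, names in vdcs_per_org.items():
        if len(names) > 1:
            findings.append(f"role-scope: Org {org} has {len(names)} VDCs, Org Admin sees all")
    # Note: storage is allocated per VDC, so this is how many allocations to administer.
    findings.append(f"storage: {len(vdcs)} VDC allocation(s) to administer")
    return sorted(findings)
```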