VMware Cloud Community
SeanKohler
Expert

Global Entitlements

Does anybody know if there are any plans/discussions around having an Entitlement that crosses business groups?

In a certain operational model that allows for both self service server requests, but ALSO managed support... there could be a need for a GROUP of people to have the same Resource Actions in every business group.

For example, maybe you have a Windows Engineering team who will support machines in each business group, but won't be doing catalog or service requests.  The way that we have been handling that based on how vRA is set up is to:

1. Have a BASE entitlement for the business group which defines what the BASE AD Group can request, including: Services of Catalog Items and Resource Actions  (we are trying not to use direct Catalog Entitlements)

2. Have another entitlement for a Support Group which has Resource Actions defined (some actions are different than the Base entitlement).

Due to operational constraints in our environment, it is actually 6 such entitlements (1. Base, 2. Cloud Engineering, 3. Windows Engineering, 4. Linux Engineering, 5. Ops Bridge Engineering, and 6. the vRO based vRA-Plugin-Service-Account).

If all 6 types of Entitlement groups need a new action, we have to add it 6 times per business group.  We plan on having 50 business groups.  That is 300 times adding an action and prone to error.

I have automated around the potential for errors and manual effort through a set of defined Element Arrays (of Resource Actions) in vRO and ASD.... so we update ONE array for each Entitlement type and then stamp the defined array across the appropriate business group entitlements, but the reality is that I wouldn't need to do that for the Entitlements that are exactly the same across ALL the business groups  (support teams and service account) IF the product supported what I will call Global Entitlements.  I should be able to create an entitlement of actions for an AD group of users, and then check the business groups where I want that entitlement linked.

I know that is backwards to how the product currently works with entitlements rolling up under a business group.

Thoughts?  Other ways?  Things I am missing?

5 Replies
SeanKohler
Expert

GrantOrchardVMware ... borrowing this from you, sir.

Please visit grantorchard.com (Navigating the vCAC 6.0 Logical Model - grantorchard.com) for the full Logical Model.

entsGrantOrchard.jpg

Desired Update Capability (without detracting from the capabilities of the initial entitlement model)

entsGrantOrchardrevised.jpg

GrantOrchardVMw
Commander

I see what you mean. The entitlement itself is within the context of the BG. Let me see if I can entice one of the PMs in here to respond. Roadmap pieces are typically NDA, so I'm not sure how much info you'll get in the public arena :)

Grant

Grant http://grantorchard.com
SeanKohler
Expert

Lol... thank you.  I will also pull this private through a feature request, but I really want to make sure I am not far off base.  Maybe there is some magical button I am just completely unaware of.  And of course it would be the button right under my nose, because that is always how those things go.  :)

stvkpln
Virtuoso

Our (not very elegant) solution was to create a second entitlement for the support role capability... In my case, there are enough differences between groupings of BGs that it wasn't that much of a stretch that I'd have to do this a few times, because there's only so much adjacency of a person to a set of BGs... It's not ideal, but at the same time, if governance is important to your organization, it's almost better to know exactly who has rights against the provisioning boundary (which, for all purposes of discussion, is the BG, as odd as that may seem).

But, I've made the comment in various channels (and to certain PMs that I'm sure GrantOrchardVMware can guess the who) on one or two other things that irk me something vicious. Lots of vitriol when it comes to permissions on the whole.

-Steve
SeanKohler
Expert


Thanks Steve...

You and I have had prior discussions regarding permissions, I think.

I have some ideas around ways to have a Global Entitlement that is universally implemented but still presented within the current provisioning boundary of the Business Group.  I am going to share those with VMware privately.

I am also trying to play around with writing fully formed entitlement objects into different Business Groups.  I think with .setPriorityOrder(integer), I can:

1. Modify a Golden Entitlement (as a template) in a Golden Business Group.

2. Delete existing Support Entitlement in target business group(s).

3. Write Golden Entitlement into target business groups and set priority. (back to original priority order)

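An added example, not code from this thread or from vRA/vRO: a read-only drift check for the golden-entitlement approach described in the last post, flagging support entitlements whose Resource Actions differ from the template and recording the original priority so it can be restored after a delete-and-rewrite. The data model, business group names and action names are constructed for illustration, and no vRA plug-in calls are used.

```javascript
// Added example: constructed data model only, no vRA/vRO plug-in calls.
// Golden templates: one Resource Action list per support entitlement type.
const GOLDEN = {
  "Ops Bridge Engineering": ["Power On", "Reboot"],
  "Windows Engineering": ["Connect via RDP", "Create Snapshot", "Reboot"],
};

// Constructed current state: business group -> entitlement type -> entitlement.
const CURRENT = {
  "BG-Finance": {
    "Ops Bridge Engineering": { priority: 5, actions: ["Power On", "Reboot"] },
    "Windows Engineering": { priority: 3, actions: ["Create Snapshot", "Destroy", "Reboot"] },
  },
  "BG-HR": {
    // No Ops Bridge entitlement was ever stamped into this group.
    "Windows Engineering": { priority: 2, actions: ["Connect via RDP", "Create Snapshot", "Reboot"] },
  },
};

// Compare one entitlement with its template. "extra" lists rights granted
// beyond the template, which is the governance-relevant direction of drift.
function diffActions(goldenActions, currentActions) {
  const want = new Set(goldenActions);
  const have = new Set(currentActions);
  return {
    missing: goldenActions.filter((a) => !have.has(a)),
    extra: currentActions.filter((a) => !want.has(a)),
  };
}

// Read-only audit: one finding per (business group, type) that differs from
// the template. The original priority is kept so a delete-and-rewrite can
// put the entitlement back in the same position.
function auditDrift(golden, state) {
  const findings = [];
  for (const bg of Object.keys(state).sort()) {
    for (const type of Object.keys(golden).sort()) {
      const cur = state[bg][type];
      const { missing, extra } = diffActions(golden[type], cur ? cur.actions : []);
      if (missing.length || extra.length) {
        findings.push({ bg, type, exists: Boolean(cur),
          restorePriority: cur ? cur.priority : null, missing, extra });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(auditDrift(GOLDEN, CURRENT), null, 2));
```

Running the audit before and after a stamping run shows which business groups were actually changed and whether any entitlement still carries actions outside its template.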