This post continues from the Operationalize Your World post. Do read it first so you get the context.
A common request among VMware Admins is to give their customers self-service access to their own VMs. The VM Owners should be given a simple portal, where they can easily see all their VMs and their performance. The solution in this blog is inspired by the work done in this video and this paper. We’ve reduced the visibility and supplied a custom dashboard with super metrics.
Naturally, VM Owners do not have access to vSphere, as that’s too deep into the kitchen. We are also not assuming that you have vRealize Automation or vCloud Director in place. So this is just using vR Ops.
- Tenant can only see her own VMs.
- Tenant cannot see the underlying infrastructure. It is both irrelevant and not something you’re comfortable disclosing.
This is what the dashboard looks like. It has a simple ReadMe to guide the tenant.
We’ve added visibility into how the IaaS is serving the VM. Provide that transparency to your customer, and you have a major advantage over the public cloud.
The tenant has very limited access to vR Ops. The following 3 screenshots show what has been removed.
As you can guess, there are 2 parts to the implementation:
- One-time setup.
  - A general setup you do that is applicable to all tenants.
  - You develop your dashboards here.
- Per-tenant work.
  - A tenant-specific setup that you need to do for each tenant.
  - Things like creating an account for that tenant belong here.
Create a role called Tenants. Its purpose is to limit what features a tenant can access.
The tenant needs only 2 permissions, as shown below:
Create a group called Tenants. Only share the “My Virtual Machines” dashboard to this group. As a result, this group can’t see any other dashboards.
Ensure the group Everyone has 0 dashboards.
Its purpose is to limit what objects the tenant can see. To recap, the role limits what features can be seen, while the group limits the objects.
Click Objects, then select the Tenants role (which you created earlier). Do not grant any further access, so none of the object hierarchy is selected.
Create a group type. Call it Tenants. Each tenant will have 1 group and 1 group only.
Download the files. Import the dashboard and super metrics.
Create the Text Widget file and the Resource Kind file. See the screenshot below as a guide. The names have to be identical, and they are case sensitive.
[2 Nov 2016: Thank you Patrick Nganga for spotting that I missed 2 files. There are 4 that you need.]
That’s all you need as the base. All the work below is now per tenant. So if you have 10 tenants, you need to repeat 10x. I know…
Create a group that contains all the VMs of a single tenant. It is best to use the tenant name as the group name. If you organize the VMs properly in vCenter, by using vSphere Tags or Folders, you can take advantage of that. The example below is using a vSphere Folder.
Once created, the group will appear under the Tenants group type. I’ve created 2 examples. Ensure the number of VMs matches what it should be.
Create an account for each tenant. Give it full Administrator access, just temporarily.
Log in using this newly created account. I’d use another browser, as I do not want to log out from my administrator account. Go to Dashboard, select all dashboards except the one you want to show, and remove them from Home. See how it’s done below. Once done, the Visible on Home column will show that they are not shown.
Log out of the tenant account. Or simply close the browser.
Switch back to your administrator account. Remove the tenant’s Administrator privilege, and map the account to the Tenants role, as shown below.
Map the account to the associated group, and only to this group. This limits the visibility. Yes, this is how the “security” is done. I’m not sure if this is honoured by the API, but you can block the tenant ID from accessing via the API.
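One way to settle the question of whether the group scoping is honoured by the REST API is to log in as the tenant account and compare the VMs the API returns with the tenant's group membership. This is an added example, not code from the post; the suite-api endpoint paths, the `vRealizeOpsToken` header and the `resourceList`/`resourceKey` field names are assumptions based on the vR Ops 6.x REST API, and the sample reply is constructed.

```python
import json
import urllib.request

# Assumed vR Ops REST endpoints and token header (not named in the post).
TOKEN_URL = "/suite-api/api/auth/token/acquire"
VMS_URL = "/suite-api/api/resources?resourceKind=VirtualMachine&pageSize=1000"


def acquire_token(base_url, username, password, auth_source="local"):
    """Log in as the tenant account and return its session token."""
    body = json.dumps({"username": username, "password": password,
                       "authSource": auth_source}).encode()
    req = urllib.request.Request(base_url + TOKEN_URL, data=body, method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["token"]


def list_visible_vms(base_url, token):
    """Ask the API, as the tenant, which VMs it is allowed to list."""
    req = urllib.request.Request(base_url + VMS_URL,
                                 headers={"Authorization": "vRealizeOpsToken " + token,
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return vm_names(json.load(resp))


def vm_names(resources_json):
    """Pull the VM names out of a /resources response body."""
    return {r["resourceKey"]["name"] for r in resources_json.get("resourceList", [])}


def check_scope(visible, expected):
    """Compare what the tenant sees with the group you built in vR Ops.
    leaked = VMs outside the tenant's group; missing = members the tenant cannot see."""
    visible, expected = set(visible), set(expected)
    return {"leaked": sorted(visible - expected), "missing": sorted(expected - visible)}


# Constructed sample reply, standing in for a real API response during a dry run.
SAMPLE_RESPONSE = {"resourceList": [
    {"resourceKey": {"name": "tenantA-web01", "resourceKindKey": "VirtualMachine"}},
    {"resourceKey": {"name": "tenantA-db01", "resourceKindKey": "VirtualMachine"}},
    {"resourceKey": {"name": "tenantB-app01", "resourceKindKey": "VirtualMachine"}},
]}

if __name__ == "__main__":
    # Live check: uncomment and fill in the placeholders for your vR Ops host and tenant account.
    # token = acquire_token("https://VROPS-HOST", "tenantA", "PASSWORD")
    # visible = list_visible_vms("https://VROPS-HOST", token)
    visible = vm_names(SAMPLE_RESPONSE)
    print(check_scope(visible, ["tenantA-web01", "tenantA-db01"]))
```

Any name under `leaked` is a VM the tenant should not be able to see through the API, which is the case where blocking the tenant ID from API access matters.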
- A tenant can only have 1 group. The Total is based on a super metric that adds up per group. It cannot add multiple groups, as it does not know which groups to select.
- Alerts are not implemented yet.
- Tenants cannot change the alerts. For example, they cannot change their own thresholds.
Hope you find the material useful. If you do, go back to the Main Page for the complete coverage of SDDC Operations. It gives you the big picture so you can see how everything fits together. If you already know how it all fits, you can go straight to download here.