Ok, so we have the latest ManageIQ out of the box with a vCenter as the sole provider. The plan was to then carve things up using Tenants, so they can solely see their own VMs etc…
Created a Child Tenant/Group and User for “Client” and assigned their group as their VMs’ owner. Logged in as said tenant and can only see their VMs. Great!
However, on playing further, it seems there are a few problems with the permissions:
That client can then no longer see any templates (tried setting these to “no group” as owner).
Similar to this post, but I am already on v2: [SOLVED] Users from a group asigned to a Project/Tenant other than parent tenant can’t see vm/templates. Which makes sense, but there is no way of, say, creating a Public group and assigning that client’s group to also be a member as well as the Project/Tenant.
If their Role has “Resource Pools/Datastores” checked, they can see all resources, not just their own (tried limiting the group to their datastores under group settings/host & clusters, but the tick boxes on their resource groups never seem to save/stay ticked?). Not the end of the world, can just hide them from the user, but something to consider.
As per above, if the role also has the “Access Control” section checked, they can create/edit all users, not just those that belong to that Tenant.
The custom logo disappears for Tenants if I enable that permission. I can see it is still there and ticked to be used, but on Tenant logons it no longer shows.
I believe the Tenant feature is quite new, so all of the above may already be in progress. But I could not find any specific mention, so thought I would post my findings so far.