vSphere Multitenancy Getting Started?

Hi There-

This may be a silly question but I’m having a hell of a time figuring out what I am supposed to do either via the documentation, forum posts, or just poking around the interface. We have a multi-tenant vSphere environment where groups are given a corresponding resource pool in vSphere. I want to explore some of the ManageIQ options for doing catalog/IaaS type automations that each group can use constrained to their resource poos, datastores, port groups, etc. I have added my entire vCenter server as a resource pool and created a couple child tenants in ManageIQ, but I cannot figure out for the life of me how to assign tenant permissions to vCenter components, i.e. give Tenant A access to Resource Pool A, Datastore A, etc. Am I blind or am I completely thinking about this in the wrong way?

I should add, my very first “easy” task that I decided to try doing was assinging VM “ownership” to a tenant, then setting some of the lifecycle policy stuff like the retirement dates that will trigger and alert owners for renewal and then either power the machine down if the date isnt renewed or allow the end user to renew the lease.

There are probably many ways of doing this, but I’ve used the following method which uses tags for tenancy and RBAC separation. The downside to this method is the overhead of tagging everything, but this can be automated to some extent.

I use 2 tag categories - ‘Visibility’ to determine what a group or tenant can see, and ‘Owner’ to determine who owns what. Visibility has a Single Value of ‘No’ as you probably want to assign this multiple times to various objects, and ‘Owner’ has a Single Value of ‘Yes’ as you probably only want an object like a VM to be owned by one group or person. You create a tag in each category for each tenant or group (depending how granular you want to make the RBAC).

Now you create your tenant groups. I normally create an admin-level equivalent with a role similar to EvmRole-administrator (probably edit this down slightly), and a user-level equivalent with a role similar to EvmRole-user. It’s often easiest to create custom roles based on the out-of-the-box ones to fine-tune what each group can see.

When you create the groups, add them to the appropriate tenant, and then use the ‘Assign Filters’ section to determine what each group can see. Select User is limited to specific tags, and pick Visibility as the category and your tenant or group name as the value.

Now the painful part - you need to find each infrastructure component and tag it accordingly. You probably want to tag some things like templates with all visibility tags, but other things like your resource pools and VMs with only the visibility tag of the intended tenant or group that will access it. The plus side is that tagging can be done from an automate script (and the API), so you can add the appropriate tags at the end of any workflow that creates things like VMs.

There’s a brief description of tenancy in the context of automate here, which shows the tenancy inherited object visibility rules (caveat: this was written for several versions ago, things might have changed).

Also this is a useful description of RBAC in ManageIQ.

Hope this helps.

Awesome, thank you for the info! I had thought that tags might be used in some way but this is very helpful to know that is the way to go.