Multi-Tenancy in vrealize Orchestrator. vrealize Orchestrator 7.4

Similar documents
Using the vrealize Orchestrator Operations Client. vrealize Orchestrator 7.5

Using the Horizon vrealize Orchestrator Plug-In

Migrating vrealize Automation 6.2 to 7.1

Migrating vrealize Automation 6.2 to 7.2

Using the vrealize Orchestrator OpenStack Plug-In 2.0. Modified on 19 SEP 2017 vrealize Orchestrator 7.0

Using vrealize Operations Tenant App for vcloud Director as a Tenant Admin

IaaS Integration for Multi- Machine Services. vrealize Automation 6.2

Using vrealize Operations Tenant App as a Service Provider

VMware vrealize Code Stream Reference Architecture. 16 MAY 2017 vrealize Code Stream 2.3

PostgreSQL Solution 1.1

VMware vrealize Code Stream Reference Architecture. 12 APRIL 2018 vrealize Code Stream 2.4

Advanced Service Design. vrealize Automation 6.2

Using the Horizon vcenter Orchestrator Plug-In. VMware Horizon 6 6.0

Using the vcenter Orchestrator Perspectives Plug-In

IaaS Integration for Multi-Machine Services

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4

vrealize Automation Management Pack 2.0 Guide

Using the VMware vrealize Orchestrator Client

vsphere Upgrade Update 2 Modified on 4 OCT 2017 VMware vsphere 6.0 VMware ESXi 6.0 vcenter Server 6.0

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Introducing VMware Validated Design Use Cases

AppDefense Getting Started. VMware AppDefense

vcenter Server Installation and Setup Modified on 11 MAY 2018 VMware vsphere 6.7 vcenter Server 6.7

Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1

Foundations and Concepts. 20 September 2018 vrealize Automation 7.5

vcenter Server Installation and Setup Update 1 Modified on 30 OCT 2018 VMware vsphere 6.7 vcenter Server 6.7

vsphere Installation and Setup Update 2 Modified on 10 JULY 2018 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

Installing and Configuring vcloud Connector

Installing and Configuring VMware vrealize Orchestrator

Foundations and Concepts

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5

Installing and Configuring vcenter Multi-Hypervisor Manager

vsphere Upgrade Update 1 Modified on 4 OCT 2017 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

Foundations and Concepts. 04 December 2017 vrealize Automation 7.3

Introducing VMware Validated Design Use Cases. Modified on 21 DEC 2017 VMware Validated Design 4.1

vsphere Replication for Disaster Recovery to Cloud vsphere Replication 8.1

Foundations and Concepts. vrealize Automation 7.0

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline 1.4

Using the vrealize Orchestrator Plug-In for vrealize Automation 7.0. vrealize Orchestrator 7.0

VMware vfabric Data Director Installation Guide

vrealize Operations Compliance Pack for PCI

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

vcloud Director Administrator's Guide

vsphere Replication for Disaster Recovery to Cloud

IaaS Integration for HP Server Automation. vrealize Automation 6.2

Image Management for View Desktops using Mirage

vcloud Director User's Guide

vsphere Update Manager Installation and Administration Guide 17 APR 2018 VMware vsphere 6.7 vsphere Update Manager 6.7

Using the vcenter Orchestrator Plug-In for vcloud Director 1.0

VMware vcloud Air User's Guide

Introducing VMware Validated Designs for Software-Defined Data Center

Tenant Administration. vrealize Automation 6.2

Using the vrealize Orchestrator Plug-In for vrealize Automation 7.0. vrealize Orchestrator 7.0 vrealize Automation 7.0 vrealize Automation 7.

Introducing VMware Validated Designs for Software-Defined Data Center

vsphere Replication for Disaster Recovery to Cloud vsphere Replication 6.5

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Installing and Configuring vrealize Automation for the Rainpole Scenario. 12 April 2018 vrealize Automation 7.4

vcloud Director Administrator's Guide

Microsoft Intune App Protection Policies Integration. VMware Workspace ONE UEM 1811

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Platform Services Controller Administration. Update 1 Modified 03 NOV 2017 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

VMware Mirage Web Manager Guide

Installing and Configuring VMware vrealize Orchestrator

vrealize Operations Management Pack for NSX for Multi-Hypervisor

Using the vcenter Orchestrator Plug-In for vcloud Director 5.5. vrealize Orchestrator 5.5

Developing and Deploying vsphere Solutions, vservices, and ESX Agents. 17 APR 2018 vsphere Web Services SDK 6.7 vcenter Server 6.7 VMware ESXi 6.

vrealize Code Stream Trigger for Gerrit

vrealize Production Test Upgrade Assessment Guide

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware vrealize Orchestrator. vrealize Orchestrator 7.3

VMware vfabric Data Director Installation Guide

Developing and Deploying vsphere Solutions, vservices, and ESX Agents

Request Manager User's Guide

vcenter Server Appliance Configuration Update 1 Modified on 04 OCT 2017 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

vcloud Director User's Guide

VMware Adapter for SAP Landscape Management - Release Note VMware Adapter for SAP Landscape Management

Advanced Service Design

Migration. 22 AUG 2017 VMware Validated Design 4.1 VMware Validated Design for Software-Defined Data Center 4.1

IaaS Configuration for Cloud Platforms. vrealize Automation 6.2

vrealize Infrastructure Navigator Installation and Configuration Guide

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

VMware vcenter AppSpeed Installation and Upgrade Guide AppSpeed 1.2

Installing and Configuring vcenter Support Assistant

Developing and Deploying vsphere Solutions, vservices, and ESX Agents

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Getting Started with VMware Cloud Assembly. 27 August 2018 VMware Cloud Assembly

VMware vrealize Configuration Manager SQL Migration Helper Tool User's Guide vrealize Configuration Manager 5.8

Workspace ONE UEM Certificate Authority Integration with Microsoft ADCS Using DCOM. VMware Workspace ONE UEM 1811

vsphere Replication for Disaster Recovery to Cloud

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline Collector 2.0

IaaS Configuration for Cloud Platforms

AirLift Configuration. VMware Workspace ONE UEM 1902 VMware Workspace ONE AirLift 1.1

vcloud Automation Center Reference Architecture vcloud Automation Center 5.2

vrealize Operations Management Pack for NSX for vsphere 2.0

vcloud Director User's Guide

vrealize Orchestrator Load Balancing

Transcription:

Multi-Tenancy in vrealize Orchestrator vrealize Orchestrator 7.4

Multi-Tenancy in vrealize Orchestrator You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to docfeedback@vmware.com VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com Copyright 2008 2018 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2

Contents 1 Multitenancy in VMware vrealize Orchestrator 4 Overview of Multitenancy in vrealize Orchestrator 4 2 Enabling Multitenancy in vrealize Orchestrator 5 Enable vrealize Orchestrator Multitenancy 5 3 Tenant Isolation in vrealize Orchestrator 6 Isolation of Access Rights in a Multitenant Orchestrator Environment 7 4 Comparison of Single-Tenant and Multitenant Orchestrator Deployments 9 5 Managing Legacy Custom Content 10 Isolate Legacy Custom Content 10 VMware, Inc. 3

Multitenancy in 1 VMware vrealize Orchestrator Multitenancy VMware vrealize Orchestrator provides general information about the multitenant architecture introduced in VMware vrealize Orchestrator 7.4. Intended Audience This information is intended for the vrealize Automation system administrator, tenant administrators, and Orchestrator administrators. Overview of Multitenancy in vrealize Orchestrator vrealize Orchestrator 7.4 introduces a multitenant architecture where multiple vrealize Automation tenants can share a single external or embedded vrealize Automation instance. A tenant is an organizational unit in a vrealize Automation deployment. vrealize Orchestrator 7.4 introduces a multitenant architecture where multiple vrealize Automation tenants can share a single external or embedded vrealize Orchectration instance. This is the vrealize Automation instance that Orchestrator uses as an authentication provider. For more information about multitenancy in vrealize Automation, see Tenancy and User Roles in Preparing and Using Service Blueprints in vrealize Automation. The multitenancy feature in vrealize Automation is disabled by default to preserve backwards compatibility and because enabling it brings a major change to the user experience with the product. If you enable multitenancy in vrealize Orchestrator you cannot safely disable it after that. Note Only vrealize Automation authentication is supported when Multitenancy is enabled. VMware, Inc. 4

Enabling Multitenancy in 2 vrealize Orchestrator You can enable multitenancy only when Orchestrator is configured to use vrealize Automation as an authentication provider. Multitenancy is disabled by default. Enable vrealize Orchestrator Multitenancy Upgraded instances and new vrealize Orchestrator installations are configured to run in a single-tenant mode. To run Orchestrator in a multitenant mode, you must enable it explicitly. Note Turning multitenancy on is an irreversible change. Do not enable it if you are not aware of the purpose of the feature. Procedure 1 Log in to the Orchestrator Appliance Linux console as root. 2 Stop the Orchestrator server service and the Control Center service. service vco-server stop && service vco-configurator stop 3 Navigate to the /var/lib/vco/tools/configuration-cli/bin directory. cd /var/lib/vco/tools/configuration-cli/bin 4 To enable the multitenancy feature, run the vro-configure.sh script../vro-configure.sh enable-multi-tenancy 5 Start the Orchestrator server service and the Control Center service. service vco-server start && service vco-configurator start You successfully enabled the multitenancy feature in vrealize Orchestrator. VMware, Inc. 5

Tenant Isolation in 3 vrealize Orchestrator The Orchestrator multitenancy feature provides a certain level of isolation between tenants. After enabling multitenancy, the objects that Orchestrator manages split into a system scope and a tenant-specific scope. These objects are workflows, actions, packages, configurations, categories, policies, policy templates, tasks, workflow runs, and others. System Scope System scope is the semantic space that holds all the Orchestrator content that is shared between all tenants. The system content includes the following items: All objects included in the default Orchestrator plug-ins. Custom objects created before enabling the multitenancy feature. Objects created by the vrealize Automation system administrator. Predefined automation content (workflows, actions and other) that are managed by the system tenant and available for reading and invoking by all non-system tenants. Tenants have a read-only access to this content and cannot create, modify, or delete any system-scope objects. Tenant-Specific Scope Tenant-specific objects are associated with the tenant that created them. These objects can be workflows, actions, policies, policy templates, resources and others. Tenants can edit or delete content if they created it. They can run and view system content and their own tenant-specific content. Tenants cannot view, edit, or delete system scope objects or objects created by other tenants. Orchestrator Plug-Ins in a Multitenant Environment vrealize Orchestrator 7.4 does not support multitenancy of the Orchestrator plug-ins and plug-in inventory objects. Objects that belong to the plug-in inventory are a part of the system scope. Note Objects, such as endpoints and inventory items, that you create by running workflows from the plug-in library are visible and accessible by all tenants. VMware, Inc. 6

Multi-Tenancy in vrealize Orchestrator Resource Allocation The Orchestrator server resources, such as CPU, memory, storage, network bandwidth, database space, maximum number of workflow runs, thread pools, and others are shared between all tenants. If one of the tenants reaches the limit of the allocated resources, all other tenants that use the same Orchestrator instance are affected. Security The security isolation between tenants in vrealize Orchestrator 7.4 uses the system administrator and tenant administrator user roles as they are defined in vrealize Automation. For more information about user roles in vrealize Automation, see User Roles Overview in Preparing and Using Service Blueprints in vrealize Automation. Note The vrealize Automation system administrator must be a member of the Orchestrator administrators group that you enter in the Admin group text box when you configure the authentication provider in Control Center. User permissions that are configurable from the Orchestrator client do not correspond to any of the vrealize Automation user roles. You must configure them explicitly for a particular user or a group. For more information about setting user permissions, see Using the VMware vrealize Orchestrator Client. Isolation of Access Rights in a Multitenant Orchestrator Environment When multitenancy is enabled, the system administrator and the tenant users have different privileges to manipulate objects in Orchestrator. These privileges depend on whether the objects belong to the system scope or to a tenant-specific scope. VMware, Inc. 7

Multi-Tenancy in vrealize Orchestrator Table 3 1. Isolation Between Tenants Role System Content Tenant A Content Tenant B Content System Administrator and restore system-scope objects Run system workflows Monitor the runs of the workflows that the system administrator started Note Unless the account designated as a system administrator is also an administrator of one of the existing tenants, the system administrator cannot access or manipulate any tenant-specific content. Tenant A Administrator View system content Run system workflows Monitor system workflows started by any Tenant A user and restore objects that belong to Tenant A Run Tenant A workflows Monitor the runs of Tenant A workflows started by any Tenant A user Users from Tenant A cannot access any objects created by Tenant B users, except for the resources Tenant B users create by running workflows from the plug-in library. Tenant B Administrator View system content Run system workflows Monitor system workflows started by any Tenant B user Users from Tenant B cannot access any objects created by Tenant A users, except for the resources that Tenant A users create by running workflows from the plug-in library. and restore objects that belong to Tenant B Run Tenant B workflows Monitor the runs of Tenant B workflows started by any Tenant B user Solution User and restore system-scope objects and restore objects that belong to Tenant A and restore objects that belong to Tenant B Run system workflows Run Tenant A workflows Run Tenant B workflows VMware, Inc. 8

Comparison of Single-Tenant and Multitenant Orchestrator Deployments 4 Since version 7.4, Orchestrator can work in a single-tenant mode or a multitenant mode according to the business needs and demands. Single-Tenant Deployment Unless the multitenancy feature is enabled, Orchestrator works in a single-tenant mode. This means that all objects that form the Orchestrator content and runtime are shared between all users. You set different levels of permission on an object to limit the access that different users or user groups can have to the object. For more information about setting user permissions, see Using the VMware vrealize Orchestrator Client. Multitenant Deployment When multitenancy is enabled, the tenant-specific objects in Orchestrator are isolated between the vrealize Automation tenants and from the system-scope objects. Tenant users can see the tenantspecific content by logging in to the Orchestrator client with their user name, password, and tenant ID. Note The objects from the plug-in inventory are not multitenant. These objects are part of the system scope. VMware, Inc. 9

Managing Legacy Custom 5 Content After you enable the multitenancy feature in vrealize Orchestrator, all the existing objects become system-scope objects. Similarly to the objects and resources that are included in the Orchestrator platform out of the box, the custom objects that you created before enabling multitenancy are shared between all tenants in a readonly mode and only the system administrator can modify or delete them. Isolate Legacy Custom Content If you want to prevent the custom content from becoming a system-scope content, you can export the custom objects and resources as a package and delete them from the Orchestrator server before enabling the multitenancy feature. After enabling multitenancy, you can import these objects to a particular tenant or tenants. Note You can import the same package to multiple tenants independently. You cannot import to a tenant a package that exists in the system scope and you cannot import to the system scope a package that exists as a tenant-specific content. Prerequisites Verify that multitenancy is not enabled on your vrealize Orchestrator 7.4. Procedure 1 Log in to the Orchestrator client as an administrator. 2 Create a package for export. See Create a Package. 3 Export the package. See Export a Package. 4 Delete the exported package from the Orchestrator server. See Remove a Package. 5 Enable multitenancy. See Enable vrealize Orchestrator Multitenancy. VMware, Inc. 10

Multi-Tenancy in vrealize Orchestrator 6 Log in to the Orchestrator client as a tenant administrator to import the package to the particular tenant. 7 Import the package. See Import a Package. VMware, Inc. 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback