VCP6-CMA Section 4: Configure and Administer Tenants and Business Groups

Objective 4.1: Create and Manage Business Groups

Describe specific privilege levels for different business group roles

  • Three business group roles exist
  • The Tenant Administrator assigns users to these roles
  • Business Group Manager
    • Can manage catalog items
    • Can manage entitlements
    • Can request and manage items on behalf of users in their group
    • Can create and publish business group specific blueprints
    • Monitor resource usage in a business group
    • Service Architects in IaaS
  • Support User
    • Can request and manage items on behalf of other users within their group
  • Business User
    • Can request and manage their own services

Manage user roles (e.g. Business Group Manager and Support)

  • To manage business group user roles:
    • Log in as a Tenant Administrator
    • Click the Infrastructure Tab
    • Select Groups
    • Select Business Groups
    • From here you have the option to add identity store users to one of three roles:
      • Business Group Managers
      • Support Users
      • Business Users

Assign Active Directory users and groups to business group roles

  • This requires that you have a Native Active Directory or Active Directory Identity store configured for the tenant
  • Log in as a Tenant Administrator
    • Click the Infrastructure tab
    • Click Groups
    • Select Business Groups
    • You now have the option of entering a username/group into the search field for each role
    • Select the desired user or group from the results and click OK

Create and manage machine prefixes

  • Machine prefixes are used to generate the names of provisioned machines
  • Machine prefixes are shared across all tenants
  • Every business group must have a default prefix and every blueprint must have a prefix or use the business group default
  • Fabric Administrators can create machine prefixes
  • Tenant Administrators assign a machine prefix to a tenant when it is created
  • Tenant Administrators can change the machine prefix assigned to a business group
  • To create a new machine prefix:
    • Log in as a Fabric Administrator
    • Click the Infrastructure tab
    • Click Blueprints
    • Click Machine Prefixes
    • Select New Machine Prefix
    • Configure the following fields:
      • Machine Prefix – identifier for provisioned resource (e.g. wwwdev)
      • Number of Digits – Number of digits to include after the machine prefix. These increment by 1 each time a resource is deployed
      • Next Number – This can be 0 to whatever you want
      • Click the green tick
  • You can select a machine prefix from within a business group

Identify and configure custom properties

  • You can use custom properties to add values or override existing or default values for:
    • Machine operating system
    • Virtualization platform
    • Build settings
    • Integration with external systems
  • Custom properties can be marked as required or encrypted
  • Windows guest agent records property values on the provisioned machine in the %SystemDrive%\VRMGuestAgent\site\workitem.xml file
  • Linux guest agent records property values on the provisioned machine in the /usr/share/guagent/site/workitem.xml file
  • Properties can be specified individually, in build profiles or in reservations
  • Custom property order of precedence:
    • Build profile
    • Blueprint
    • Business group
    • Compute resource
    • Reservations
    • Endpoint
    • Runtime
  • vApp order differs
    • Build profile, specified on a vApp component blueprint
    • vApp component blueprint
    • Build profile, specified on a vApp blueprint
    • vApp blueprint
    • Business group
    • Compute resource
    • Reservations
    • Endpoint
    • Runtime specified on a vApp
    • Runtime specified on a component machine
  • Custom properties and values are usually case sensitive
  • Four types of custom property exist
    • Internal
      • Maintained in the DB only & has no effect on the machine
    • Read-Only
      • Implemented on the machine and cannot be changed
    • External
      • Determined when the machine is being created
      • Values must be provided to the proxy agent or guest agent
      • Implemented on the machine but never updated
    • Updated
      • Implemented on the machine and updated through data collection
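
An added example (not part of the original notes, and not VMware code) of how the standard precedence list above resolves to one effective value per property. It assumes VMware's documented rule that a source later in the list overrides the same property from an earlier source; the helper names and sample values are constructed for illustration.

```python
# Added example: resolve effective custom properties by source precedence.
# Order copied from the standard (non-vApp) list in these notes.
# Assumption: a source later in the list overrides an earlier one.
PRECEDENCE = [
    "Build profile", "Blueprint", "Business group", "Compute resource",
    "Reservations", "Endpoint", "Runtime",
]

def resolve(sources):
    """Return {name: (value, winning_source, [sources that were overridden])}."""
    effective = {}
    for source in PRECEDENCE:
        for name, value in sources.get(source, {}).items():
            overridden = []
            if name in effective:
                _, prev_source, prev_overridden = effective[name]
                overridden = prev_overridden + [prev_source]
            effective[name] = (value, source, overridden)
    return effective

def case_collisions(sources):
    """Find property names that differ only by case across sources.

    Names are usually case sensitive, so these are stored as separate
    properties and the intended override does not take place.
    """
    seen = {}
    for source in PRECEDENCE:
        for name in sources.get(source, {}):
            seen.setdefault(name.lower(), set()).add(name)
    return sorted(tuple(sorted(v)) for v in seen.values() if len(v) > 1)

# Constructed sample input: one dict of properties per source.
SAMPLE = {
    "Build profile": {"VirtualMachine.Network0.Name": "dev-net",
                      "VirtualMachine.Admin.ThinProvision": "true"},
    "Blueprint": {"VirtualMachine.Network0.Name": "web-net"},
    "Reservations": {"virtualmachine.network0.name": "res-net"},  # wrong case
    "Runtime": {"VirtualMachine.Admin.ThinProvision": "false"},
}

if __name__ == "__main__":
    for name, (value, source, over) in sorted(resolve(SAMPLE).items()):
        print(f"{name} = {value!r} (from {source}; overrides {over})")
    print("case collisions:", case_collisions(SAMPLE))
```

The reservation entry shows the case-sensitivity pitfall: it does not replace the blueprint's network name but creates a second, differently cased property.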

Objective 4.2: Create and Manage Tenants

Configure branding for the vRealize Automation console

  • System Administrators can configure the default branding for tenants
  • Tenant Administrators can use the default or reconfigure branding
  • Configurable options include:
    • Site logo
    • Background colour
    • Information in the header and footer
  • To configure branding, ensure that you are logged in as a System Administrator or Tenant Administrator
    • Select Administration > Branding
    • Clear the Use Default box
    • Create a banner by uploading an image
    • Click Next
    • Add Copyright information in the copyright notice text box
    • Add a contact link in the contact link text box
    • Click update
  • Each time you make a change, a preview appears at the bottom of the form

Add and configure tenant specific inbound and outbound email notifications

  • Tenant Administrators can add outbound and inbound email servers
  • Each tenant can only have one outbound and inbound server
  • To configure outbound email notifications
    • Log in as a Tenant Administrator
    • Select Administration > Notifications > Email Servers
    • Click Add
    • Select Email – Outbound
    • Click OK
    • Enter a Name
    • Enter a Description
    • Enter the name of the email server
    • Choose the encryption method
      • SSL
      • TLS
      • None
    • Enter the server port
    • If authentication is required, select the require check box
      • Enter a username & password
    • Enter a sender address
    • Choose whether vRA can accept self-signed certificates
      • Only available if you enable encryption
    • Click Test Connection
    • Click Add
  • To configure inbound email notifications
    • Administration > Notifications > Email Servers
    • Add > Email – Inbound > OK
    • Configure the following options
      • Name
      • Description
      • Security (SSL)
      • Protocol
      • Server Name
      • Server Port
    • Enter a folder name for emails
      • Only required if you have selected IMAP server protocol
    • Enter a username & password
    • Enter a reply email address
    • Select delete from server to remove processed emails
    • Choose whether vRA can accept self-signed certificates
      • Only available if you enable encryption
    • Click Test Connection
    • Click Add

Override/revert to system default email servers

  • If the System Administrator has configured global email servers, the Tenant Administrator can choose to override them.
    • Log in as a Tenant Administrator
    • Select Administration > Notifications > Email Servers
    • Select the Inbound / Outbound server
    • Click Override Global & configure as above
  • To revert to the default email servers the Tenant Administrator must select Revert to Global from the configuration of the respective outbound server

Identify and add identity stores in vRealize Automation

  • vRealize Automation supports the following Identity Store types
    • Active Directory
    • Native Active Directory (Only supported for the default tenant)
    • OpenLDAP
  • To add an Identity Store, log in as a Tenant Administrator
    • Select Administration > Identity Stores
    • Click Add
    • Enter a Name
    • Select the Type of Identity Store
    • Complete the following configuration options
      • URL – ldap://x.x.x.x:389
      • Domain – company.local
      • Domain Alias – company
      • Login user DN – DN of a user that has permission to bind to the directory
      • Password – password for the above user
      • Group search base DN
      • User search base DN
    • Click Test Connection
    • Click Add

Create and assign user roles to an identity store group

  • Once you have added an identity store, you can assign roles to groups within it
  • Log in as a Tenant Administrator
    • Select Administration > Users & Groups > Identity Store Users & Groups
    • Enter a group name in the search box
      • group@company.local
    • Click the name of the group to which you want to assign roles
    • Select one of the following roles from the Add Roles to this user list
      • Approval Administrator
      • Release Dashboard User
      • Release Engineer
      • Release Manager
      • Service Architect
      • Tenant Administrator
    • View more information about the group by clicking next – This is optional
    • Click Next
  • Users that are currently logged in to the vRA console must log out and back in before the new permissions take effect