VCP7-CMA Section 2 Objective 2.1 Create and Manage Tenants

  • Create a new tenant for a given design

VMware Docs link

Out of the box a default tenant named vsphere.local is created, which is accessed via the https://myvraserver.mydomain.local/vcac/ url. You log into the default tenant using the System Administrator role with the username administrator and the password set for the system administrator account during the installation of vRA.

 

Once inside the default tenant you will see the default tenant listed under the tenant section, any  new tenants created will also be displayed here.

dften

All new tenants are created inside the default tenant by the system administrator

 

To create a tenant select new and fill in the details required

danlabtent

click submit and next to proceed to creating a Local User or Users for the new tenant, these local users are specific to the new tenant, you don’t have to create local users at this stage to complete creating the tenant however you wont be able to log into the new tenant if you dont!

If you want to use directory users, you must create the local user(s), assign them/it as tenant and iaas admins, log into the new tenant with the new local user, setup the identity source, log back into the default tenant with the system administrator account, edit the new tenant, add the domain users or groups as the tenant and iaas admins!

Then you will be able to log into the new tenant as a tenant/iaas admin to start the configuration of the new tenant.

user

Assign the roles of Tenant Administrator and IaaS Administrators if required, you don’t have to assign these roles at this time to finish creating the new tenant, however you wont be able to log into the tenant if you dont assign these roles to a local user. Once you have configured an identify source we can come back into the default tenant and add directory users and\or remove the local user(s) from these groups.

roles

It’s important to understand that privileges of the IaaS administrator role are NOT tenant specific. The IaaS administrator role is System Wide, so even though our new local user “danlab” is specific to the danlab tenant, this user has system wide IaaS privileges.

This is because the Infrastructure Fabric is available to all tenants. Depending on how you want your architecture configured you may want an IaaS administrator per tenant to configure endpoints, and have fabric groups per tenant as shown below

multiiaas

However I would say in the majority of vRA architectures it’s more common to see the below with System Administrator, IaaS Administrator and Fabric roles assigned to members of IT within the default tenant with Tenants then having access to that infrastructure via Fabric Groups

single iaas

  • Create, add, and manage local users

Creating local users for a tenant can be done inside the default tenant by the system administrator as described above.

  • Configure administrative access and describe privilege level differences between roles

There are many Roles within vRA, each role having different privileges. 2 roles are system wide  (System Administrator role and the IaaS Administrator role) and having the following provileges

system wide

The remaining roles are Tenant Specific

tenant1

tenant2

tenant3

tenant 4

I would say learning the differences in these roles is very important for the exam, little more than hands on experience will help you with this. For that that are creating a vRA lab to study, you may want to assign yourself “god” permissions. The only way to do that is to create a custom group

Inside the new Tenant, select Administration>Custom Groups> Create a new custom group, give it a Name, Assign ALL Roles to the group, then on the members tab select your local user (or directory account if you’ve already added a directory service)

Once the account is created, log out of vRA and back in for the permission changes to take affect.

godrole

  • Determine the unique URL used to access the tenant

The unique URL is set during the creation of the tenant. When creating my tenant i specified the URL danlab as can be seen below.

danlabtent

So my tenant will be access via

https://myvraserver.mydomain.local/vcac/org/danlab

Note that this is different from the default tenant which is accessed via

https://myvraserver.mydomain.local/vcac/

Assume we created a third tenant named test1 with a URL of test1 and a forth tenant named test2 with a url of test2bob then access would be as follows

default tenant – https://myvraserver.mydomain.local/vcac/

danlab tenant – https://myvraserver.mydomain.local/vcac/org/danlab

test1 tenant – https://myvraserver.mydomain.local/vcac/org/test1

test2 tenant – https://myvraserver.mydomain.local/vcac/org/test2bob

Tools

3 thoughts on “VCP7-CMA Section 2 Objective 2.1 Create and Manage Tenants

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s