- Create a new tenant for a given design
Out of the box, a default tenant named vsphere.local is created, which is accessed via the https://myvraserver.mydomain.local/vcac/ URL. You log into the default tenant using the System Administrator role, with the username administrator and the password set for the system administrator account during the installation of vRA.
Once inside the default tenant, you will see the default tenant listed under the tenant section. Any new tenants created will also be displayed here.
All new tenants are created inside the default tenant by the system administrator.
To create a tenant, select New and fill in the details required.
Click Submit and Next to proceed to creating a local user or users for the new tenant. These local users are specific to the new tenant. You don’t have to create local users at this stage to complete creating the tenant; however, you won’t be able to log into the new tenant if you don’t!
If you want to use directory users, you must create the local user(s), assign them as tenant and IaaS admins, log into the new tenant with the new local user, set up the identity source, log back into the default tenant with the system administrator account, edit the new tenant, and add the domain users or groups as the tenant and IaaS admins!
Then you will be able to log into the new tenant as a tenant/iaas admin to start the configuration of the new tenant.
Assign the roles of Tenant Administrator and IaaS Administrator if required. You don’t have to assign these roles at this time to finish creating the new tenant; however, you won’t be able to log into the tenant if you don’t assign these roles to a local user. Once you have configured an identity source, we can come back into the default tenant and add directory users and/or remove the local user(s) from these groups.
It’s important to understand that the privileges of the IaaS administrator role are NOT tenant specific. The IaaS administrator role is system wide, so even though our new local user “danlab” is specific to the danlab tenant, this user has system-wide IaaS privileges.
This is because the Infrastructure Fabric is available to all tenants. Depending on how you want your architecture configured, you may want an IaaS administrator per tenant to configure endpoints, and have fabric groups per tenant, as shown below.
However, I would say that in the majority of vRA architectures it’s more common to see the below, with the System Administrator, IaaS Administrator and Fabric roles assigned to members of IT within the default tenant, and tenants then having access to that infrastructure via Fabric Groups.
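As an added example (not from the original post or from VMware), the following Python audits a constructed tenant inventory for the two conditions described above: an IaaS Administrator assignment made on a non-default tenant, which still carries system-wide reach, and a local user left in an admin role after directory principals were added. The inventory layout and every principal name other than danlab are assumptions made for illustration; this is not a vRA export format.

```python
# Added example: constructed inventory, not a vRA export format.
# Per the post, the IaaS Administrator role is system wide even when it is
# granted to a user that only exists in one tenant.
SYSTEM_WIDE_ROLES = {"IaaS Administrator"}
DEFAULT_TENANT = "vsphere.local"

# tenant -> role -> list of (principal, source); source is "local" or "directory".
# All names except the danlab tenant/user are hypothetical.
TENANTS = {
    "vsphere.local": {
        "Tenant Administrator": [("itops-admins", "directory")],
        "IaaS Administrator": [("itops-admins", "directory")],
    },
    "danlab": {
        "Tenant Administrator": [("danlab", "local"), ("danlab-admins", "directory")],
        "IaaS Administrator": [("danlab", "local")],
    },
    "test1": {
        "Tenant Administrator": [("test1-admins", "directory")],
        "IaaS Administrator": [],
    },
}


def audit(tenants):
    """Return (tenant, principal, role, reason) tuples that need review."""
    findings = []
    for tenant, roles in sorted(tenants.items()):
        for role, holders in sorted(roles.items()):
            has_directory = any(src == "directory" for _, src in holders)
            for name, src in holders:
                # System-wide privilege held by a principal of a non-default tenant.
                if role in SYSTEM_WIDE_ROLES and tenant != DEFAULT_TENANT:
                    findings.append((tenant, name, role,
                                     "system-wide role held from a non-default tenant"))
                # Local user kept in the role although directory principals now hold it.
                if src == "local" and has_directory:
                    findings.append((tenant, name, role,
                                     "local user still assigned alongside directory principals"))
    return findings


if __name__ == "__main__":
    for finding in audit(TENANTS):
        print(" | ".join(finding))
```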
- Create, add, and manage local users
Creating local users for a tenant can be done inside the default tenant by the system administrator as described above.
- Configure administrative access and describe privilege level differences between roles
There are many roles within vRA, each role having different privileges. Two roles are system wide (the System Administrator role and the IaaS Administrator role) and have the following privileges
The remaining roles are tenant specific
I would say learning the differences in these roles is very important for the exam, and little more than hands-on experience will help you with this. For those that are creating a vRA lab to study, you may want to assign yourself “god” permissions. The only way to do that is to create a custom group.
Inside the new tenant, select Administration > Custom Groups, create a new custom group, give it a name, assign ALL roles to the group, then on the Members tab select your local user (or directory account if you’ve already added a directory service).
Once the account is created, log out of vRA and back in for the permission changes to take effect.
- Determine the unique URL used to access the tenant
The unique URL is set during the creation of the tenant. When creating my tenant I specified the URL danlab, as can be seen below.
So my tenant will be accessed via
Note that this is different from the default tenant, which is accessed via
Assume we created a third tenant named test1 with a URL of test1 and a fourth tenant named test2 with a URL of test2bob; access would then be as follows:
default tenant – https://myvraserver.mydomain.local/vcac/
danlab tenant – https://myvraserver.mydomain.local/vcac/org/danlab
test1 tenant – https://myvraserver.mydomain.local/vcac/org/test1
test2 tenant – https://myvraserver.mydomain.local/vcac/org/test2bob