VCP7-CMA Section 2 Objective 2.3 Create and Manage Business Groups

Configure business groups for a given design


To understand the requirement of a business group you need to understand a little about the vRA fabric. In vRA, infrastructure resources you can perform actions on are called Endpoints (see Objective 3.4) for instance a vCenter is an endpoint because we can provision VMs to it etc. (other endpoints could be AWS, Hyper-V or things like NSX as we can create vxlan portgroups or vRO as we can start workflows)

If you have Multiple vCenter endpoints you may want to group these together in a Fabric Group because the same administrator is likely responsible for all vCenters, a fabric administrator can then be assigned to this fabric group. As you may have a different administrator (or maybe developers) who are responsible for vRO, you may want to group these vRO endpoints in a different Fabric Group so you can assign a different fabric administrator

Once a fabric group is created that contains endpoints (defined as compute resources) a fabric administrator will grant access to these compute resources\endpoints by defining a reservation. The reservation will be specific to a business group and define the relationship between the business group and the compute resource\endpoint within the fabric group. This allows business groups to consume the compute resource\endpoint and allows the Fabric administrator to put a restriction on the amount of endpoint resource that can be consumed by that business group


Catalogue items are also scooped to a business group through entitlements.

The “My Goals”  Wizard lists tasks which are useful to complete before creating a  business group. These can be found under My Goals>Tenant Configuration




We have already created a Directory service that allows us to assign directory users to a business group (in the case of my lab Active Directory LDAP) in Objective 2.2 

We will detail the creation of Custom Groups in Objective 2.4

We will also configure Users & Groups in Objective 2.4

Configuring Branding is not specifically called out in any Objective, and isn’t a requirement for a business group, I will come back and visit this in Objective 2.1 managing tenants.

Adding and configuring a notification provider (specifying an email server) is also not covered in any objective within the exam blueprint but is covered below as business group managers will receive emails from the business group



Adding Notification Providers is done by the Tenant Admin role

To Configure Notification providers click on the link in My Goals>Tenant Configuration>Configure Notification Providers or browse to Administration > Notifications > Email Servers

You will need to set an in going and outgoing email server, my vRA appliance has access to the internet and since I dont have an exchange server i’m using my ISP settings to configure the provider!


Business Groups are created by the Tenant administrator under Administration > Users and Groups > Business Groups.



Custom Properties are covered in Objective 1.1 and can be assigned to a business group.

There’s a good blog here on Active Directory Policies, no need to re-write the wheel!
Add users and groups to appropriate support roles for a given design


A business group must have at least one business group manager, who monitors the resource use for the group and can be the approver for catalog requests.

Lets assume a development team has their own business group, a developer, who will be a business group user, has an entitlement to a catalogue item that allows them to provision a virtual machine to any of the endpoints that the business group (development team) has a reservation too.

The business group manager, who is likely to be the development team manager or team leader, can be set as  an approver of that catalog item request and the virtual machine wont be provisioned until the development team manager has approved the developers request.

It’s good to have this ability to approve requests as only the business group manager has access to monitor resource usage within their business group.

The business group manager will also create and manage entitlements to catalogue items for their business group.

The details of all vRA roles are found on my Objective 2.1 blog

Determine and select the appropriate machine prefix for the business group

Creating machine prefixes is described in Section 5 objective 5.2

Once a machine prefix has been created, you can set the default Business group machine prefix on the infrastructure tab of the Business group. When a virtual machine is provisioned by a user within the business group the default pre-fix will be used to form the VM name based on these settings. This does not stop a different pre-fix from being assigned within a catalogue blueprint & the default business group machine pre-fix can also be changed at any time.

If the pre-fix is changed, it will only affect new Virtual Machines being provisioned and will not change the name of virtual machines that have already been provisioned!


The active directory container option is for WIM provisioning only, if you don’t intend to use WIM Provisioning to build Windows Servers then stick with the Active Directory Policies on the general tab to define the destination OU of provisioned VMs, however for the exam it’s good to know the difference between the two options.

The AD Container option expects an active directory DN name in the form of



VCP7-CMA Section 2 Objective 2.1 Create and Manage Tenants

  • Create a new tenant for a given design

VMware Docs link

Out of the box a default tenant named vsphere.local is created, which is accessed via the https://myvraserver.mydomain.local/vcac/ url. You log into the default tenant using the System Administrator role with the username administrator and the password set for the system administrator account during the installation of vRA.


Once inside the default tenant you will see the default tenant listed under the tenant section, any  new tenants created will also be displayed here.


All new tenants are created inside the default tenant by the system administrator


To create a tenant select new and fill in the details required


click submit and next to proceed to creating a Local User or Users for the new tenant, these local users are specific to the new tenant, you don’t have to create local users at this stage to complete creating the tenant however you wont be able to log into the new tenant if you dont!

If you want to use directory users, you must create the local user(s), assign them/it as tenant and iaas admins, log into the new tenant with the new local user, setup the identity source, log back into the default tenant with the system administrator account, edit the new tenant, add the domain users or groups as the tenant and iaas admins!

Then you will be able to log into the new tenant as a tenant/iaas admin to start the configuration of the new tenant.


Assign the roles of Tenant Administrator and IaaS Administrators if required, you don’t have to assign these roles at this time to finish creating the new tenant, however you wont be able to log into the tenant if you dont assign these roles to a local user. Once you have configured an identify source we can come back into the default tenant and add directory users and\or remove the local user(s) from these groups.


It’s important to understand that privileges of the IaaS administrator role are NOT tenant specific. The IaaS administrator role is System Wide, so even though our new local user “danlab” is specific to the danlab tenant, this user has system wide IaaS privileges.

This is because the Infrastructure Fabric is available to all tenants. Depending on how you want your architecture configured you may want an IaaS administrator per tenant to configure endpoints, and have fabric groups per tenant as shown below


However I would say in the majority of vRA architectures it’s more common to see the below with System Administrator, IaaS Administrator and Fabric roles assigned to members of IT within the default tenant with Tenants then having access to that infrastructure via Fabric Groups

single iaas

  • Create, add, and manage local users

Creating local users for a tenant can be done inside the default tenant by the system administrator as described above.

  • Configure administrative access and describe privilege level differences between roles

There are many Roles within vRA, each role having different privileges. 2 roles are system wide  (System Administrator role and the IaaS Administrator role) and having the following provileges

system wide

The remaining roles are Tenant Specific




tenant 4

I would say learning the differences in these roles is very important for the exam, little more than hands on experience will help you with this. For that that are creating a vRA lab to study, you may want to assign yourself “god” permissions. The only way to do that is to create a custom group

Inside the new Tenant, select Administration>Custom Groups> Create a new custom group, give it a Name, Assign ALL Roles to the group, then on the members tab select your local user (or directory account if you’ve already added a directory service)

Once the account is created, log out of vRA and back in for the permission changes to take affect.


  • Determine the unique URL used to access the tenant

The unique URL is set during the creation of the tenant. When creating my tenant i specified the URL danlab as can be seen below.


So my tenant will be access via


Note that this is different from the default tenant which is accessed via


Assume we created a third tenant named test1 with a URL of test1 and a forth tenant named test2 with a url of test2bob then access would be as follows

default tenant – https://myvraserver.mydomain.local/vcac/

danlab tenant – https://myvraserver.mydomain.local/vcac/org/danlab

test1 tenant – https://myvraserver.mydomain.local/vcac/org/test1

test2 tenant – https://myvraserver.mydomain.local/vcac/org/test2bob