Objective 2.1: Create and Manage Tenants
Knowledge
· Create a new tenant for a given design
Log onto the default tenant (https://vraapp/vcac/org/vsphere.local) and log in with the administrator@vsphere.local account that you created during the vRA deployment, then click New +.
· Create, add, and manage local users
From the same interface, you can select an existing tenant and choose to create new local users for it; very useful to ensure a back-door (get-out-of-jail-free) user access, and required for the initial configuration of the tenant… You should use an AD account for day-to-day operations. See above – done as part of the new tenant creation.
· Configure administrative access and describe privilege level differences between roles
A tenant administrator configures:
  o Branding
  o User and group roles
  o Actions
  o Tenant machines & reclamations
  o vRO
  o Blueprints
  o Messageboard
· An IaaS administrator configures:
  o Endpoints
  o Fabric Groups
  o AWS Instance types
  o Proxy Agents
  o IaaS licensing
  o Logging
After the tenant is configured (i.e., your tenant admin and IaaS admins have done their work), you have the following roles:
· Service Architect
  o Create XaaS
  o Create custom actions
  o Define custom resource types
· XaaS Architect
  o Blueprints (limited access)
  o Create and publish XaaS services
  o Create, update and publish services, catalog items and actions
· Infrastructure Architect
  o Blueprint design (create, access GUI, publish, view, etc.)
  o Use reservation policies
  o Manage VM templates
· Software Architect
  o Blueprint design (create, access GUI, publish, view, etc.)
· Approval Administrator
  o Access my tenant administration GUI
  o Edit approval policy
· Container Administrator (new with 7.2)
  o Manage container hosts
  o Manage container placements
· Application Architect
  o Blueprint design (create, access GUI, publish, view, etc.)
· Catalog Administrator
  o Create, update and publish services, catalog items and actions
· Support User
  o Not a role – but can perform functions on behalf of other users (i.e., machine provisioning and management).
· Determine the unique URL used to access the tenant
https://vraapp/vcac/org/tenantURL (so in the above example, /vcac/org/engineering)
But who can see what?
· Design tab = role has ‘Architect’ in the title
· Administration = everyone except users & architects (excluding the Infrastructure Architect)
· Infrastructure = IaaS Administrator and Tenant Administrator (the two that are created at the start
Objective 2.2: Create and Manage Directories
Knowledge
· Create and manage LDAP directory for Active Directory in vRealize Automation
Administration > Directories Management > +
You can only use a single ‘Integrated Windows Authentication’ directory; the rest of the time it must be AD over LDAP. Sync Connector = the vIDM… usually your vRA appliance unless you’ve distributed it.
Bind DN = the user account used for AD syncing.
Password changing = new in vRA 7.2.
· Create and manage Windows Integrated Authentication Directory in vRealize Automation
Can only be used on one tenant; usually the default.
· Determine and configure appropriate user and directory binding details
Click on ‘Sync Settings’. This will allow you to choose the users and groups that you include in the synchronisation.
· Evaluate directory synchronization health and troubleshoot issues
Click on Sync Log, which will show you the most recent sync (you can check the schedule from the first tab of ‘Sync Settings’, ‘Sync Frequency’).
The number below Alerts is a hyperlink.
Objective 2.3: Create and Manage Business Groups
Knowledge
· Configure business groups for a given design
Administration > Users & Groups > Business Groups > +…
It’s difficult to say how to configure something ‘given a design’ without being given a design…
Add users as required:
Business Group Managers = create services, entitlements and approvals
Support role = manage catalog items on behalf of other users
User role = consumer of the service
Then on the Infrastructure tab, choose the default machine prefix. This is predefined from Infrastructure > Administration > Machine Prefixes.
· Add users and groups to appropriate support roles for a given design
See the point above – a BG can be modified to change the Business Group Managers, support roles or user roles after being deployed.
· Determine and select the appropriate machine prefix for the business group
As mentioned above – and again, this can be changed after creation of a BG.
Objective 2.4: Manage User and Group Role Assignments
Knowledge
· Explain the roles available to vRealize Automation and vRealize Business
Roles available to vRA are listed in Section 2.1.
vRB roles:
  o Business Management Administrator = view and update cost info
  o Business Management Read Only = view details but not update cost info
  o Business Management Controller = view assigned tenant details but not perform other admin
  o Tenant admin having the Business Management Administrator role = all tasks; managing connections (+ public cloud), updating the reference DB, etc.
· Assign roles to individual users for a given design
Depending on the design… For IaaS Administrators and Tenant Administrators, use https://vraapp/vcac/org/vsphere.local and add them to the tenant config.
For others, use custom groups and assign roles using that mechanism (see point two below).
· Assign roles to directory groups for a given design
Depending on the design… For IaaS Administrators and Tenant Administrators, use https://vraapp/vcac/org/vsphere.local and add them to the tenant config.
For others, use custom groups and assign roles using that mechanism (see point below).
· Create vRealize Automation custom groups and assign roles
Administration > Users & Groups > Custom Groups > +
Don’t create a single group with every role in it at this stage – it’ll be a headache to re-engineer it later on. Create separate groups & add users in now (more work upfront but straightforward later on).
Under ‘Members’, you can add both groups and users (but add groups to avoid having to come here too often).
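The two rules of thumb in these notes, the “who can see what” tab rules from Objective 2.1 and the “one role per custom group, groups rather than users as members” advice above, are easy to encode so they can be checked before a tenant goes live. The script below is an added example, not part of the original notes and not a vRA API: role and tab names follow the notes, the `Business Group User` name, the `user:`/`group:` member prefixes and the sample groups are constructed for illustration, and Support User is treated as a user-type role because the notes say it is not a role in its own right.

```python
"""Encode the vRA 7.x tab-visibility rules and custom-group advice from
these study notes as checkable functions (added example, not vRA code)."""

from typing import Dict, List

# Roles the notes lump together as "users" (consumers of the catalog).
# Support User is "not a role" per the notes, so it gets user treatment.
USER_ROLES = {"Business Group User", "Support User"}

# The two roles created with the tenant in Objective 2.1.
TENANT_SETUP_ROLES = {"Tenant Administrator", "IaaS Administrator"}


def visible_tabs(role: str) -> List[str]:
    """Return the tabs a role can see, per the notes' rules:
    Design         = any role with 'Architect' in the title
    Administration = everyone except users and architects, with the
                     Infrastructure Architect as the stated exception
    Infrastructure = IaaS Administrator and Tenant Administrator only
    """
    is_architect = "Architect" in role
    tabs = []
    if is_architect:
        tabs.append("Design")
    excluded_from_admin = role in USER_ROLES or (
        is_architect and role != "Infrastructure Architect"
    )
    if not excluded_from_admin:
        tabs.append("Administration")
    if role in TENANT_SETUP_ROLES:
        tabs.append("Infrastructure")
    return tabs


def check_custom_groups(groups: Dict[str, Dict[str, list]]) -> List[str]:
    """Lint custom groups against the notes' advice: one role per group,
    and directory groups rather than individual users as members.
    `groups` maps group name -> {"roles": [...], "members": [...]};
    members are strings written as 'user:<name>' or 'group:<name>'
    (constructed convention for this example)."""
    findings = []
    for name, spec in groups.items():
        roles = spec.get("roles", [])
        if len(roles) > 1:
            findings.append(
                f"{name}: carries {len(roles)} roles ({', '.join(roles)}); "
                "split into one custom group per role"
            )
        users = [m for m in spec.get("members", []) if m.startswith("user:")]
        if users:
            findings.append(
                f"{name}: has {len(users)} direct user member(s); "
                "add directory groups instead"
            )
    return findings


# Constructed sample: one group done as the notes recommend, one done badly.
SAMPLE_GROUPS = {
    "vRA-Tenant-Admins": {
        "roles": ["Tenant Administrator"],
        "members": ["group:CORP\\vra-tenant-admins"],
    },
    "vRA-Everything": {
        "roles": ["Tenant Administrator", "IaaS Administrator", "Software Architect"],
        "members": ["group:CORP\\vra-admins", "user:CORP\\jsmith"],
    },
}

if __name__ == "__main__":
    for role in ("Tenant Administrator", "IaaS Administrator", "Software Architect",
                 "Infrastructure Architect", "Approval Administrator", "Business Group User"):
        print(f"{role:26s} -> {', '.join(visible_tabs(role)) or '(catalog only)'}")
    for finding in check_custom_groups(SAMPLE_GROUPS):
        print("WARN", finding)
```

Running it prints the tab each role can reach and two warnings for the `vRA-Everything` group (three roles in one group, and a user added directly). Splitting the roles out is the point the notes make about re-engineering later: a group that carries Tenant Administrator, IaaS Administrator and an Architect role at once has to be taken apart before any one of those duties can be handed to someone else.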
One last thing I found useful - Sam McGeown has created a mindmap of vRA roles
http://www.definit.co.uk/2015/11/mindmap-vrealize-automation-roles/