Friday 17 March 2017

VCP7-CMA Section 2 - Blueprint Dissection

Objective 2.1: Create and Manage Tenants
Knowledge
·      Create a new tenant for a given design

Log on to the default tenant (https://vraapp/vcac/org/vsphere.local) and log in with the administrator@vsphere.local account that you created during the vRA deployment.

Click ‘New +’ to create the tenant; the local users for the new tenant are added as part of the same wizard.
·      Create, add, and manage local users
From the same interface, you can select an existing tenant and create new local users for it; very useful to ensure a back-door (get-out-of-jail-free) user account, and required for the initial configuration of the tenant. You should use an AD account for day-to-day operations. See above – done as part of the new tenant creation.
·      Configure administrative access and describe privilege level differences between roles
A tenant administrator configures:
o   Branding
o   User and group roles
o   Actions
o   Tenant machines & reclamations
o   vRO
o   Blueprints
o   Messageboard
An IaaS administrator configures:
o   Endpoints
o   Fabric Groups
o   AWS Instance types
o   Proxy Agents
o   IaaS licensing
o   Logging
After the tenant is configured (i.e., your tenant admin and IaaS admins have done their work), you have the following roles:
·      Service Architect
o   Create XaaS
o   Create custom actions
o   Define custom resource types
·      XaaS Architect
o   Blueprints (limited access)
o   Create and publish XaaS services
o   Create, update and publish services, catalog items and actions
·      Infrastructure architect
o   Blueprint design (create, access GUI, publish, view, etc.)
o   Use reservation Policies
o   Manage VM templates
·      Software Architect
o   Blueprint design (create, access GUI, publish, view, etc.)
·      Approval Administrator
o   Access my tenant administration GUI
o   Edit approval policy
·      Container Administrator (new with 7.2)
o   Manage Container hosts
o   Manage Container placements
·      Application Architect
o   Blueprint design (create, access GUI, publish, view, etc.)
·      Catalog Administrator
o   Create, update and publish services, catalog items and actions
·      Support User
o   Not a role, but can perform functions on behalf of other users (i.e., machine provisioning and management).
·      Determine the unique URL used to access the tenant
https://vraapp/vcac/org/tenantURL (so in the above example, /vcac/org/engineering)
But who can see what?
·      Design tab = role has ‘Architect’ in the title
·      Administration = Everyone except users & architects (excluding the Infrastructure architect)
·      Infrastructure = IaaS Administrator and Tenant Administrator (the two that are created at the start)
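The tenant URL name above is also what the vRA 7 identity service uses when it issues an API token (POST /identity/api/tokens with a username, password and tenant). The following is an added Python helper, not code from this post or from VMware, that builds the tenant login URL described above and a matching token request for the same tenant. The hostname vraapp and the credentials are placeholders; cafile is the CA bundle that signed the appliance certificate, supplied by the caller so that certificate verification stays on.

```python
"""Added example: tenant login URL and per-tenant API token request for vRA 7.

Assumptions (not from the post): hostname 'vraapp' and the credentials are
placeholders; the identity API path /identity/api/tokens is the vRA 7.x
REST endpoint that issues a bearer token scoped to one tenant.
"""
import json
import ssl
import urllib.request


def tenant_login_url(host: str, tenant_url_name: str) -> str:
    """Browser login URL for a tenant: https://<host>/vcac/org/<tenantURL>."""
    return f"https://{host}/vcac/org/{tenant_url_name}"


def build_token_request(host: str, tenant_url_name: str,
                        username: str, password: str) -> urllib.request.Request:
    """Build (but do not send) the POST /identity/api/tokens request.

    The 'tenant' field is the tenant URL name (e.g. 'vsphere.local' or
    'engineering'), not the display name, so a wrong value here is the
    usual reason a login that works in the browser fails via the API.
    """
    body = json.dumps({
        "username": username,
        "password": password,
        "tenant": tenant_url_name,
    }).encode("utf-8")
    req = urllib.request.Request(
        f"https://{host}/identity/api/tokens", data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    return req


def parse_token_response(raw: bytes) -> dict:
    """Validate the token response; the 'id' value is the bearer token."""
    data = json.loads(raw)
    if "id" not in data or "tenant" not in data:
        raise ValueError("unexpected token response: %r" % (data,))
    return {"token": data["id"], "tenant": data["tenant"],
            "expires": data.get("expires")}


def bearer_header(token: str) -> dict:
    """Header to attach to later API calls made as this tenant user."""
    return {"Authorization": f"Bearer {token}"}


def request_token(req: urllib.request.Request, cafile: str) -> dict:
    """Send the request over a verified TLS connection (network call)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Offline demonstration: show the URL and the request that would be sent.
    print(tenant_login_url("vraapp", "engineering"))
    req = build_token_request("vraapp", "engineering",
                              "configurationadmin", "<placeholder-password>")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

To actually log in, call request_token(req, cafile="/path/to/vra-ca.pem"); the returned token goes into bearer_header() for subsequent calls, and it is scoped to the tenant named in the request, which is the same per-tenant boundary the /vcac/org/ URL enforces in the browser.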
Objective 2.2: Create and Manage Directories
Knowledge
·      Create and manage LDAP directory for Active Directory in vRealize Automation
Administration > Directories Management > +

You can only use a single ‘Integrated Windows Authentication’ directory; all other directories must be AD over LDAP. Sync Connector = the vIDM connector, usually your vRA appliance unless you’ve distributed it.
Bind DN = the user account used for AD syncing.
Password changing = new in vRA 7.2.
·      Create and manage Windows Integrated Authentication Directory in vRealize Automation
Can only be used on one tenant; usually the default.
·      Determine and configure appropriate user and directory binding details
Click on ‘Sync Settings’. This allows you to choose the users and groups that you include in the synchronisation.
·      Evaluate directory synchronization health and troubleshoot issues
Click on Sync Log, which shows you the most recent sync (check the schedule first from the ‘Sync Frequency’ tab under ‘Sync Settings’).
The number below Alerts is a hyperlink.
Objective 2.3: Create and Manage Business Groups
Knowledge
·      Configure business groups for a given design
Administration > Users & Groups > Business Groups > +… It’s difficult to say how to configure something ‘given a design’ without being given a design…
Add users as required:
Business Group Managers = create services, entitlements and approvals
Support role = manage catalog items on behalf of other users
User role = Consumer of the service
Then on the infrastructure tab, choose the default machine prefix:
This is predefined from Infrastructure > Administration > Machine Prefixes
·      Add users and groups to appropriate support roles for a given design
See the point above – a BG can be modified to change the Business Group Managers, support roles or user roles after being deployed.
·      Determine and select the appropriate machine prefix for the business group
As mentioned above – and again this can be changed after creation of a BG.
Objective 2.4: Manage User and Group Role Assignments
Knowledge
·      Explain the roles available to vRealize Automation and vRealize Business
Roles available to vRA listed in Section 2.1
vRB roles:
o   Business Management Administrator = view and update cost info
o   Business Management Read only = view details but not update cost info
o   Business Management Controller = view assigned tenant details but not perform other admin
o   Tenant admin having Business Management Administrator role = all tasks; managing connections (+ public cloud), updating reference DB, etc.
·      Assign roles to individual users for a given design
Depending on the design… For IaaS Administrators and Tenant Administrators, use https://vraapp/vcac/org/vsphere.local and add to the tenant config.
For others, use custom groups and assign roles using that mechanism (see point two below)
·      Assign roles to directory groups for a given design
Depending on the design… For IaaS Administrators and Tenant Administrators, use https://vraapp/vcac/org/vsphere.local and add to the tenant config.
For others, use custom groups and assign roles using that mechanism (see point below)
·      Create vRealize Automation custom groups and assign roles
Administration > Users & Groups > Custom Groups > +
Don’t create a single group with every role in it at this stage – it’ll be a headache to re-engineer it later on. Create separate groups per role and add users now (more work upfront but straightforward later on).

Under ‘members’, you can add both groups and users (but add groups to avoid having to come here too often).

One last thing I found useful - Sam McGeown has created a mindmap of vRA roles
http://www.definit.co.uk/2015/11/mindmap-vrealize-automation-roles/
