Using Commander in Multi-Tenant Environments
Multi-tenancy is the principal technology that clouds use to share IT resources cost-effectively and securely. An apartment building is a useful analogy. Many tenants in an apartment building share the common infrastructure of the building, but walls and doors give them privacy from other tenants. Likewise, a cloud uses multi-tenancy technology to share IT resources securely among multiple applications and tenants (such as businesses and organizations) that use the cloud.
Multi-tenancy often divides users into two groups: producers and consumers. Producers are those who provide service to consumers — typically an IT organization within an enterprise, or an IT service provider. Producers configure a multi-tenant cloud model using the Commander Admin Portal. Consumers manage their IT assets and request additional cloud services using the Service Portal.
Commander allows you to configure fine-grained access control for both producers and consumers. The Superuser and Administrator roles allow producers to configure multi-tenancy in the Commander console, while various Service Portal roles ensure that consumers can see and do only what you allow.
Organizations: The basis of the Commander multi-tenant model
An organization is a group of consumers with a common business purpose. Organizations allow you to:
- Segregate data for your consumer groups.
- Delegate administrative tasks to consumers.
- Set up distinct cloud automation configurations for your consumer groups.
Distinct configuration through organizations
Organizations allow you to set up completely distinct configurations for your consumer groups. In the multi-tenant Commander model, the entire service request process is unique to each organization.
You assign service ownership at the organization level (ownership can be assigned automatically during provisioning). You can also configure the following capabilities per organization:
- Resource-based and cost-based quotas
- Service catalog entries
- Service request forms
- Service request approval workflows
- Deployment destinations
- Service ownership
- Command workflows
- Usage-based service cost allocation
- Media library
- Maintenance window
- Custom external web page for landing page
- Custom external web pages
- Custom external information for VMs
Delegated administration through organizations
You can optionally delegate administrative tasks to one or more organization managers, allowing you to lighten the load on the Commander administrator.
Typically the person responsible for a business unit, the organization manager has extended permissions for managing an organization's members and assets. You can tailor these permissions to the technical abilities of your organization managers.
The tasks that can be delegated through permissions include:
- adding and removing members
- modifying members' roles
- assigning the primary contact for an organization
- managing the media library
- assigning quotas to members
- approving members' service requests
- monitoring quota usage
Get started with Commander multi-tenancy
For new installations of Commander, start here:
- The first step is to create organizations. For more information, see Create Organizations.
Now you're ready to configure the other aspects of the Commander multi-tenant model. The order of these steps isn't important.
- Set resource-based or cost-based quotas for each organization. For more information, see Set Organization Quotas.
- Configure custom attributes for each organization. For more information, see Work with Custom Attributes.
- Assign Service Catalog entries so that organization members see only those entries when making a service request. For more information, see Catalog.
- Assign Service Request forms to control the form that organization members use when making a service request. For more information, see New Service Request Configuration.
- Configure a maintenance window for the fulfillment of disruptive change requests. For more information, see Configure Maintenance Windows.
- Configure a quota-based service request approval process so that you can automatically approve or reject service requests based on an organization's available quota. For more information, see Configure a Quota-Based Service Request Approval Process.
- Assign deployment destinations so that VMs requested by organization members are automatically deployed to a destination that makes sense for the organization. For more information, see Configure Automated Deployment for Approved Service Requests.
- Assign ownership of existing VMs to organizations so that organization members can view and manage their VMs, and organization managers can view and manage VMs belonging to the organization. For more information, see Resource and Service Ownership.
- Configure the default ownership policy to ensure that ownership of new services is automatically assigned to the appropriate organization. Note that when organization members request a service, the deployed service is automatically assigned to the organization, so this step is required only if services are created outside the service request process. For more information, see Set Resource Ownership with Policies.
- Create a media library so that Service Portal users with permissions can upload media files to an organization-specific media folder. See Create a Media Library.
- Optionally, group organizations under parent organizations. See Using Parent Organizations.
See Walk-Through: Configuring Organizations for an end-to-end example.