ViPR 2.1 - Add a New Tenant to an Existing ViPR Virtual Data Center

Table of Contents

Introduction

This article describes how to add a new tenant to an existing virtual data center.

You should ensure that you are familiar with the main concepts associated with ViPR tenants provided in the following article:
Back to Top

Step-by-Step: Create and configure a new tenant

This topic outlines the steps required to create and configure a new tenant, which is a sub-tenant under the provider tenant.

Before you begin

  • You should plan how to you want to map users into tenants.
  • To create a new tenant you will need the Tenant Administrator role for the provider tenant.
  • To perform virtual array or virtual pool tenant assignment, you will need the System Administrator role.
  • To configure the tenant for use by ViPR Data Services you will need the System Administrator role.

Procedure

  1. Create a new tenant and map users into the tenant.
  2. Perform any virtual array and/or virtual pool assignment for the tenant.
    You will need the System Administrator role and the Tenant Administrator role to perform this assignment.
  3. Assign a Tenant Administrator for the tenant.
  4. If you have configured Data Services, perform the namespace configuration for the Data Services tenant.
  5. Prepare the tenant for end-users by assigning users to projects and customizing the service catalog.
Back to Top

Create a tenant at the ViPR UI

The ViPR UI enables you to create new tenants and map users into the tenant.

Before you begin

  • You must have the Tenant Administrator role for the provider tenant.
  • An authentication provider must have been registered with ViPR and must be for the domain from which you want to map users.
  • Your AD administrator must have set up AD groups and/or attribute mappings in accordance with your tenant plan.

Procedure

  1. At the ViPR UI, select Tenant Settings > Tenants.
  2. You can add a tenant by choosing Add, or to edit an existing tenant, click on the tenant name.
  3. Type a name and a description for the tenant.
  4. Optionally, specify a quota for the tenant. This is the total storage that users in the tenant can create.
  5. Select the domain to which the tenant users belong.
    Your configuration could have a separate domain for each tenant, or you can use the same domain to provide users for more than one tenant. To use the same domain, you must configure the user mappings to identify the specific set of users that will belong to the tenant and to ensure that a user is mapped into only a single tenant.
  6. To specify the way users will be mapped from the selected domain, select Add User Mapping Rule.
    A user mapping rule is added to the tenant. You can add more than one user mapping to achieve finer grained control over the selection of users for the tenant.
  7. Specify any groups that you want to use to map users into the tenant.
    The group or groups that you specify must exist in AD.
    A group associated with a domain can be used by more than one tenant, and the selection of users from the domain group can be based on attributes associated with the user.
  8. To use attributes to map users into the tenant, click the Add Attribute button and enter the name of the attribute and the value or values for the attribute.
    For users to be mapped into the domain, the attribute value set for the user must match the attribute value specified in ViPR. An example of setting user mappings at the Create Tenant page is shown below. In the example, users from the selected domain for whom the AD Department attribute has been set to "Accounts" are mapped into the tenant.

    Setting user mappings for a tenant using AD attributes

  9. Click Save.

After you finish

Any sub-tenant that you created requires a Tenant Administrator to perform day-to-day administration of the tenant: configuration of the service catalog, creation of projects, assignment of users to tenant roles. Sub-tenants can be managed by the Tenant Administrator of the provider tenant or a user that belongs to the tenant can be assigned as the Tenant Administrator.

Back to Top

Assign the Tenant Administrator role a for the provider tenant or a sub-tenant

The Tenant Administrator role is assigned to a member of the tenant and allows the user to configure the tenant service catalog and projects, assign users to tenant roles, and have elevated access to projects and resources. The Tenant Administrator role can be assigned by the Security Administrator for the VDC or by the Tenant Administrator for the tenant.

Before you begin

  • You must have the Security Administrator role or the Tenant Administrator role for the tenant to which you want to assign the Tenant Administrator role. When a Tenant Administrator for the provider tenant creates a sub-tenant, they are automatically assigned as a Tenant Administrator for the sub-tenant.
  • You will need the username or group to which you want to assign the Tenant Administrator role. The user or group must be a member of the tenant for which you want the user or group to be the administrator.

Procedure

  1. Select Tenant Settings > Tenants.
  2. For the tenant for which you want to perform the assignment, select the Role Assignments button, located in the Edit column of the Tenants table.
  3. At the Tenant drop-down, select the tenant for which you want to assign a Tenant Administrator.
  4. Select Add.
  5. Select whether the role is being assigned to a User or Group.
  6. Enter the name of the user or group.
  7. Select the Tenant Administrator role.
  8. Select Save.

Results

The user or group will appear in the Role Assignments table as tenant Administrator for the tenant to which he has been assigned. If an error occurs check that the user is a member of the tenant to which you are assigning the role.

Back to Top

Set up the VDC for a tenant

You can add access control to virtual arrays and virtual pools to make them available to specific tenants.

A virtual array comprises array endpoints and host endpoints interconnected by a SAN fabric or an IP network. The virtual array can comprise both fibre channel and IP networks. In this way different array ports can be configured into different virtual arrays, allowing a physical array to contribute to more than one virtual array.

This partitioning of physical arrays into virtual arrays, coupled with the ability to assign access to specific tenants, provides control over the storage provisioning environment made available to a tenant.

Even finer grained control can be obtained by assigning specific virtual pools to tenants. For storage provisioning purposes, the physical storage pools of a virtual array are offered as virtual pools based on their performance and protection characteristics. Restricting access to a virtual pool to specific tenants could mean that if a virtual pool is configured to use a particular array type, restricting access to the virtual pool can prevent a particular tenants from accessing the array. Similarly, you could restrict access to a pool that provides a particular performance characteristic, such as SSD.

Back to Top

Set up virtual arrays and virtual pools for a ViPR tenant

When setting up a tenant, a System Administrator can configure access to virtual arrays and virtual pools.

Before you begin

  • You must have the System Administrator role in ViPR.

Prior to assigning a virtual array or virtual pool to one or more tenants, access the virtual array and virtual pool is available to all tenants. When you assign a virtual array or virtual pool to one or more tenants it will go from being unrestricted to being available only to the selected tenants. Tenants that could see the virtual pool prior to the assignment will no longer be able to do so.

For this reason restricting access to a specific tenant actually means assigning access to all of the tenants that you do want to allow access.

Procedure

  1. Virtual array configuration. To select a virtual array and make it available to specific tenants:
    1. At the ViPR UI, select Virtual Assets > Virtual Arrays.
    2. Select the virtual array that you want to assign/restrict access to.
    3. Check the Grant Access to Tenants box and choose the tenants that you want the virtual pool to be available to.
      The Tenant Access panel on the Edit Virtual Array page is shown below.
    4. Save the virtual array.

    Applying virtual array tenant restriction

    Users belonging to the specified tenants will have access to the virtual array.
  2. Virtual pool configuration. To select a virtual pool and make it available to specific tenants:
    1. At the ViPR UI, select Virtual Assets > Block Virtual Pools or Virtual Assets > File Virtual Pools.
    2. Select the virtual pool that you want to assign/restrict access to.
    3. Expand the Access Control Panel and check the Grant Access to Tenants box. Choose the tenants that you want the virtual array to be available to.
      The Tenant Access panel on the Edit/Create File Virtual Pool page is shown below.
    4. Save the virtual pool.

    Applying virtual pool tenant restriction

    Users belonging to the specified tenants will have access to the virtual pool.
Back to Top

Set up the tenant for end-users

Once a tenant has been created and configured, there are a number of Tenant Administrator tasks that can be performed. The tasks can be performed by the Tenant Administrator for the tenant.

The following administration tasks can be performed in preparation for using the tenant for block and file provisioning operations or for using ViPR Data Services.
  • Projects can be created and tenant users given access to the project.
  • The service catalog can be configured by arranging services in categories. Tenant users can be assigned access to the allow categories or individual services.
  • Hosts, clusters, and vCenters for the tenant can be added.
  • Consistency groups can be created.
  • Execution windows can be created.
Back to Top