Creating Organizations for Embotics® vCommander® Multi-tenancy

Organizations form the basis of the vCommander multi-tenant model. An organization is a group of consumers with a common business purpose. Organizations allow you to:

ensure that consumer groups can access only the resources assigned to them

set up distinct cloud automation configurations for your consumer groups

delegate administrative tasks to consumers, allowing you to lighten the load on the vCommander administrator

This article shows you how to create organizations, add users and groups to organizations, and assign roles to organization members.

If you've upgraded from a previous release and want to move existing users into organizations, see also Moving Existing Users into an Organization.

How organizations work

Because each organization can have distinct service ownership and configuration, organization membership affects what each user sees and what they can do in the Service Portal.

When you add a user to an organization, you assign an organizational role. This role enables users to log in to the Service Portal as a member of an organization.

Typically when using organizations, you create an organization for each group of consumers that requires data segregation and distinct configuration. Each user becomes a member of a single organization. However, if you require it, a user can be a member of multiple organizations and can have different roles in each organization. For example, a user may need have a Delegated Admin role in one organization, but a Customer role in another organization. If a user requires visibility of VMs and other services across multiple organizations at the same time (for example, an IT admin), you can assign them an individual role, outside of an organization. When you add a user from the Users tab, you assign the user an individual role.

Service Portal users can see what role they're currently using, and what organization they're logged into, in the Service Portal banner. To switch to another role and/or to another organization, they use the Views menu.

Once logged in as an organization member, the user has access to assets (Service Catalog entries, request forms, deployment destinations and workflows) visible to that organization only.

For a service to be visible to an organization member, the service must be visible to the organization, and the user must be an owner of the service (primary, IT contact, or other). For more details on ownership, see Assigning Ownership to Services.

Note that because organizations provide data segregation, only organization members can access organization assets (service catalog entries, request forms, workflows, deployment destinations and quota usage information).

See Walk-through: Configuring Organizations for an end-to-end example.

Quota considerations

To set quotas, you must configure organizations. In new installations of vCommander, a Default organization exists, with two members: manager and user. If you want to set quotas, but don't want to configure multiple organizations, you can simply add all of your users to this Default organization.

You can set quota at the organization level and, optionally, for individual members. It's not possible to set member quota for a Directory Services group. To set member quota, you must add each Directory Services group user as an organization member. However, if you prefer not to add members individually, you can still set a quota for the entire organization.

An important note about adding Service Portal users

There are two ways to add Service Portal users: from the Configure Organization wizard and from the Configuration > Users and Roles page. In most cases, you should add users from the Configure Organization wizard. This ensures that the user has only an organizational role.

There are two cases in which you should add Service Portal users from the Users and Roles page:

A user who requires visibility of services across organizations (such as Scott, our IT Admin) needs to have an individual role, and does not need an organizational role.

A user who requires visibility of services across organizations and will manage VMs as a member of an organization needs to have both an individual role and an organizational role.  In this case, you first add the user on the Users and Roles page, then add them to the organization (not the other way around). In this case, you first add the user to an organization, and then edit them on the Users and Roles page to provide an individual role. The user can then log into the Service Portal as a member of an organization, and can then switch between roles.

Creating an organization and adding members

Access through:

Configuration menu > Organizations and Quotas > Organizations Tab

Available to:

vCommander Role of Superuser, Enterprise Admin

Before you create organizations, you may want to customize Service Portal roles.

If you have upgraded from a previous release, there are special considerations. See Moving Existing Users into an Organization instead.

To create an organization and add members:

1.On the Organizations tab, click Add.

2.On the Name and Members page, provide a name (maximum 64 characters), for example, Development.

3.To add users by entering a login name or email address:

Click Add User.

Enter a login name or email address and click Add.

NotePencil-smallYou can also add existing users from this dialog.

4.To add users from a list of users and groups that have already been added to vCommander:

Click Add Existing User.

Select one or more users and groups.

5.In the Add User or Add Existing User dialog, assign the user a role by selecting from the Portal Role drop-down menu.

6.If desired, enable Primary contact of this organization. Enabling this option means that you can configure workflows to automatically send emails to this member. The most common reason for emailing the organization manager is for service request approval. It can be useful to assign multiple managers for each organization, so that multiple individuals automatically receive approval emails.

7.Click Add.

8.To set quotas for the organization, click Next and see Setting Quotas for Embotics® vCommander® Multi-tenancy.

9.Otherwise, click Finish.

Next steps

You're ready to create a customized cloud automation configuration for the organization. See Getting started with vCommander multi-tenancy.

Modifying an organization member's role and assigning a primary contact

Access through:

Configuration menu > Organizations and Quotas > Organizations Tab

Available to:

vCommander Role of Superuser, Enterprise Admin

A user can be a member of multiple organizations, and they can have a distinct role in each organization.

To modify the role for an organization member:

1.On the Organizations tab, select the organization and click Edit.

2.Select the user or group in the User/Group list and click Modify Role.

3.In the Portal Role drop-down menu, select the appropriate role and click OK.

4.If desired, enable Primary contact of this organization. Enabling this option means that you can configure workflows to automatically send emails to this member. The most common reason for emailing the organization manager is for service request approval. It can be useful to assign multiple primary contacts for each organization, so that multiple individuals automatically receive approval emails.

Users must log out and log back into the Service Portal for these changes to take effect.

Removing a member from an organization

Access through:

Configuration menu > Organizations and Quotas > Organizations Tab

Available to:

vCommander Role of Superuser, Enterprise Admin

1.On the Organizations tab, select an organization and click Edit.

2.On the Name and Members page, select one or more members and click Delete User.

Caution: If this user does not have another role, the user will be completely deleted from the system. (It's also possible to delete your own account.) To prevent this, before deleting the member, assign the member an individual role from Configuration > Users and Roles, or add the member to another organization.

If the user is a member of another organization or has an individual role outside of an organization, the user will be removed from this organization, but will not be deleted from the system.

3.If the user owns VMs, you are prompted to decide whether to reassign ownership. If you don't reassign ownership, only organization members with the Show All Organization Services permission will be able to see these VMs. You can:

leave the deleted user as owner

remove the deleted user as owner

replace the deleted user with another owner by entering a user or group login or email address. If no matching user or group is found, an error is displayed.

Moving a member to a new organization

If you need to move a user from one organization to another:

1.Add the user to the new organization. This ensures that the user is not deleted from the system when you remove the user from the original organization.

2.Remove the user from the old organization.

Deleting an organization

Access through:

Configuration menu > Organizations and Quotas > Organizations Tab

Available to:

vCommander Role of Superuser, Enterprise Admin

Before you can delete an organization, you need to remove its asset assignments. For example, if you had assigned an approval workflow to an organization, you need to edit the approval workflow to remove the organization assignment before you can delete the organization.

When you try to delete an organization that has assigned assets, vCommander will display a message informing you of the assets assigned to the organization.

To delete an organization, on the Organizations tab, select the organization and click Delete.

Caution: Deleting an organization also completely deletes any of its members who do not have another role. To prevent this, do one of the following before deleting the organization:

Assign these members an individual role from Configuration > Users and Roles

Add these members to another organization