Using Commander in Multi-Tenant Environments
Multi-tenancy is the principal technology that clouds use to share IT resources cost-effectively and securely. An apartment building is a useful analogy. Many tenants in an apartment building share the common infrastructure of the building, but walls and doors give them privacy from other tenants. Likewise, a cloud uses multi-tenancy technology to share IT resources securely among multiple applications and tenants (such as businesses and organizations) that use the cloud.
Multi-tenancy often divides users into two groups: producers and consumers. Producers are those who provide service to consumers — typically an IT organization within an enterprise, or an IT service provider. Producers configure a multi-tenant cloud model using the Commander console. Consumers manage their IT assets and request additional cloud services using the Service Portal.
Commander allows you to configure fine-grained access control for both producers and consumers. The Superuser and Administrator roles allow producers to configure multi-tenancy in the Commander console, while various Service Portal roles ensure that consumers can see and do only what you allow.
An organization is just a group of consumers with a common business purpose. Organizations allow you to:
- segregate data for your consumer groups
- delegate administrative tasks to consumers
- set up distinct cloud automation configurations for your consumer groups
Organizations allow you to set up completely distinct configurations for your consumer groups. In the multi-tenant Commander model, the entire service request process is unique to each organization.
You assign service ownership at the organization level (ownership can be assigned automatically during provisioning). You can also configure the following capabilities per organization:
- Resource-based and cost-based quotas
- Service catalog entries
- Service request forms
- Service request approval workflows
- Deployment destinations
- Service ownership
- Command workflows
- Usage-based service cost allocation
- Media library
- Maintenance window
You can optionally delegate administrative tasks to one or more organization managers, allowing you to lighten the load on the Commander administrator.
Typically the person responsible for a business unit, the organization manager has extended permissions for managing an organization's members and assets. You can tailor these permissions to the technical abilities of your organization managers.
The tasks that can be delegated through permissions include:
- adding and removing members
- modifying members' roles
- assigning the primary contact for an organization
- managing the media library
- assigning quotas to members
- approving members' service requests
- monitoring quota usage
For new installations of Commander, start here:
- The first step is to create organizations.
Note: If you've upgraded from a previous release of Commander, there are some special considerations. See Moving Existing Users into Organizations.
Now you're ready to configure the other aspects of the Commander multi-tenant model. The order of these steps isn't important.
- Set resource-based or cost-based quotas for each organization.
- Assign Service Catalog entries so that organization members see only those entries when making a service request.
- Assign Service Request forms to control the form that organization members use when making a service request.
- Configure a maintenance window for the fulfillment of disruptive change requests.
- Configure a quota-based service request approval process so that you can automatically approve or reject service requests based on an organization's available quota.
- Assign deployment destinations so that VMs requested by organization members are automatically deployed to a destination that makes sense for the organization.
- Assign ownership of existing VMs to organizations so that organization members can view and manage their VMs, and organization managers can view and manage VMs belonging to the organization.
- Configure the default ownership policy to ensure that ownership of new services is automatically assigned to the appropriate organization. Note that when organization members request a service, the deployed service is automatically assigned to the organization, so this step is required only if services are created outside the service request process.
- Allocate costs for services owned by one organization or individual, but used by one or more other organizations. You can adjust the percentage as required, based on usage changes.
- Create a media library so that Service Portal users with permissions can upload media files to an organization-specific media folder.
- Optionally, group organizations under parent organizations.
See Walk-Through: Configuring Organizations for an end-to-end example.
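The ownership rules in the steps above can be checked against an inventory export. The following is an added example, not Commander code or its API: the User and Service records, the can_view rule (a member sees services they own, a manager sees all of the organization's services) and the sample data are assumptions made for illustration. The audit flags services with no organization owner, which is the case the default ownership policy step covers, and services whose individual owner belongs to a different organization.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    org: str
    is_manager: bool = False   # organization manager

@dataclass(frozen=True)
class Service:
    name: str
    org: Optional[str]         # owning organization; None = never assigned
    owner: Optional[str]       # individual owner, if any

def can_view(user, svc):
    """Members see services they own; managers see all of their organization's."""
    if svc.org is None or svc.org != user.org:
        return False           # other tenants' and unowned services stay hidden
    return user.is_manager or svc.owner == user.name

def audit(users, services):
    """Return (service, finding) pairs whose ownership needs review."""
    findings = []
    known_orgs = {u.org for u in users.values()}
    for svc in services:
        owner = users.get(svc.owner) if svc.owner else None
        if svc.org is None:
            findings.append((svc.name, "no organization owner"))
        elif svc.org not in known_orgs:
            findings.append((svc.name, "unknown organization"))
        elif owner is not None and owner.org != svc.org:
            findings.append((svc.name, "owner outside owning organization"))
    return findings

# Constructed sample data (hypothetical names, not from a real deployment).
USERS = {u.name: u for u in (
    User("alice", "finance", is_manager=True),
    User("bob", "finance"),
    User("carol", "engineering"),
)}
SERVICES = [
    Service("fin-db01", "finance", "bob"),
    Service("fin-web01", "finance", "alice"),
    Service("eng-build01", "engineering", "carol"),
    Service("legacy-vm07", None, None),        # created outside the request process
    Service("eng-test02", "engineering", "bob"),
]
```

Running audit(USERS, SERVICES) on the sample reports legacy-vm07 and eng-test02; the other three services pass.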