Creating Organizations for Multi-Tenancy

Organizations form the basis of the vCommander multi-tenant model. An organization is a group of consumers with a common business purpose. Organizations allow you to:

  • ensure that consumer groups can access only the resources assigned to them
  • set up distinct cloud automation configurations for your consumer groups
  • delegate administrative tasks to consumers, allowing you to lighten the load on the vCommander administrator

This topic shows you how to create organizations, add users and groups to organizations, and assign roles to organization members. If you've upgraded from a previous release and want to move existing users into organizations, see Moving Existing Users into an Organization.

How organizations work

Because each organization can have distinct service ownership and configuration, organization membership affects what each user sees and what they can do in the Service Portal.

When you add a user to an organization, you assign an organizational role. This role enables users to log in to the Service Portal as a member of an organization.

Typically when using organizations, you create an organization for each group of consumers that requires data segregation and distinct configuration. Each user becomes a member of a single organization. However, if you require it, a user can be a member of multiple organizations and can have different roles in each organization. For example, a user may need to have a Delegated Admin role in one organization but a Customer role in another organization. If a user requires visibility of VMs and other services across multiple organizations at the same time (for example, an IT admin), you can assign them an individual role, outside of an organization. When you add a user from the Users tab, you assign the user an individual role.

Service Portal users can see what role they're currently using, and what organization they're logged into, in the Service Portal banner. To switch to another role and/or to another organization, they use the Views menu.

Once logged in as an organization member, the user has access to assets (Service Catalog entries, request forms, deployment destinations and workflows) visible to that organization only.

For a service to be visible to an organization member, the service must be visible to the organization, and the user must be an owner of the service (primary, IT contact, or other). For more details on ownership, see Assigning Ownership to Services.

Note that because organizations provide data segregation, only organization members can access organization assets (service catalog entries, request forms, workflows, deployment destinations and quota usage information).

See Walk-through: Configuring Organizations for an end-to-end example.

Quota considerations

To set quotas, you must configure organizations. In new installations of vCommander, a Default organization exists, with two members: manager and user. If you want to set quotas, but don't want to configure multiple organizations, you can simply add all of your users to this Default organization.

You can set quota at the organization level and, optionally, for individual members. It's not possible to set member quota for a Directory Services group. To set member quota, you must add each Directory Services group user as an organization member. However, if you prefer not to add members individually, you can still set a quota for the entire organization.

Ways to add Service Portal users

There are two ways to add Service Portal users:

  • from the Configure Organization wizard (accessed through Configuration > Organizations and Quotas > Organizations Tab)
  • from the Users and Roles page (accessed through Configuration > Users and Roles)

In most cases, you should add users from the Configure Organization wizard. This ensures that the user has only an organizational role.

There are two cases in which you should add Service Portal users from the Users and Roles page:

  • A user who requires visibility of services across organizations (such as Scott, our IT Admin) needs to have an individual role, and doesn't need an organizational role.
  • A user who requires visibility of services across organizations and will manage VMs as a member of an organization needs to have both an individual role and an organizational role. In this case, you first add the user on the Users and Roles page, then add them to the organization (not the other way around). In this case, you first add the user to an organization, and then edit them on the Users and Roles page to provide an individual role. The user can then log into the Service Portal as a member of an organization, and can then switch between roles.

Creating organizations and adding members

Access through:

Configuration menu > Organizations and Quotas > Organizations Tab

Available to:

vCommander Role of Superuser, Enterprise Admin

A user can be a member of multiple organizations, and they can have a distinct role in each organization.

Before you create organizations, you may want to customize Service Portal roles.

If you have upgraded from a previous release, there are special considerations. See Moving Existing Users into an Organization instead.

To create an organization and add members:

  1. On the Organizations tab, click Add.
  2. On the Name and Members page of the Configure Organization dialog, provide a descriptive name for the organization (for example, "DevOps").

    Although you can click Finish at this point to create an organization with no members, you will typically add some members when creating an organization. To add new or existing users or groups as members of the organization, continue following the steps below.

  3. To add new users or groups, click Add User, then do the following in the Add User dialog:
    1. In the User/Group Name field, enter a local user's name or, for a directory service user or group, enter a valid directory service user name with the format <username@domain> and click ellipses.

      The user's information from the directory service is displayed. You can't change this information in vCommander.

    2. Complete the identification and contact information fields as required.

      The user's email address is used to:

      • notify the user about policy actions
      • notify the user about service requests

      Passwords for local accounts are encrypted and stored in the vCommander database.

    3. The User Enabled option is selected by default. Clear this option if you don't want the account enabled upon creation, which prevents users from immediately logging in to vCommander or the Service Portal.
    4. From the Portal Role menu, choose a role for the users in the organization.
    5. By default, a key pair is required to open a secure SSH connection to Amazon EC2 Linux and Solaris instances. See Enabling Key Pair SSH Connections to Amazon EC2 VMs to learn how to set this up. To associate key pair credentials with this user account, do one of the following:
      • Choose existing key pair credentials from the Key Pair Credentials list.
      • Click Add Credentials to create new key pair credentials.
    6. Click Add.

      The new user account is added to the list and is displayed on the information pane.

  4. To add users or groups that have already been added to vCommander, do the following:
    1. Click Add Existing User.
    2. In the Add Existing User dialog, select one or more users and groups.
    3. From the Portal Role menu, choose a role for the users in the organization.

      Optionally, enable Primary contact of this organization to configure the selected members as primary contacts who will automatically receive email notifications generated from workflows.

      The most common reason to set an organization manager as a primary contact is for service request approval. It can be useful to assign multiple contacts for each organization, so that multiple individuals automatically receive approval emails.

    4. Click Add.
  5. Click Next.
  6. On the Organization Properties page, you can optionally associate key pair credentials with the organization and select the Service Portal landing page.
    1. By default, a key pair is required to open a secure SSH connection to Amazon EC2 Linux and Solaris instances. See Enabling Key Pair SSH Connections to Amazon EC2 VMs to learn how to set this up. To associate key pair credentials with this organization, do one of the following:
      • To use existing key pair credentials, select one from the Key Pair Credentials list.
      • To add a new set of credentials, click Add Credentials.
    2. Select the Landing Page for this organization, keeping in mind that users will need the appropriate permissions to view the page you select. Options for the landing page are Dashboard, Cost Dashboard, Service Catalog and External Page. To learn more about setting user permissions, see Customizing Service Portal Roles for End Users.
  7. Click Next.
  8. On the Quotas page, you can optionally set quotas for the organization.

    For information on setting quotas for organizations and specific members, see Setting Quotas for vCommander Multi-Tenancy.

  9. If you have set a quota for the organization, on the Member Quotas page, you can also optionally set quotas for individual organization members.

    For information on setting quotas for organizations and specific members, see Setting Quotas for vCommander Multi-Tenancy.

  10. Click Finish.

Next steps

You're ready to create a customized cloud automation configuration for the organization. See Getting started with vCommander multi-tenancy.

Removing members from organizations

Access through:

Configuration menu > Organizations and Quotas > Organizations Tab

Available to:

vCommander Role of Superuser, Enterprise Admin

  1. On the Organizations tab, choose an organization and click Edit.
  2. On the Name and Members page, select one or more members and click Delete User.

    Caution: If this user doesn't have another role, the user will be completely deleted from the system. (It's also possible to delete your own account.) To prevent this, before deleting the member, assign the member an individual role from Configuration > Users and Roles, or add the member to another organization.
    If the user is a member of another organization or has an individual role outside of an organization, the user will be removed from this organization, but won't be deleted from the system.

  3. If the user owns VMs, you are prompted to decide whether to reassign ownership. If you don't reassign ownership, only organization members with the Show All Organization Services permission will be able to see these VMs. You can:
    • leave the deleted user as owner
    • remove the deleted user as owner
    • replace the deleted user with another owner by entering a user or group login or email address. If no matching user or group is found, an error is displayed.

Moving members to new organizations

If you need to move a user from one organization to another:

  1. Add the user to the new organization. This ensures that the user isn't deleted from the system when you remove the user from the original organization.
  2. Remove the user from the old organization.

Deleting organizations

Access through:

Configuration menu > Organizations and Quotas > Organizations Tab

Available to:

vCommander Role of Superuser, Enterprise Admin

Before you can delete an organization, you need to remove its asset assignments. For example, if you assigned an approval workflow to an organization, you need to edit the approval workflow to remove the organization assignment before you can delete the organization.

When you try to delete an organization that has assigned assets, vCommander will display a message informing you of the assets assigned to the organization.

Caution: Deleting an organization also completely deletes any of its members who don't have another role. To prevent this, do one of the following before deleting the organization:

  • Assign these members an individual role from Configuration > Users and Roles
  • Add these members to another organization

To delete an organization:

  • On the Organizations tab, select the organization and click Delete.
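
The cautions under Removing members from organizations and Deleting organizations can be checked before you make the change. The following Python is an added example, not vCommander code or a vCommander API: it applies the documented rule (a member with no other organization and no individual role is completely deleted) to a hand-built inventory. The User record, the removal_impact function and the sample accounts are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    # Hand-built inventory record (assumption; not a vCommander export format).
    login: str
    org_roles: dict = field(default_factory=dict)  # organization -> portal role
    individual_role: Optional[str] = None          # set on Users and Roles
    owned_vms: list = field(default_factory=list)


def removal_impact(users, org, members=None):
    """Predict the effect of removing `members` (default: every member) from `org`."""
    report = {"deleted": [], "retained": [], "owned_vms": {}}
    for u in users:
        if org not in u.org_roles:
            continue
        if members is not None and u.login not in members:
            continue
        # The account survives only if it keeps a role somewhere else.
        has_other_role = bool(u.individual_role) or any(o != org for o in u.org_roles)
        report["retained" if has_other_role else "deleted"].append(u.login)
        # Owned VMs trigger the reassign-ownership prompt on removal.
        if u.owned_vms:
            report["owned_vms"][u.login] = list(u.owned_vms)
    return report


# Constructed sample data.
USERS = [
    User("alice", {"DevOps": "Customer"}, owned_vms=["dev-web-01"]),
    User("bob", {"DevOps": "Delegated Admin", "QA": "Customer"}),
    User("carol", {"DevOps": "Customer"}, individual_role="Customer"),
    User("dave", {"QA": "Customer"}),
]

if __name__ == "__main__":
    # Deleting the whole DevOps organization: alice would be deleted outright.
    print(removal_impact(USERS, "DevOps"))
    # Moving alice: add her to QA first, then removal no longer deletes her.
    USERS[0].org_roles["QA"] = "Customer"
    print(removal_impact(USERS, "DevOps", members={"alice"}))
```

Passing members limits the check to a single removal; omitting it models deleting the whole organization.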