I was recently asked by a colleague of mine why the Organization Administrator role did not have access to multi-site or Datacenter Groups, which is a new feature inside of vCloud Director 9.5. As it turns out, my orgadmin did not have the permissions required either!
However, under my system administrator, I see it perfectly fine.
So, what gives? Well, this relates to the new Global Roles and Rights Bundles setup.
By default, organization administrators are NOT given the permissions required for multi-site or datacenter group (Cross-VDC) setup. Therefore, this is as expected but requires the new vCD 9.5 RBAC functionality to provide these permissions.
I will walk through setting this up so your organization administrator (or any specific role for that matter) can successfully access the Datacenter Groups menu.
Starting with Rights Bundles –
From Provider H5 UI, navigate to Administration -> Access Control -> Rights Bundles
I will be utilizing the Default Rights Bundle as the place where I’ll establish the correct permissions for multi-site and Datacenter Groups. For Providers that want to monetize this, we can either fall back to the existing legacy rights bundle (see above with the Org IDs) or create a new rights bundle. Click on the radio button and press Edit –
Now we are presented with a screen that shows the different rights categories –
For the multi-site, we need to just scroll down a little bit and we can see the section under Administration. Expand and check the applicable boxes.
Cross VDC is at the bottom, scroll down and expand.
Click Save when finished. Now, we need to Publish this to all tenants or select tenants. In my environment, I am going to publish this to all.
Rights Bundles are a way of assigning specific permissions to organizations, while Global Roles are a way of assigning rights to users within those organizations. Therefore, if an org does not have the specific permissions inside of an assigned rights bundle, it will not show within that organization – nor will it show any permissions! Any org must have a rights bundle attached to it.
Publish the Global Role –
Now, we need to place these permissions inside of the Organization Administrator role. In this example, I will need to add these specific permissions inside of the Org Admin role, and then publish it to my tenants.
So, let’s go ahead and modify my Organization Administrator role and add these permissions.
Scroll down and add in Multisite capability…
While adding VDC Group permissions…
Now we are ready to publish this to all tenants –
Now, let’s test it – it works! I can log in with my specific org admin users and now see Datacenter Groups and Multi-site configuration.
Now, what if I attempt to re-modify the Org Admin role and publish it to a specific tenant (i.e. remove these permissions from Wissam)?
Ah ha! Does not work, because we already have a role applied. Good failsafe.
This definitely provides quite a bit of opportunity to Providers on granular permissions and managing them. I will also be asking our team to revise this documentation that shows the org admin as having these permissions by default (which they do not).
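The two publish steps above (rights bundle to the org, then global role to the org) can be checked with a small model. This is an added example, not code from the post or from vCloud Director; the right labels, the org names, and the assumption that an org's rights are the union of its published bundles are illustrative.

```python
# Simplified model of the two publish steps (added example, not vCD code).
# Right labels and org names are constructed, not real vCD identifiers.
from dataclasses import dataclass, field

@dataclass
class Published:
    """A rights bundle or a global role: its rights plus its publish scope."""
    name: str
    rights: set
    tenants: set = field(default_factory=set)  # orgs it is published to
    all_tenants: bool = False                   # "publish to all tenants"

    def covers(self, org):
        return self.all_tenants or org in self.tenants

def diagnose(org, role_name, wanted, bundles, roles):
    """Report, for each wanted right, whether role_name in org gets it and why not."""
    org_bundles = [b for b in bundles if b.covers(org)]
    # Assumption: the org's available rights are the union of its published bundles.
    org_rights = set().union(*(b.rights for b in org_bundles))
    role = next((r for r in roles if r.name == role_name and r.covers(org)), None)
    report = {"bundles": sorted(b.name for b in org_bundles), "rights": {}}
    for right in sorted(wanted):
        if not org_bundles:
            status = "no rights bundle published to org"
        elif right not in org_rights:
            status = "missing from rights bundle"
        elif role is None:
            status = "role not published to org"
        elif right not in role.rights:
            status = "missing from role"
        else:
            status = "granted"
        report["rights"][right] = status
    return report

if __name__ == "__main__":
    wanted = {"multisite", "vdc-group"}  # constructed labels
    bundle = Published("Default Rights Bundle", {"vapp"} | wanted, all_tenants=True)
    role = Published("Organization Administrator", {"vapp"}, all_tenants=True)
    print(diagnose("org-a", role.name, wanted, [bundle], [role]))  # role not yet edited
    role.rights |= wanted                                          # edit and republish
    print(diagnose("org-a", role.name, wanted, [bundle], [role]))
```

The `bundles` list in the report also shows when more than one rights bundle reaches the same org, which is the situation the comments below run into with legacy bundles.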
11 thoughts on “vCloud Director 9.5 – Multi-Site and Cross-VDC Permissions Requirement”
I have the same problem. I published the new rights bundle to the tenants, modified the global roles and also published them.
I can still not see multi site and datacenter groups.
I created a new role and published it, same problem.
In the org roles view, I can also not see multi site or other “new” entries.
Are you able to see it from the system admin role? If so, then it’s not published to the org admin user. Note that you must publish it twice – one for the rights bundles and one for the role/group itself.
Yes, from the system admin role I can see it.
I created a new role and selected multi site:
I published the role to the tenant (without error)
The new role is available for the tenant, but as you can see here, the multi-site is not available:
Did you create a new rights bundle or a new role? Ensure you only have a single rights bundle published to a tenant. Can you modify the existing rights bundle for this org? If this was an upgrade, you will see a legacy rights bundle available to modify.
You can always open an SR too for further assistance, but this org does not have the multi site rights published from your second screenshot.
Where can I see which rights bundle is assigned to the ORG?
I had legacy bundles, I deleted them now and it works now.
You will need to use the API to find what is published and what is not in 9.5. There’s more capability in 9.7 for rights bundles. Glad it’s working now. Thanks!
I have 9.7 🙂 But I can’t find it anywhere?
I need to check to see if it made the release, but I know it was on the backlog. Perhaps it did not, might still need to use the API.