vCloud Director 9.5 – Multi-Site and Cross-VDC Permissions Requirement

I was recently asked by a colleague of mine on why the Organization Administrator role did not have access to multi-site nor Datacenter Groups which is a new feature inside of vCloud Director 9.5. As it turns out, my orgadmin did not have the permissions required either!

However, under my system administrator, I see it perfectly fine.

So, what gives? Well, this relates to the new Global Roles and Rights Bundles setup.

By default, organization administrators are NOT given the permissions required for multi-site or datacenter group (Cross-VDC) setup. Therefore, this is as expected but requires the new vCD 9.5 RBAC functionality to provide these permissions.

I will walk through setting this up so your organization administrator (or any specific role for that matter) can successfully access to the Datacenter Groups menu.

Starting with Rights Bundles –

From Provider H5 UI, navigate to Administration -> Access Control -> Rights Bundles 

I will be utilizing the Default Rights Bundle as where I’ll establish the correct permissions for multi-site and Datacenter groups. For Providers that want to monetize this, we can either fall back to the existing legacy rights bundle (see above with the Org IDs) or create a new rights bundle. Click on the radio button and press Edit –

Now we are presented with a screen that shows the different rights categories –

For the multi-site, we need to just scroll down a little bit and we can see the section under Administration. Expand and check the applicable boxes.

Cross VDC is at the bottom, scroll down and expand.

Click Save when finished. Now, we need to Publish this to all tenants or select tenants. In my environment, I am going to publish this to all.

Rights Bundles are a way of assigning specific permissions to organizations while Global Roles are a way of assigning rights to users within those organizations. Therefore, if an org does not have permissions to the specific permissions inside of an assigned rights bundle, it will not show within that organization – nor will it show any permissions! Any org must have a rights bundle attached to it.

Publish the Global Role –

Now, we need to place these permissions inside of the Organization Administrator role. In this example, I will need to add these specific permissions inside of the Org Admin role, and then publish it to my tenants.

So, let’s go ahead and modify my Organization Administrator role and add these permissions.

Scroll down and add in Multisite capability…

While adding VDC Group permissions…

Now we are ready to publish this to all tenants –

Now, let’s test it – it works! I can log in with my specific org admin users and now see Datacenter Groups and Multi-site configuration.

Now, what if I attempt to re-modify the Org Admin role and publish it to a specific tenant (i.e. remove these permissions from Wissam)?

Ah ha! Does not work, because we already have a role applied. Good failsafe.

This definitely provides quite a bit of opportunity to Providers on granular permissions and managing them. I will be also asking our team to revise this documentation that shows the org admin as having these permissions by default (which they do not).

Thanks!

-Daniel

3 thoughts on “vCloud Director 9.5 – Multi-Site and Cross-VDC Permissions Requirement”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.