provides the ability to support multi-tenant environments. A multi-tenant
environment enables the division of large physical infrastructures into logical
entities called organizations. As a result, you can achieve logical isolation
between organizations without providing a dedicated physical infrastructure for
each organization.

The administrator can assign unique resources to each tenant through the
related organization in the multi-tenant environment. These resources can
include policies, pools, device profiles, service devices, and so on. The
administrator can use locales to assign or restrict user privileges and roles
by organization if access to certain organizations needs to be restricted.

Users with the tenant-admin role can see only those objects and resources that
are related to their associated tenants as defined by the locales and
organizations assigned to them. They cannot see the policies or resources of
other tenants. Tenant-admin users can view faults only for the resources (such
as firewalls or load balancers) that they manage. They cannot see diagnostic
information or configure administrative options.

A user with the admin role adds a user with the tenant-admin role by
associating that user with a locale and organization. For more information
about creating user accounts and assigning locales and organizations, see the
following topics:

The tenant-admin role has the following privileges:

provides a strict organizational hierarchy as follows:

Virtual Data Center

The root can have multiple tenants. Each tenant can have multiple data centers.
Each data center can have multiple applications, and each application can have
multiple tiers.

The policies and pools created at the root level are systemwide and are
available to all organizations in the system. However, any policies and pools
created in an organization below the root level are available only to those
resources that are below that organization in the same hierarchy.

For example, if a system has tenants named Company A and Company B, Company A
cannot use any policies created in the Company B organization. Company B cannot
access any policies created in the Company A organization. However, both
Company A and Company B can use policies and pools in the root organization.
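
The scoping rule above can be checked mechanically when auditing a tenant
configuration. The following Python sketch is an added example, not code from
the product or its documentation; the org paths, policy names and function
names are hypothetical, and it assumes a policy is also available to the
organization it was created in.

```python
# Constructed sample data. Org paths follow the page's hierarchy:
# root > tenant > data center > application > tier. All names are hypothetical.
POLICIES = {
    "root-acl": "root",
    "a-fw": "root/CompanyA",
    "a-dc1-lb": "root/CompanyA/dc1",
    "b-fw": "root/CompanyB",
    "ab-fw": "root/CompanyAB",
}

def parts(org):
    """Split an org path into components and require that it starts at root."""
    p = [c for c in org.split("/") if c]
    if not p or p[0] != "root":
        raise ValueError(f"org path must start at root: {org!r}")
    return p

def is_available(policy_org, consumer_org):
    """True if policy_org is the consumer's org or one of its ancestors."""
    owner, consumer = parts(policy_org), parts(consumer_org)
    # Compare whole path components, not string prefixes, so that
    # root/CompanyA is never treated as an ancestor of root/CompanyAB.
    return consumer[:len(owner)] == owner

def available_policies(consumer_org, policies=POLICIES):
    """Names of all policies an org can use, sorted for stable output."""
    return sorted(n for n, o in policies.items() if is_available(o, consumer_org))

def out_of_scope_references(references, policies=POLICIES):
    """Return (org, policy) pairs that point at a policy outside the org's hierarchy."""
    return [(org, name) for org, name in references
            if name not in policies or not is_available(policies[name], org)]

if __name__ == "__main__":
    print(available_policies("root/CompanyA/dc1/app1/tier1"))
    refs = [("root/CompanyA/dc1", "root-acl"),   # root policy: allowed
            ("root/CompanyA/dc1", "b-fw"),       # other tenant: flagged
            ("root/CompanyAB", "a-fw")]          # similar name, other tenant: flagged
    print(out_of_scope_references(refs))
```

Any pair returned by out_of_scope_references is a cross-tenant or
wrong-branch reference that the hierarchy rule should not permit.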