Tenant Management
The topics in this section describe how to manage tenants in Standalone mode. For information on managing tenants in Orchestrator mode, see Integrating with DCNM.
Tenant Management and Multi-Tenant Environments
Multi-tenant environments are supported. A multi-tenant environment divides a large physical infrastructure into logical entities called organizations. As a result, organizations are logically isolated from one another without each organization needing a dedicated physical infrastructure.
The administrator can assign unique resources to each tenant through the related organization in the multi-tenant environment. These resources can include policies, pools, device profiles, service devices, and so on. The administrator can use locales to assign or restrict user privileges and roles by organization if access to certain organizations needs to be restricted.
Users with the tenant-admin role can see only those objects and resources that are related to their associated tenants as defined by the locales and organizations assigned to them. They cannot see the policies or resources of other tenants. Tenant-admin users can view faults only for the resources (such as firewalls or load balancers) that they manage. They cannot see diagnostic information or configure administrative options.
The tenant-admin role has the following privileges:
- Policy management
- Resource configuration
- Tenant management
The multi-tenant hierarchy has the following levels, from top to bottom:
- root
- Tenant
- Virtual Data Center
- Application
- Tier
The root can have multiple tenants. Each tenant can have multiple data centers. Each data center can have multiple applications, and each application can have multiple tiers.
The policies and pools created at the root level are systemwide and are available to all organizations in the system. However, any policies and pools created in an organization below the root level are available only to those resources that are below that organization in the same hierarchy.
For example, if a system has tenants named Company A and Company B, Company A cannot use any policies created in the Company B organization. Company B cannot access any policies created in the Company A organization. However, both Company A and Company B can use policies and pools in the root organization.
Name Resolution in a Multi-Tenant Environment
In a multi-tenant environment, the organization hierarchy is used to resolve the names of policies and resource pools. Names are resolved as follows:
- The policies and pools in the organization assigned to the device profile or security policy are checked for the specified name.
- If the policy or pool is found, that policy or pool is used.
- If the policy or pool does not contain available resources at the local level, the search moves up the hierarchy to the parent organization and checks for a policy with the specified name. This step repeats until the search reaches the root organization.
Note
Object name reference resolution takes an object name and, starting from an organization container, resolves it to the object with the same name that is closest in the tree when searching upward toward root. If no object with the specified name is found, a corresponding default object is used. For example, assume that an SNMP policy named MySNMP exists under a data center and that another SNMP policy, also named MySNMP, exists in the tenant above it in the same tree. In this case, the user cannot explicitly select the tenant's MySNMP policy from within the data center, because the data center's policy is found first. To select the SNMP policy under the tenant, the user must give the object a unique name within the given tree.
- If the search reaches the root organization and no assigned policy or pool is found, a default policy or pool is searched for, starting at the current level and going up the chain to the root level. If a default policy or pool is found, it is used. If no policy is available, a fault is generated.
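The following is an added worked example, not code from the product or its documentation, that models both the scoping rule from the Tenant Management section (a policy created in Company B is invisible to Company A, while root-level objects are available to everyone) and the resolution steps listed above. It assumes the fallback object is literally named "default", that a pool's "available resources" can be modelled as a free count, and uses constructed organization, policy and pool names.

```python
"""Hierarchical policy/pool name resolution (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Tuple, Union

DEFAULT_NAME = "default"  # assumption: the fallback object carries this exact name


@dataclass
class Policy:
    name: str

    def has_capacity(self) -> bool:
        return True  # a policy is simply present or absent; nothing to exhaust


@dataclass
class Pool:
    name: str
    free: int  # assumption: "available resources" is a free-entry count

    def has_capacity(self) -> bool:
        return self.free > 0


Obj = Union[Policy, Pool]


@dataclass
class Org:
    """One node of the root > tenant > virtual data center > application > tier tree."""
    name: str
    parent: Optional["Org"] = None
    objects: Dict[str, Obj] = field(default_factory=dict)

    def add(self, obj: Obj) -> "Org":
        self.objects[obj.name] = obj
        return self

    def lineage(self) -> Iterator["Org"]:
        """Yield this org, then each parent up to root: the documented search order."""
        org: Optional[Org] = self
        while org is not None:
            yield org
            org = org.parent


def can_use(consumer: Org, owner: Org) -> bool:
    """An org may use objects owned by itself or any ancestor, never by a sibling subtree."""
    return any(level is owner for level in consumer.lineage())


def resolve(org: Org, name: str) -> Tuple[Org, Obj]:
    """Resolve `name` for `org`:
    steps 1-3: walk from org toward root and take the closest object with that
               name that still has available resources;
    step 4:    if root is reached without a hit, repeat the walk for the default object;
    otherwise raise LookupError, standing in for the generated fault."""
    for wanted in (name, DEFAULT_NAME):
        for level in org.lineage():
            obj = level.objects.get(wanted)
            if obj is not None and obj.has_capacity():
                return level, obj
    raise LookupError(f"fault: no '{name}' and no '{DEFAULT_NAME}' reachable from {org.name}")


def build_sample_tree() -> Dict[str, Org]:
    """Constructed hierarchy: two tenants under root, one data center under Company A.
    Both Company A and DC1 define MySNMP, so DC1's copy shadows the tenant's;
    DC1's address pool is exhausted, so lookups from DC1 climb to Company A's."""
    root = Org("root").add(Policy("default")).add(Pool("addrs", free=100))
    company_a = Org("Company A", root).add(Policy("MySNMP")).add(Pool("addrs", free=5))
    company_b = Org("Company B", root).add(Policy("B-only"))
    dc1 = Org("DC1", company_a).add(Policy("MySNMP")).add(Pool("addrs", free=0))
    return {"root": root, "A": company_a, "B": company_b, "DC1": dc1}


if __name__ == "__main__":
    t = build_sample_tree()
    for org, name in ((t["DC1"], "MySNMP"), (t["A"], "MySNMP"),
                      (t["DC1"], "addrs"), (t["DC1"], "B-only")):
        level, obj = resolve(org, name)
        print(f"{org.name:9} asks for {name:7} -> {type(obj).__name__} '{obj.name}' from {level.name}")
    print("Company A can use a Company B policy:", can_use(t["A"], t["B"]))
```

Running the script shows the four cases the text describes: DC1's own MySNMP wins over the tenant's copy, the exhausted DC1 pool is skipped in favour of Company A's, a name that exists only in Company B falls through to the root default, and the isolation check between the two tenants is false.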