Channel: Tomas Fojta – Tom Fojta's Blog

What Are VMware Cloud Director Three Personas?


Introduction

If you have installed VMware Cloud Director 10.5, you might have noticed a new, disabled feature flag called Three Personas. This is a preview of a new capability that will be added to VCD iteratively in upcoming releases. However, you can already use some of it today after enabling the feature flag.

This new feature makes it possible to create sub-provider-like organizations that have the right to manage other organizations without having full VCD system admin rights. In this first iteration the sub-provider cannot create such organizations or add any resources to them, but can operate within their context on their behalf. While this only scratches the surface of things to come, it already covers some use cases that were requested by many service providers, namely the ability to empower a provider support team to manage certain tenant-level operations in a subset of organizations without access to the infrastructure-related objects that only system admins should manage (PVDCs, Provider Gateways, VCs, …).

How to Get Started

After you enable the feature flag, you will notice that a new Default Sub-Provider Entitlement rights bundle is created with the new right Access Control: Organization: Administer and traverse into other organizations.

We need to create a new global role, “Sub-Provider Administrator”, which we clone from the Global Organization Administrator role and then add this new right to it.

Now we can create the Sub-Provider organization. We use the regular New Organization UI workflow. Notice, however, the new Enable sub-provider option. When it is selected, the Default Sub-Provider rights bundle is automatically assigned to this organization.

We then publish the new Sub-Provider Administrator global role to this organization.

Now you can create some users in this Sub-Provider organization and assign them the new global role.

Now we can log in to the Sub-Provider organization and see that Administration > Organizations lists only our own organization.

This is because we have not yet been entitled to see other specific organizations. In VCD 10.5 this step currently requires API usage.

While logged in as a system admin with API version 39.0.0-alpha, run the GET Org OpenAPI call on the organization you want to manage as the sub-provider (ACME Org. in my case). Notice the new managedBy section in the output JSON.

By default every org is managed by the System org. We change it to our Sub-Provider org with a PUT on the same Org endpoint.
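The GET/modify/PUT step above, sketched as an added example that is not code from the original post. The endpoint path `/cloudapi/1.0.0/orgs/{id}`, bearer-token authentication, the `{name, id}` shape of `managedBy`, and all URNs and names are assumptions or constructed values; the audit helper goes slightly beyond the text by listing which organizations are delegated away from System.

```python
import copy
import json
import re
import urllib.request

API_VERSION = "39.0.0-alpha"  # API version named in the article
ORG_URN = re.compile(r"^urn:vcloud:org:[0-9a-f-]{36}$")

# Constructed GET Org response; field layout and URNs are assumptions.
ACME = {
    "id": "urn:vcloud:org:11111111-1111-1111-1111-111111111111",
    "name": "ACME Org.",
    "managedBy": {"name": "System",
                  "id": "urn:vcloud:org:00000000-0000-0000-0000-000000000000"},
}
SUB_PROVIDER = {"name": "Sub-provider",
                "id": "urn:vcloud:org:22222222-2222-2222-2222-222222222222"}

def reassign_managed_by(org, manager):
    """Return a copy of the org document with only managedBy replaced."""
    if "managedBy" not in org:
        raise ValueError("no managedBy section; check the API version used")
    if not ORG_URN.match(manager["id"]):
        raise ValueError("manager id is not an organization URN")
    updated = copy.deepcopy(org)
    updated["managedBy"] = {"name": manager["name"], "id": manager["id"]}
    return updated

def changed_fields(before, after):
    """Top-level keys that differ; review this before sending the PUT."""
    return sorted(k for k in before.keys() | after.keys()
                  if before.get(k) != after.get(k))

def build_put(host, token, org):
    """Prepare (not send) the PUT on the same Org endpoint (path assumed)."""
    return urllib.request.Request(
        url=f"https://{host}/cloudapi/1.0.0/orgs/{org['id']}",
        data=json.dumps(org).encode(),
        method="PUT",
        headers={"Accept": f"application/json;version={API_VERSION}",
                 "Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})

def delegated_orgs(orgs, system_name="System"):
    """Audit helper: orgs whose managedBy is not the System org."""
    return sorted(o["name"] for o in orgs
                  if o.get("managedBy", {}).get("name") != system_name)
```

Pass the prepared request to `urllib.request.urlopen` to send it; running `delegated_orgs` over a full org listing gives a quick review of which tenants a sub-provider can traverse into.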

You can immediately see in the Sub-provider Org UI that the ACME Org is accessible and we can traverse to it.

ACME Org in the sub-provider context.

Any tasks performed or objects created in the ACME Org within the sub-provider context will be marked/owned by SYSTEM.

