Case of Multiple tenants in vCAC

Before I start on the topic I wish to thank my readers. I’m blogging after more than four months, however I see my post is hitting consistently around 6000 hits per month. I’m surprised and pleased.

Disclaimer: This blog and any blog posts do not represent my current organization in any form.



Hope these are all genuine readers and getting most out of my blog.

When I thought about this post, I asked myself why we need multiple tenants. What are the use cases for the multiple tenants. Before we dive into use case, let’s first understand few roles and what they can do (a.k.a privileges).

  1. Tenant Administrator
  2. Infrastructure Administrator
  3. Fabric Administrator

When you first create tenant, you have to create two roles. Tenant Administrator and Infrastructure Administrator. At first thought I felt both these roles are unique to the tenant and responsible for managing tenants under which they are created. However it is not completely true. Tenant administrator controls tenant for which he is assigned but Infrastructure Administrator can control every other tenant’s infrastructure tab irrespective if he is infrastructure administrator for the tenant, all Infrastructure Administrators (of all tenants) can control infrastructure. In simple words, infrastructure administrator of any tenant can modify anything inside infrastructure tab.

However it is different discussing as to whether Infrastructure should do cross tenant administration. My first thoughts on this – Please do not mess with this one, however totally understand human errors behind this exposure. We make mistakes.

Another role we create is fabric Administrator, Fabric administrator again see infrastructure Tab and same principle applies as for infrastructure administrator.

Infrastructure Administrator role and Fabric Administrator role see common elements across the tenants


It is worth to note, Infrastructure tab is coming from IIS Web server of vCAC infrastructure.

Lets see what are these common elements are

For Infrastructure Administrators

  1. Under Endpoints –All endpoints you create/configure are visible to all infrastructure Administrator irrespective of tenants
  2. Under Endpoints -Endpoints Credentials – All endpoint credentials are visible all Infrastructure Administrator irrespective of tenants
  3. Monitoring (logs, Audit, Workflows) –Monitoring tab is visible across tenants to all infrastructure administrators
  4. Under Groups – Fabric is visible across tenants to all infrastructure administrators

Below is sample view of Infrastructure tab a Infrastructure administrator sees


Below flow chart I’m trying to explain where Infrastructure administrator spends most of the time



For Fabric Administrators

1. Reservations are visible across the tenants to all infrastructure administrators but you can do a little trick. Do no share fabric and it will give isolation at reservation level as well.

2. Machine Prefix – Machine prefix is visible across all the tenants to all infrastructure administrators. In below figure company-A fabric administrator can see company-B’s machine prefix and vice versa.


3. Manual Data collection requests option. This option is needed when you wish to update inventory of your vCenter into vCAC.

4. Network Profiles. These policies are visible across the tenants to all infrastructure administrators. It also means network policy created for company-A can be edited/deleted by fabric administrator of company-B


  5. Reservation Policies. I will explain the actual use of reservation policy in future posts


Below is sample view of Infrastructure tab a fabric administrator sees



Below flow chart I’m trying to explain where Fabric Administrator spends time



Everything after this is very specific to tenants. Following things are controlled by Tenant Administrators

  1. Tenant Administrator creates Blueprints
  2. Tenant Administrator creates Business groups
  3. Tenant Administrator creates services
  4. Tenant Administrator creates entitlement
  5. Tenant Administrator creates catalog
  6. Tenant Administrator creates Approval Policy
  7. Tenant Administrator creates & configure email servers (SMTP)

In below flow chart I’m trying to explain where tenant administrator spends most of this time


In below screen show Tenant A and Tenant B is controlled by Fabric, Tenant  and Infrastructure Administrators


Fabric Administrator and Infrastructure Administrator at both the ends can configure & control Tenants A & B and have full privileges across the tenants. Tenant A and Tenant B Administrator controls individual tenant configurations.

                                                                                                                                             HandyTips                                                                                                                              When you publish blueprint it become catalog. When you create service you add this catalog (published blueprint) to the service. Service can contain multiple catalog (published blueprints). Use firefox browser for better results with vCAC.


So you get true isolation/Multi-tenancy only at Blueprints, Services and catalog level. So answer to our main question is when we go for multiple tenants.

When we do NOT want Catalogs , blueprints and services to be shared.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s