vRA without Windows – The Business Group API | Writing about tech and anything else I find interesting

I’ve been asked a few times now if it’s possible to use vRA without Windows.

The typical use case for this is when you only plan to use Advanced Services Designer (ASD), without the typical VM lifecycle management. Most recently, I was asked about this by Magnus Andersson of Nutanix, with regard to using the Horizon vCO plugin.

Deployment is of course a piece of cake, and without our .NET components slowing us down, the performance is also quite nice.

The one dilemma with trying to do this is that you need to entitle access to a Catalog Item to members of a Business Group. That’s the same Business Group whose configuration in the GUI shows up under the Infrastructure tab. That’s the Infrastructure tab that doesn’t show up until you nominate an Infrastructure admin, which in turn requires you to install the IaaS bits.

Where this starts to get very interesting is that Business Groups (which you may hear referred to as “sub-tenants”) are actually managed by the AuthN service on the vRA Appliance.

So without further ado, let’s look at how we can make this work via the API.

Assumptions

  1. Identity Source is configured.

  2. Tenant Admin is defined.

Authenticating

See this post.

Creating the Business Group

Headers:

Content-Type: application/json

Accept: application/json

Authorization: Bearer <token>

Request:

POST https://<vra_host>/identity/api/tenants/<tenant_name>/subtenants

Request Body:

{
  "@type" : "Subtenant",
  "name" : "ASD Business Group"
}

Note: The values shown here are examples; insert the appropriate values for your environment.

Adding Roles

Headers:

Content-Type: application/json

Accept: application/json

Authorization: Bearer <token>

Before you can add roles, you need to get your Business Group ID.

Request:

GET https://<vra_host>/identity/api/tenants/<tenant_name>/subtenants

Once you have the Business Group ID, you can build out the following URI to add roles to the group. The Business Group ID goes in the <tenant_id> position.

Request:

POST https://<vra_host>/identity/api/tenants/<tenant_name>/subtenants/<tenant_id>/roles

Request Body:

[
  {
    "@type" : "SubtenantRole",
    "name" : "Basic User",
    "scopeRoleRef" : "CSP_CONSUMER",
    "principalId" : [
      {
        "domain" : "melb.vmware.local",
        "name" : "VMware staff"
      }
    ]
  },
  {
    "@type" : "SubtenantRole",
    "name" : "Business Group Manager",
    "scopeRoleRef" : "CSP_SUBTENANT_MANAGER",
    "principalId" : [
      {
        "domain" : "melb.vmware.local",
        "name" : "gorchard"
      }
    ]
  },
  {
    "@type" : "SubtenantRole",
    "name" : "Support User",
    "scopeRoleRef" : "CSP_SUPPORT",
    "principalId" : []
  }
]

The result?

The ability to create an entitlement and associate a Business Group with it without having to install the IaaS components.
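The three calls above (create the Business Group, look up its ID, add roles) chained together, as an added Python example that is not code from the original post. It uses the `/tenants/` path form from the create request; the function names, the hostname `vra.example.com`, the tenant `vsphere.local`, the token and the group ID are placeholders, and it assumes the list response wraps its entries in a `content` array with `id` and `name` fields.

```python
import json
import urllib.parse
import urllib.request

def build(host, token, method, path, body=None):
    """Build (not send) an identity-service request with the headers listed in the post."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"https://{host}/identity/api{path}", data=data, method=method)
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req

def subtenants_path(tenant):
    # Quote the segment so a tenant name cannot change the structure of the URI.
    return f"/tenants/{urllib.parse.quote(tenant, safe='')}/subtenants"

def create_group(host, token, tenant, name):
    body = {"@type": "Subtenant", "name": name}
    return build(host, token, "POST", subtenants_path(tenant), body)

def list_groups(host, token, tenant):
    return build(host, token, "GET", subtenants_path(tenant))

def group_id(listing, name):
    """Return the ID of the single Business Group called `name` (assumed response shape)."""
    ids = [g["id"] for g in listing.get("content", []) if g.get("name") == name]
    if len(ids) != 1:  # refuse to assign roles to an ambiguous or missing group
        raise LookupError(f"expected exactly one group named {name!r}, found {len(ids)}")
    return ids[0]

def add_roles(host, token, tenant, gid, roles):
    path = f"{subtenants_path(tenant)}/{urllib.parse.quote(gid, safe='')}/roles"
    return build(host, token, "POST", path, roles)

def send(req):
    """Send a built request; urllib verifies the appliance's TLS certificate by default."""
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

if __name__ == "__main__":
    # Constructed sample data; nothing is sent, the final request is only printed.
    sample = {"content": [{"@type": "Subtenant", "id": "example-id-1", "name": "ASD Business Group"}]}
    gid = group_id(sample, "ASD Business Group")
    role = {"@type": "SubtenantRole", "name": "Support User", "scopeRoleRef": "CSP_SUPPORT", "principalId": []}
    req = add_roles("vra.example.com", "TOKEN", "vsphere.local", gid, [role])
    print(req.get_method(), req.full_url)
```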

Enjoy!