I've just migrated this site to Jekyll, along with making use of VMware Clarity styling. Please excuse any formatting issues while I bed in the migration.

Revisiting Multi-Tenancy in vRealize Automation

One of the things that I am asked about at each dot release of vRealize Automation is what changes to multi-tenancy have been introduced. While I took a fairly hard stance on this back in the 6.x days, I’m pleased to say that I can hand on heart say that my misgivings have largely been put to bed.

The main issue that I had when describing multi-tenancy capability was that a Fabric Administrator had the ability to assign resources across tenants – that bleed across tenants gave me real concerns about the viability of using vRA as a multi-tenant solution.

In vRealize Automation 7.1, a change was introduced that constrains the ability of a Fabric Administrator to assign Reservations – it is now only possible to assign Reservations to a Business Group within the tenant to which you are logged in. The caveat here is that if the Fabric Administrator has also been assigned the Infrastructure Administrator role then it will be able to assign Reservations across tenants. TLDR version – separation of duties and roles is critical in a multi-tenant world.

So now, as a Service Provider (for internal or external clients) you can be responsible for adding an Endpoint, and then hand over the ability to carve resources out of it to your customer. We’re getting closer!

In the sake of full disclosure, please remember that Fabric Administrators have visibility of Network Profiles – so we aren’t quite there yet, but we’re pretty damn close.