Revisiting Multi-Tenancy in vRealize Automation | Writing about tech and anything else I find interesting

Revisiting Multi-Tenancy in vRealize Automation

One of the things that I am asked about at each dot release of vRealize Automation is what changes to multi-tenancy have been introduced. While I took a fairly hard stance on this back in the 6.x days, I am pleased to say that I can hand on heart say that my misgivings have largely been put to bed.

The main issue that I had when describing multi-tenancy capability was that a Fabric Administrator had the ability to assign resources across tenants. This bleeding across tenants gave me real concerns about the viability of using vRA as a multi-tenant solution.

In vRealize Automation 7.1, a change was introduced that constrains the ability of a Fabric Administrator to assign Reservations - it is now only possible to assign Reservations to a Business Group within the tenant to which you are logged in. The caveat here is that if the Fabric Administrator has also been assigned the Infrastructure Administrator role then it will be able to assign Reservations across tenants. TLDR version: separation of duties and roles remains critical in a multi-tenant world.

So now, as a Service Provider (for internal or external clients) you can be responsible for adding an Endpoint, and then hand over the ability to carve resources out of it to your customer. We are getting closer!

In the sake of full disclosure, please remember that Fabric Administrators have visibility of Network Profiles. This means that we aren;t quite there yet, but we are pretty damn close.