VMware Cloud Director – Simple Rights Management with Bundles

As a VMware Cloud Provider, you have numerous options when it comes to giving tenants access to VMware Cloud Director (VCD) features. You can give tenants restricted access to the underlying system and offer fully managed services, or provide comprehensive feature access which allows tenants to use their resources in self-service way, or something in between.

However, what if you could offer different service levels to different tenants without burdening the operations team?

How could you quickly toggle feature access and create new monetization opportunities?

The answer is Rights Bundles.

Rights Bundles were introduced in VCD way back when it was still vCloud Director, in version 9.5.

A Rights Bundle is a collection of rights. The trouble is a Role is also a collection of rights, so some of the reaction to Rights Bundles was along the lines of, “Ok, cool. So now I have to define a role twice to give a user access to a feature instead of just once. Thanks!</end sarcasm>” You certainly could take that approach to rights management, but it’s not the way we developed it.

Rights Bundles vs. Roles

Now that we know how Rights Bundles are the same as Roles (both are collections of rights), it helps to also know how they differ. A Rights Bundle is a collection of rights for a tenant organization. A Role is a collection of rights for a user. A Rights Bundle defines what a tenant organization has access to. A Role defines what an individual user has access to. Simple stuff. Also, Rights Bundles are always defined globally, and they can be applied to zero or more tenants. Roles can be either tenant-specific (defined within a single organization and visible only to that organization) or global (defined globally and applied to zero or more tenants). Putting all the pieces together looks something like this:

Block diagram of RBAC components in Cloud Director

Here’s where things get a bit trickier. With Rights Bundles, a Role, as seen by a tenant organization, will only contain the rights that are assigned to that tenant organization through its Rights Bundles. This is true whether the Role is tenant-specific or global.

This is a critical feature, as it allows you to use Global Roles more effectively. A few pictures provide a clear explanation. The ‘Organization Administrator’ Role for a tenant should contain all of the rights that the tenant has access to.

We’ve already established that not all tenants get the same entitlements. How can you avoid creating a tenant-specific ‘Organization Administrator’ for each tenant organization? You make a Global Role that represents the entitlements of your most privileged tenant. Let’s assume this includes self-service of all the NSX bells and whistles. Your Global Role looks like this:

Edit dialog for Organization Administrator global role

Now you have two tenants, A and B.

You want A to have access to all the functionality; B requires a limited set of controls. By including these rights in the Rights Bundle assigned to A, and excluding them from B, you can apply the same Global Role to both tenants. An Organization Administrator in tenant A sees all the things:

View of Gateway Services rights for a user in Tenant A

While an Organization Administrator in tenant B doesn’t even know such a thing exists:

View of Gateway Services rights for a user in Tenant B (not visible)

One Global Role to maintain. Two very different tenant experiences from that Role. All made possible by Rights Bundles.

We’ve already looked at the first step to low-maintenance rights management: create Global Roles that represent your most privileged tenants. You don’t need to create tenant-specific roles. The only other step is creating effective Rights Bundles. I propose creating Rights Bundles to match your tiers of service and any features that could be separately monetized.

This will vary from provider to provider, but the end result looks something like this:

View of Rights Bundles based on tiers of service and monetizable entitlements

I’ve created 3 Rights Bundles representing 3 levels of offering, from fully managed to highly self-service.

VM monitoring, dynamic routing, and CPoM are individual Rights Bundles for additional tenant upgrade options. And I’ve modified my tenant provisioning process (a vRO workflow…I like forms) to include a drop-down for service tier and checkboxes for extra features. These inputs control assigning Rights Bundles to the newly provisioned tenant. Tenants can choose to upgrade or downgrade functionality post-provisioning. It’s as simple as adding or removing the corresponding Rights Bundle. The tenant’s roles automatically take the available rights into consideration. You can add as many Rights Bundles as you want to a tenant. The effective set of rights that a tenant user can have is the union of the rights from all Rights Bundles assigned to the tenant, and any Role, global or tenant-specific, is trimmed to that set when viewed from inside the tenant.
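As an added illustration of the rule just described (this is a model written for this post, not code from VCD or from the post itself), here is a small Python sketch of how effective rights are derived: a tenant's entitlements are the union of its assigned Rights Bundles, and a Role seen from inside that tenant is the Role's rights intersected with those entitlements. The right names, bundle names and tenants are constructed for the example and are not VCD's real identifiers.

```python
# Constructed sample rights; names are illustrative, not VCD's exact right names.
BASIC_RIGHTS = {"vApp: View", "vApp: Edit", "Catalog: View"}
GATEWAY_RIGHTS = {"Gateway Services: View", "Gateway Services: Configure NAT"}
DYNAMIC_ROUTING_RIGHTS = {"Gateway Services: Configure Dynamic Routing"}

# Rights Bundles are always global: bundle name -> set of rights.
RIGHTS_BUNDLES = {
    "Tier 1 - Managed": set(BASIC_RIGHTS),
    "Tier 3 - Self-Service": BASIC_RIGHTS | GATEWAY_RIGHTS,
    "Dynamic Routing": set(DYNAMIC_ROUTING_RIGHTS),
}

# One Global Role sized for the most privileged tenant (constructed example).
GLOBAL_ROLES = {
    "Organization Administrator": BASIC_RIGHTS | GATEWAY_RIGHTS | DYNAMIC_ROUTING_RIGHTS,
}

# Which bundles each tenant has been assigned (constructed; mutable for upgrades).
TENANTS = {
    "A": ["Tier 3 - Self-Service", "Dynamic Routing"],  # full self-service plus an upgrade
    "B": ["Tier 1 - Managed"],                           # limited controls only
}


def tenant_entitlements(assigned_bundles):
    """Effective rights a tenant can ever have: the union of its Rights Bundles."""
    rights = set()
    for name in assigned_bundles:
        rights |= RIGHTS_BUNDLES[name]
    return rights


def effective_role(role_name, assigned_bundles):
    """A Role as seen inside a tenant: Role rights limited to the tenant's entitlements."""
    return GLOBAL_ROLES[role_name] & tenant_entitlements(assigned_bundles)


def can_user(tenant, role_name, right):
    """True if a user holding role_name in the given tenant effectively has the right."""
    return right in effective_role(role_name, TENANTS[tenant])


def assign_bundle(tenant, bundle):
    """Tenant upgrade: add a bundle; roles pick up the new rights automatically."""
    if bundle not in TENANTS[tenant]:
        TENANTS[tenant].append(bundle)


def remove_bundle(tenant, bundle):
    """Tenant downgrade: drop a bundle; its rights disappear from every role in the tenant."""
    TENANTS[tenant] = [b for b in TENANTS[tenant] if b != bundle]
```

Run it with the same Global Role for both tenants and note that an Organization Administrator in B never sees the gateway rights, while adding or removing the "Dynamic Routing" bundle changes B's effective role without touching the Role definition.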

Are you using Rights Bundles effectively? If so, what’s your strategy? Still not convinced that Rights Bundles are a valuable addition to Cloud Director? Drop a note in the comments section!

Interested in adding an IAM solution to Cloud Director to complement your new rights management skills? Check out this post.