VCP6-CMA Study Guide – Section 4: Configure and Administer Tenants and Business Groups
I started to publish a draft study guide a while back for the VCP-CMA beta exam, and never really finished it before I sat the exam itself. I have two more sections completed (out of ten, poor!) so I’m putting them out there for folks to reference. The exam itself is still in the beta process and has not been released to schedule, but I’m guessing they’ll be trying to get it ready for VMworld next month.
I wrote a previous post about my beta exam experience, which you can read here, but it may well not reflect the finished article (i.e. the released exam). Anyway, on with Section 4 of the study guide.
Objective 4.1: Create and Manage Business Groups
Identify Business Group roles and their specific privilege levels
- A business group associates a set of services and resources to a set of users, often corresponding to a line of business, department, or other organizational unit.
- Business groups are managed on the Infrastructure tab but are used throughout the service catalog. Entitlements in the catalog are based on business groups. To request catalog items, a user must belong to at least one business group.
- A business group can have access to catalog items specific to that group and to catalog items that are shared between business groups in the same tenant. In IaaS, each business group has one or more reservations that determine on which compute resources the machines that this group requested can be provisioned.
- A business group must have at least one business group manager, who monitors the resource use for the group and often is an approver for catalog requests. In IaaS, group managers also create and manage machine blueprints for the groups they manage. Business groups can also contain support users, who can request and manage machines on behalf of other group members.
- Business group managers can also submit requests on behalf of their users. A user can be a member of more than one business group, and can have different roles in different groups.
Identify and Manage Business Group Manager role
- Manages one or more business groups.
- Typically a line manager or project manager.
- Business group managers manage catalog items and entitlements for their groups in the service catalog.
- They can request and manage items on behalf of users in their groups. They are also service architects in Infrastructure as a Service.
- Responsibilities include:
  - Create and publish business group–specific machine blueprints from IaaS.
  - Manage business group–specific catalog items and entitlements.
  - Monitor resource usage in a business group.
Identify and Manage Support User role
- A role in a business group.
- Support users can request and manage catalog items on behalf of other members of their groups.
- This role is typically an executive administrator or department administrator
- Request and manage items on behalf of other users within their business groups.
Identify and Manage User role
- Presumably this means the “Business User” role, which is an end user, or consumer of catalog items from the self service portal
- Request and manage services.
Assign Active Directory Users and Groups to Business Group Roles
- Done in the Infrastructure -> Groups -> Business Groups tab
- Under the User Role field, enter search string and click the search icon
- Select AD user or group you want to add and then click OK
Create and manage Machine Prefixes
- Machine prefixes are added to VMs provisioned from within vRA but can be overridden if need be by Business Group managers
- Managed within the Business Group by clicking the ellipsis to the right of the field for default machine prefix
- Either select an existing machine prefix or create a new one by entering the machine prefix, number of digits and next number (e.g. vm-001)
- Machine prefixes are shared across all tenants and must be created by a fabric administrator
- Can also be created and managed under Infrastructure -> Blueprints -> Machine Prefixes
Identify and Configure Custom Properties
- You can add custom properties to a blueprint to specify attributes of a machine or to override default specifications.
- You can also add build profiles to a blueprint as a convenience for specifying multiple custom properties
- A machine owner, business group manager or fabric administrator can add, change, or delete custom properties for a provisioned machine.
- Custom properties can be added to Business Groups by editing the Business Group, scrolling to the bottom and clicking “New Property”. Add a name, value and whether or not you want to encrypt it (usually only used for passwords) and whether or not to prompt the user for a value (machine name, for example).
- Custom properties can be used for various tasks, for example placing all VMs from a certain Business Group into a vCenter folder for management
- Custom properties can also be added to Blueprints
- Custom properties can be marked as required values when creating a blueprint
- The Windows guest agent records property values on the provisioned machine in the %SystemDrive%\VRMGuestAgent\site\workitem.xml file.
- The Linux guest agent records property values on the provisioned machine in the /usr/share/gugent/site/workitem.xml file
Objective 4.2: Create and Manage Tenants
Configure branding for the vRealize Automation console
- System administrators control the default branding for tenants. Tenant administrators can use the default or reconfigure branding for each tenant
- Log in to the vRealize Automation console as a system administrator or tenant administrator
- Select Administration > Branding.
- Clear the Use default check box.
- Create a banner.
- Click Choose File to upload a logo image. Follow the prompts to finish creating the banner.
- Click Next.
- Type the copyright information in the Copyright notice text box and press Enter to preview your selection.
- (Optional) Type the URL to your contact page in the Contact link text box and press Enter to preview your selection.
- Click Update. The console is updated with your changes.
Add and configure Tenant-specific inbound and outbound email notifications
- Tenant administrators can add an outbound email server to send notifications for completing work items, such as approvals.
- Each tenant can have only one outbound email server. If your system administrator has already configured a global outbound email server, you can override this at tenant level
- Select Administration > Notifications > Email Servers
- Click the Add icon
- Select Email – Outbound. Fill out the form as needed, choose to Test Connection if required
- Select Administration > Notifications > Email Servers
- Click the Add icon
- Select Email – Inbound, fill out the form as needed.
- Click OK.
Override and Revert to system default email servers
- To override these settings at tenant level, select Administration > Notifications > Email Servers.
- Select the Outbound/Inbound email server.
- Click Override Global, fill out the form as needed
- If the system administrator has configured a system default outbound/inbound email server, tenant administrators can override this global setting.
Identify and add Identity Stores in vRealize Automation
- vRA uses the concept of Identity Stores to perform authentication of users and leverage existing users and groups to assign to roles.
- If the Identity Appliance is AD joined, the default tenant can use native AD mode (i.e. not LDAP lookup)
- Any subsequent tenants must use LDAP
- Click Administration -> Identity Stores
- Click Add Identity Store to add a new identity store
- Choose a Name
- Select the type (OpenLDAP or Active Directory)
- Enter the URL for the identity store. For example, ldap://10.141.64.166:389 (636 for LDAPS).
- Enter the domain name of the identity store
- Enter an optional domain alias (shortens the login from the vRA appliance page)
- Enter the login user Distinguished Name. For example, cn=demoadmin,ou=demo,dc=dev,dc=mycompany,dc=com
- Enter the password for the identity store login user.
- Enter the group search base Distinguished Name. For example, ou=demo,dc=dev,dc=mycompany,dc=com.
- Enter the user search base Distinguished Name.
- Click Test Connection.
- Click Add.
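A pre-flight check for the values entered in the steps above, as an added example that is not part of the original study guide or of vRealize Automation. It flags an unencrypted ldap:// URL and checks that the login and search base Distinguished Names are well formed and that their dc= components agree with the domain name. The function names, the sample domain name and the user search base value are assumptions, and the DN parser handles only simple comma-separated DNs.

```python
import re
from urllib.parse import urlsplit

# One simple RDN such as "cn=demoadmin"; escaped commas and multi-valued RDNs are not handled.
RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*([^,=+]+?)\s*$")

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs; raise ValueError if malformed."""
    pairs = []
    for part in dn.split(","):
        m = RDN.match(part)
        if not m:
            raise ValueError(f"malformed DN component {part!r} in {dn!r}")
        pairs.append((m.group(1).lower(), m.group(2).lower()))
    return pairs

def dn_domain(dn):
    """DNS domain implied by the dc= components, e.g. dc=dev,dc=mycompany,dc=com."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")

def check_identity_store(url, domain, login_dn, group_base, user_base):
    """Return a list of findings for values destined for the Add Identity Store form."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        findings.append("url: expected ldap://host:port or ldaps://host:port")
    elif parts.scheme == "ldap":
        findings.append("url: ldap:// is unencrypted, so the login user's password "
                        "is exposed on the network; use ldaps:// (port 636)")
    for field, dn in (("login DN", login_dn), ("group search base", group_base),
                      ("user search base", user_base)):
        try:
            implied = dn_domain(dn)
        except ValueError as exc:
            findings.append(f"{field}: {exc}")
            continue
        if implied != domain.lower():
            findings.append(f"{field}: dc= components give {implied!r}, not {domain!r}")
    return findings

# Constructed sample: the page's example URL and DNs; domain and user_base are assumed values.
SAMPLE = dict(url="ldap://10.141.64.166:389", domain="dev.mycompany.com",
              login_dn="cn=demoadmin,ou=demo,dc=dev,dc=mycompany,dc=com",
              group_base="ou=demo,dc=dev,dc=mycompany,dc=com",
              user_base="ou=demo,dc=dev,dc=mycompany,dc=com")

if __name__ == "__main__":
    print(check_identity_store(**SAMPLE))
```

The domain comparison is a consistency heuristic: it catches a search base pasted from another domain before Test Connection is clicked.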
Create and assign user roles to an Identity Store Group
- Log in to the vRealize Automation console as a tenant administrator
- Select Administration > Users & Groups > Identity Store Users & Groups.
- Enter a user or group name in the Search box and press Enter. (Do not use an at sign (@), backslash (\), or slash (/) in a name).
- You can optimize your search by typing the entire user or group name in the form user@domain.
- Click the name of the user or group to whom you want to assign roles.
- Select one or more roles from the Add Roles to this User list.
- The Authorities Granted by Selected Roles list indicates the specific authorities you are granting.
- (Optional) Click Next to view more information about the user or group.
- Click Update.
- Users who are currently logged in to the vRealize Automation console must log out and log back into the vRealize Automation console before they can navigate to the pages to which they have been granted access.