NetIQ Documentation: PlateSpin Protect 10.4 User Guide - Setting Up Protect Multitenancy on VMware

5.3 Setting Up Protect Multitenancy on VMware

PlateSpin Protect includes unique user roles (and a tool for creating them in a VMware datacenter) that make it possible non-administrative VMware users (or “enabled users”) to perform Protect lifecycle operations in the VMware environment. These roles makes it possible for you, as a service provider, to segment your VMware cluster to allow multitenancy: where multiple Protect containers are instantiated in your datacenter to accommodate Protect customers or “tenants” who want to keep their data and evidence of their existence separate from and inaccessible to other customers who also use your datacenter.

This section includes the following information:

5.3.1 Using Tools to Define VMware Roles

PlateSpin Protect requires certain privileges to access and perform tasks in the VMware Infrastructure (that is, VMware “containers”), making the Protect workflow and functionality possible in that environment. Because there are many of these required privileges, NetIQ has created a file that defines the minimum required privileges and aggregates them respectively into three VMware custom roles:

PlateSpin Virtual Machine Manager
PlateSpin Infrastructure Manager
PlateSpin User

This definition file, PlateSpinRole.xml, is included in the PlateSpin Protect Server installation. An accompanying executable, PlateSpin.VMwareRoleTool.exe,accesses the file to enable the creation of these custom PlateSpin roles in a target vCenter environment.

This section includes the following information:

Basic Command Line Syntax

From the location where the role tool was installed, run the tool from the command line, using this basic syntax:

PlateSpin.VMwareRoleTool.exe /host=[host name/IP] /user=[user name] /role=[the role definition file name and location] /create

NOTE:By default, the role definition file is located in the same folder with the role definition tool.

Additional Command Line Parameters and Flags

Apply the following parameters as needed when you use PlateSpin.VMwareRoleTool.exe to create or update roles in vCenter:

/create	(mandatory) Creates the roles defined by the /role parameter
/get_all_prvileges	Display all server-defined privileges

Optional Flags
/interactive	Run the tool with interactive options that allow you to choose to create individual roles, check role compatibility, or list all compatible roles.
/password=[password]	Provide the VMware password (bypasses the password prompt)
/verbose	Display detailed information

Tool Usage Example

Usage: PlateSpin.VMwareRoleTool.exe /host=houston_sales /user=pedrom /role=PlateSpinRole.xml /create

Resulting Actions:

The role definition tool runs on the houston_sales vCenter server, which has an administrator with the user name pedrom.
In the absence of the /password parameter, the tool prompts for the user password, which you enter.
The tool accesses the role definition file, PlateSpinRole.xml, which is located in the same directory as the tool executable (there was no need to further define its path).
The tool locates the definition file and is instructed (/create) to create the roles defined in the contents of that file in the vCenter environment.
The tool accesses the definition file and creates the new roles (including the appropriate minimum privileges for defined, limited access) inside vCenter.

The new custom roles are to be assigned to users later in vCenter.

(Option) Manually Defining the PlateSpin Roles in vCenter

You use the vCenter client to manually create and assign the PlateSpin custom roles. This requires creating the roles with the enumerated privileges as defined in PlateSpinRole.xml. When you create manually, there is no restriction on the name of the role. The only restriction is that the role names you create as equivalents to those in the definition file have all of the appropriate minimum privileges from the definition file.

For more information about how to create custom roles in vCenter, see Managing VMWare VirtualCenter Roles and Permissions in the VMware Technical Resource Center.

5.3.2 Assigning Roles In vCenter

As you set up a multitenancy environment, you need to provision a single Protect server per customer or “tenant.” You assign this Protect server an enabled user with special Protect VMware roles. This enabled user creates the Protect container. As service provider, you maintain this user’s credentials and do not disclose them to your tenant customer.

The following table lists the roles you need to define for the enabled user. It also includes more information about the purpose of the role:

vCenter Container for Role Assignment	Role Assignment Specifics	Propagate Instructions	More Information
Root of vCenter inventory tree.	Assign the enabled user the PlateSpin Infrastructure Manager (or equivalent) role.	For security reasons, define the permission as non-propagating.	This role is needed to monitor tasks being performed by the Protect software and to end any stale VMware sessions.
All datacenter objects where the enabled user needs access	Assign the enabled user the PlateSpin Infrastructure Manager (or equivalent) role.	For security reasons, define the permission as non-propagating.	This role is needed to allow access to the datacenter’s datastores for file upload/download. Define the permission as non-propagating.
Each cluster to be added to Protect as a container, and each host contained in the cluster	Assign the enabled user the PlateSpin Infrastructure Manager (or equivalent) role.	Propagation is at the discretion of the VMware administrator.	To assign to a host, propagate the permission from the cluster object or create an additional permission on each cluster host. If the role is assigned on the cluster object and is propagated, no further changes are necessary when you add a new host to the cluster. However, propagating this permission has security implications.
Each Resource Pool where the enabled user needs access.	Assign the enabled user the PlateSpin Virtual Machine Manager (or equivalent) role.	Propagation is at the discretion of the VMware administrator.	Although you can assign access to any number of Resource Pools in any location in the tree, you must assign the enabled user this role on at least one Resource Pool.
Each VM folder where the enabled user needs access	Assign the enabled user the PlateSpin Virtual Machine Manager (or equivalent) role.	Propagation is at the discretion of the VMware administrator.	Although you can assign access to any number of VM Folders in any location in the tree, you must assign the enabled user this role on at least one folder.
Each Network where the enabled user needs access. Distributed Virtual Networks with a dvSwitch and a dvPortgroup	Assign the enabled user the PlateSpin Virtual Machine Manager (or equivalent) role.	Propagation is at the discretion of the VMware administrator.	Although you can assign access to any number of networks in any location in the tree, you must assign the enabled user this role on at least one folder. To assign the correct role to the dvSwitch, propagate the role on the Datacenter (resulting in an additional object receiving the role) or place the dvSwitch in a folder and assign the role on that folder. For a standard portgroup to be listed as an available network in the Protect UI, create a definition for it on every host in the cluster.
Each Datastore and Datastore Cluster where the enabled user needs access	Assign the enabled user the PlateSpin Virtual Machine Manager (or equivalent) role.	Propagation is at the discretion of the VMware administrator.	The enabled user must have been assigned this role on at least one Datastore or Datastore Cluster. For Datastore Clusters, the permission must be propagated to the contained datastores. Not providing access to an individual member of the cluster causes both prepare and full replications to fail

The following table shows the role you can assign to the customer or tenant user.

vCenter Container for Role Assignment	Role Assignment Specifics	Propagate Instructions	More Information
Each resource pool(s) and folder(s) where the customer's VMs will be created.	Assign the tenant user the PlateSpin User (or equivalent) role.	Propagation is at the discretion of the VMware administrator.	This tenant is a member of the PlateSpin Administrators group on the PlateSpin Protect server and is also on the vCenter server. If the tenant will be granted the ability to change the resources used by the VM (that is, networks, ISO images, and so forth), grant this user the necessary permissions on those resources. For example, if want to you allow the customer to change the network where their VM is attached, this user should be assigned the Read-only role (or better) on all of the networks being made accessible to the customer.

vCenter Container for Role Assignment

Role Assignment Specifics

Propagate Instructions

More Information

Each resource pool(s) and folder(s) where the customer's VMs will be created.

Assign the tenant user the PlateSpin User (or equivalent) role.

Propagation is at the discretion of the VMware administrator.

This tenant is a member of the PlateSpin Administrators group on the PlateSpin Protect server and is also on the vCenter server.

If the tenant will be granted the ability to change the resources used by the VM (that is, networks, ISO images, and so forth), grant this user the necessary permissions on those resources. For example, if want to you allow the customer to change the network where their VM is attached, this user should be assigned the Read-only role (or better) on all of the networks being made accessible to the customer.

The figure below illustrates a Virtual Infrastructure in the vCenter console. The objects labeled in blue are assigned the Infrastructure Manager role. The objects labeled in green are assigned the Virtual Machine Manager role. The tree does not show VM folders, Networks and Datastores. Those objects are assigned the PlateSpin Virtual Machine Manager role.

Figure 5-1 Roles assigned in vCenter

Security Implications of Assigning VMware Roles

PlateSpin software uses an enabled user only to perform protection lifecycle operations. From your perspective as a service provider, an end user never has access to the enabled user’s credentials and is unable to access the same set of VMware resources. In an environment where multiple Protect servers are configured to use the same vCenter environment, Protect prevents possibilities for cross-client access. The major security implications include:

With the PlateSpin Infrastructure Manager role assigned to the vCenter object, every enabled user can see (but not affect) the tasks performed by every other user.
Because there is no way to set permissions on datastore folders/subfolders, all enabled users with permissions on a datastore have access to all other enabled users’ disks stored on that datastore.
With the PlateSpin Infrastructure Manager role assigned to the cluster object, every enabled user is able to turn off/on HA or DRS on the entire cluster
With the PlateSpin User role assigned at the storage cluster object, every enabled user is able to turn off/on SDRS for the entire cluster
Setting the PlateSpin Infrastructure Manager Role on the DRS Cluster object and propagating this role allows the enabled user to see all VMs placed in the default resource pool and/or default VM folder. Also, propagation requires the administrator to explicitly set the enabled user to have a “no-access” role on every resource pool/VM folder that he or she should not have access to.
Setting the PlateSpin Infrastructure Manager Role on the vCenter object allows the enabled user to end sessions of any other user connected to the vCenter.

NOTE:Remember, in these scenarios, different enabled users are actually different instances of the PlateSpin software.