Managing Classic Organizations

Organizations, Users, and Roles

What Are Organizations

Organizations allow customers to limit the visibility of the data available to users in the VMware Tanzu CloudHealth Console. Using organizations, you can grant multiple stakeholders access to Tanzu CloudHealth without providing them access to data you do not wish them to see (e.g. the marketing department should see only the infrastructure running on behalf of marketing).

To create an organization, you associate it with one or more accounts containing the data you want visible. These accounts can include both cloud accounts (e.g., AWS) and accounts for the additional products and services you have integrated into Tanzu CloudHealth (e.g., Chef). Organizations may have overlapping data (e.g. both your Engineering and DevOps organizations might have access to a common set of accounts).

By default, every company has one default organization that contains all accounts and their corresponding assets. This is also known as the Global organization, since anyone assigned to this organization will have no restrictions on the data they can view. Administrative users can create as many additional organizations as required.

What Are Users

Users are any individual who has access to the Tanzu CloudHealth Console. Users must be authenticated to have access to the Console. There are two approaches to managing authentication using Tanzu CloudHealth:

  • Tanzu CloudHealth as identity provider - The default approach to logging into Tanzu CloudHealth is to use our built-in authentication provider which is included with the service. This requires each user to login using an email address and password, and all users and roles are managed from within the Tanzu CloudHealth Console.
  • External identity provider - Many customers use an external identity provider (e.g. Google, Active Directory Federation Service) for logging into their internal applications. Tanzu CloudHealth provides integration with many common identity providers (such as Google Apps and Azure Active Directory) to allow Single Sign On (SSO) to our Console. When using an external identity provider, the customer is responsible for managing the groups within their directory that grants users access with specific roles to Tanzu CloudHealth.

Organizations work the same for users authenticating through an external or Tanzu CloudHealth identity provider. The administration of organizations, however, varies based on these two approaches to authentication.

What Are Roles

Tanzu CloudHealth provides three default roles:

  • Administrator: The administrator has access to all privileges across all data.
  • Power Users: Power Users have the ability to perform all operations available to an administrator except the ability to create, edit, or delete organizations and users.
  • Standard: Standard Users can view but not edit or delete data within Tanzu CloudHealth.

A role is typically assigned to a user at the time they are invited as users to the Console. For customers using Tanzu CloudHealth authentication, this can be done by clicking the Invite User button from the Users report. For customers who are using an external identity provider for Single Sign On (e.g. Google), adding users can be done by adding users to the appropriate groups in your directory.

In addition to the default roles, you can create your own custom roles that grant just the access you wish to your users. Combining organizations with roles allows you to limit both the data visible to your users, and the actions they can perform on this data.

A user can have only one role in Tanzu CloudHealth. This role, however, can be changed by users with the appropriate permissions.

How to Administer Users, Organizations, and Roles

Explains how to assign users, organizations, and roles in Tanzu CloudHealth.

A user is assigned both a role (e.g. Power User) and an organization (e.g. Engineering). If you are using Tanzu CloudHealth authentication, this assignment can only be done by a user with the Administrative role in Tanzu CloudHealth. If you are using an external identity provider for Single Sign On (e.g. Google), this can be done by making changes to your internal directory.

A user may be assigned to only one organization.

User Defined Content

In working within the Tanzu CloudHealth Console, users frequently create content, such as creating perspectives, saving reports, or creating quotes. We will refer to this content as user defined content in this documentation. All user defined content will reside in the organization in which it was created, and only users who are in that organization (or are Administrators) will be able to view this content.

If a user is moved from one organization to another, they lose access to any user defined content they created in their previous organization. For example, if the user Sly has created 2 RI Optimizer quotes and saved 5 reports while in the Engineering organization, they will no longer have access to these quotes or reports upon being moved to the DevOps organization. However, a user’s public content (e.g. saved reports, RI Optimizer quotes) is not deleted, and remains available to any user in the Engineering organization.

A user’s private saved reports are deleted when they move to a new Organization.

It is also important to note that there are three types of user defined content that currently have special characteristics:

  • Accounts: Accounts for all integrations (e.g. Amazon, Google, Chef) do not reside in an organization, and can only be added, edited and deleted by users with the Tanzu CloudHealth administrator role.
  • Users: Users do not reside in an organization, and can only be added, edited and deleted by administrators, either in Tanzu CloudHealth if using our identity provider, or in your directory if using an external provider.

  • Perspectives: While Perspectives will be visible across all organizations, they can only be created, edited or deleted from the default global organization. Perspectives can be managed by any Administrator or Power User in this default global organization.

An Organization Example

To illustrate organizations we will use a simple example of a company that is using Amazon and Chef to manage their infrastructure. They have three AWS accounts, each used for different types of infrastructure, and use a single internal private Chef server to manage all this infrastructure. They would like to provide access to three different groups within their company - engineering, operations and QA - but ensure each user can only access the necessary data for their function.

Below is a sample table showing how they might configure their three proposed organizations.

The All organization represents the default global organization available to all customers.

Organization AWS Account #1 (Production) AWS Account #2 (QA) AWS Account #3 (Development) Chef Account #1 (All)
All
Development
QA
DevOps

Once the organizations have been created, the company can assign specific roles and organizations to users. For example, the following table shows the assignment of roles and organizations to different users in the company. As the Tanzu CloudHealth administrator, Joe has full access to everything in the Console. Andi however, only needs to work with Development infrastructure, and Thespina with QA.

User       Role            Organization
Joe        Administrator   All
Andi       Power User      Development
Thespina   Power User      QA
Vikram     Power User      DevOps
Melodye    Standard User   DevOps

Using Organizations

This section will show you how to use organizations.

Creating an Organization

To create an organization, go to the Setup menu and click on the Admin menu item, and then select Organizations.

Only users with the Administrator role can create organizations.

Click on the New Organization button to create your first organization and provide a name and description. This name appears throughout the product as you manage your organizations. When you are done, click Next to continue.

Assigning Accounts

The data accessible within an organization is defined by the accounts to associate with it. You can choose from any type of account (e.g. Amazon account, Chef account). To add accounts, select the type of account from the Account Type selector, and add these accounts to your organization using the Add button.

To allow complete flexibility in defining organizations, an account can be associated with more than one organization (e.g. you can assign a specific AWS account to both the DevOps and Engineering organizations).

When you are done adding accounts, click Next.

Assigning Users

You now can select the users you want in this organization. The left panel provides you a list of all your users and their current assigned organization (a user can belong to only one organization). The right panel provides you a list of the users you would like to assign to the newly created organization. Once you have assigned the appropriate users to this organization, click Next.

Reviewing Changes

After adding users, Tanzu CloudHealth ensures there are no issues with moving the proposed users from their existing organization to a new one. If you are changing organizations for a user that has created user defined content (e.g. RI Optimizer quote, saved report), the user will no longer have access to this content upon moving to the new organization. The content is not deleted, and is still accessible to users in the previous organization.

A user’s private saved reports are deleted when they move to a new organization.

If no user defined content will be impacted by the proposed move of a user, you will be informed that there are no issues and asked to confirm the proposed changes. Acknowledge that you want to proceed with your changes, and then click Create Organization.

If there are issues with the move, you will be informed what content will be impacted for each user. Your available options are to either make changes (e.g. do not move a user to this organization), or to accept the issues and finish creating the organization. As mentioned previously, user defined content (e.g. saved reports) will not be deleted on moving a user to another organization, and instead will remain behind in the organization in which it was created.

To accept the issues and continue, click the checkbox then click Create Organization.

Switching Organizations

Administrative users have the ability to switch between all the available organizations using the organization switcher located at the lower-left corner of the Tanzu CloudHealth platform.

Organization Switcher

By default, the organization switcher is enabled only for an administrator role. However, a custom role copied out of the administrator role with Switch Organizations privilege will be able to change the organization. This feature is disabled for Power users.

To enable the organization switcher for a custom role:

  1. Go to Setup > Admin > Roles, and click the edit icon next to the role name.
  2. In the Privileges section, scroll down to Setup > Users > Switch Organizations.
  3. Click the toggle switch to enable the feature.

Once you switch to an organization from the list of available organizations, all reports get updated immediately to only show the information available to users of the selected organization.

Creating a Custom Role

While the three default roles that are provided with Tanzu CloudHealth typically cover the most common needs within a customer, there are times when you require finer control over what your users can do within the Tanzu CloudHealth Console. The solution for this is Tanzu CloudHealth roles, which provide you the ability to grant or deny detailed privileges to your users.

To create a custom role, go to the Setup menu and click on the Admin menu item, and then select Roles.

Click New Role to create a new role, and provide your role a name and description. The name must be unique. You can then select the specific privileges or groups of privileges you wish to assign to this role.

When you are done assigning privileges, click Save. You may now assign this role to users, which will constrain the menu items that are visible to them and the actions they can perform in the Tanzu CloudHealth Console.

You also have the option to copy an existing role, in order to more easily create additional roles by carrying over the current privileges. To do this, from the Roles page, click Copy.

Give your new role a name and description, then click Create Copy.

You can continue to define the role to fit your criteria on the Privileges page. When you are done assigning privileges, click Save.

Configure Organizations (Optional)

Configure organizations to determine which accounts and data a user has access to

Organizations determine which accounts and data a user has access to. Plan how many organizations you want to create and how you want to configure those organizations. For more information on planning organizations, refer to the What Are Organizations, Users, and Roles topic. Tanzu CloudHealth recommends creating an organization for each subset of data you need to provide access to for your users.

  1. In Tanzu CloudHealth, go to Setup > Admin > Organizations.
  2. Select New Organization.
  3. Enter the name and a description of the organization and click Next. If you plan to invite users to Tanzu CloudHealth via single sign-on, the organization name must begin with the prefix chtorg (for example, chtorg CloudHealth).
  4. Select the accounts you want to assign to the organization and click Add. Then click Next.
  5. Because you will add users at a later step, click Next to skip adding users.
  6. Select the I confirm changes are correct checkbox and click Create Organization.
  7. Repeat steps 2-6 for all organizations.

Create a Custom Role (Optional)

Create a custom role to assign a combination of privileges not covered in the default roles

Tanzu CloudHealth provides three default roles you can assign to users:

  • Standard User: Read-only privileges
  • Power User: Full read, edit, and create privileges except in user and organization management
  • Administrator: Full read, edit, and create privileges

If you want to assign a combination of privileges not covered in the default roles, create a custom role:

  1. Log in to the Tanzu CloudHealth platform and go to Setup > Admin > Roles.
  2. Select New Role.
  3. Enter a name and description for the custom role in the Details pane.
  4. In the Privileges pane, select the toggles to turn on and off role privileges as desired.
  5. Click Save.

You can also copy a default role by selecting the Copy icon on the Roles page and then renaming and modifying the copy.

Invite Users to Tanzu CloudHealth Via Tanzu CloudHealth Platform

Invite people in your organization to the Tanzu CloudHealth platform

Invite Users

  1. In the Tanzu CloudHealth platform, go to Setup > Admin > Users.
  2. Select Invite User.
  3. Enter the user’s name and email and select the user’s role from the dropdown.
  4. Click Invite User.
  5. Repeat steps 2-4 for all users and clouds.

Add Users to Organizations

  1. Go to Setup > Admin > Organizations.
  2. Edit an organization.
  3. In the Users tab, select the users you want to assign to the organization and click Add. Use the search bar to quickly locate users by keyword.
  4. Click Review Changes and then select the I have confirmed the changes to be made are correct checkbox. Click Save Users.
  5. Repeat steps 2-4 for all organizations.

Invite Users to Tanzu CloudHealth Via Single Sign-On

Use a SAML SSO provider to authenticate users into the Tanzu CloudHealth platform

Connect Tanzu CloudHealth to your single sign-on (SSO) identity provider (IDP) assertion. Once you do so, you can invite users to Tanzu CloudHealth only through your IDP. For more information on configuring an IDP, refer to the SAML SSO topic.

Different IDPs use different terminology to refer to the same concepts. For example, roles in Tanzu CloudHealth are called groups in Google Sign In.

Configure IDP with Tanzu CloudHealth

Provide your IDP with the following information to connect with Tanzu CloudHealth:

  • Audience URI: urn:auth0:cloudhealthtech:company-com
  • SSO Callback: https://cloudhealthtech.auth0.com/login/callback?connection=company-com

Replace company-com with your domain (for example, google-com).

Configure IDP with Roles

Add your Tanzu CloudHealth roles to your IDP assertion with a roles attribute.

Default Roles

The default Tanzu CloudHealth roles use the following case-sensitive attribute values:

Roles Attribute Value       Tanzu CloudHealth Role
cloudhealth-administrator   Administrator
cloudhealth-power           Power user
cloudhealth-standard        Standard user

Custom Roles

If you created custom roles, use the custom role’s IDP name as its role attribute value.

To locate a custom role’s attribute value:

  1. Go to Setup > Admin > Roles.
  2. Click the View icon for the custom role.
  3. In the Details pane, locate the IDP Name field.

Contact Tanzu CloudHealth

Schedule a call with Tanzu CloudHealth to configure your IDP with Tanzu CloudHealth. Provide Tanzu CloudHealth support with the following information from your IDP:

  • Endpoint URL
  • X.509 certificate in .pem format

Assign Organizations

Configure your organizations with your users. You can assign users to organizations via one of three methods:

  • Assign users to a default organization: Use when you have only one organization or when the majority of your users should be assigned to one organization.
  • Assign organizations via Tanzu CloudHealth: Use when you prefer to manage your organizations in the Tanzu CloudHealth Platform.
  • Assign organizations via IDP: Use when you prefer to manage your organizations in your IDP assertion.

Assign Users to a Default Organization

  1. In Tanzu CloudHealth, go to Setup > Admin > Settings.
  2. In the Single Sign-On tab, select a default organization from the dropdown.
  3. Click Update Company Profile.

Assign Organizations via Tanzu CloudHealth

  1. Go to Setup > Admin > Organizations.
  2. Edit an organization.
  3. In the Users tab, select the users you want to assign to the organization and click Add.
  4. Click Review Changes. Select the I have confirmed the changes to be made are correct checkbox and click Save Users.
  5. Repeat steps 2-4 for all organizations.

Assign Organizations via IDP

Add your Tanzu CloudHealth organizations to your IDP assertion through an organization attribute. Note that some IDPs (such as Azure Active Directory) do not allow you to add organizations through the IDP.

To assign organizations via IDP, all your organization IDs must begin with the prefix chtorg-. If your organization IDs do not begin with this prefix, contact Tanzu CloudHealth support.

To locate your organization ID:

  1. Go to Setup > Admin > Organizations.
  2. Click the View icon for an organization.
  3. In the Name tab, locate the IDP Name field.
  4. Repeat steps 2-3 for all organizations.
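A way to check, before going live, that the assertion your IDP sends carries the roles attribute described above and, where your IDP supports it, an organization attribute with the required chtorg- prefix. This is an added example, not VMware's or the platform's own code: the assertion fragment is constructed, and the attribute names roles and organization are taken from this page.

```python
"""Validate the roles / organization attributes in a SAML assertion.

Added example (not VMware's code). It parses a constructed AttributeStatement
and checks that 'roles' carries exactly one known, case-sensitive value and
that any 'organization' value starts with 'chtorg-'.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default role attribute values from the page (case-sensitive).
DEFAULT_ROLE_VALUES = {
    "cloudhealth-administrator": "Administrator",
    "cloudhealth-power": "Power user",
    "cloudhealth-standard": "Standard user",
}
ORG_PREFIX = "chtorg-"

# Constructed sample assertion fragment, not captured from any real IDP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>cloudhealth-power</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="organization">
      <saml:AttributeValue>chtorg-engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return the AttributeValue strings of the attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            for val in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((val.text or "").strip())
    return values


def check_assertion(assertion_xml, custom_role_idp_names=()):
    """Return a list of problems; an empty list means the attributes are usable.

    custom_role_idp_names: the IDP Name values of your custom roles (from the
    role's Details pane), accepted alongside the three default values.
    """
    problems = []
    allowed_roles = set(DEFAULT_ROLE_VALUES) | set(custom_role_idp_names)

    roles = attribute_values(assertion_xml, "roles")
    if len(roles) != 1:
        # A user can have only one role in the platform.
        problems.append("expected exactly one 'roles' value, got %d" % len(roles))
    for role in roles:
        if role not in allowed_roles:
            hint = " (values are case-sensitive)" if role.lower() in allowed_roles else ""
            problems.append("unknown role value %r%s" % (role, hint))

    orgs = attribute_values(assertion_xml, "organization")
    if len(orgs) > 1:
        # A user may be assigned to only one organization.
        problems.append("expected at most one 'organization' value, got %d" % len(orgs))
    for org in orgs:
        if not org.startswith(ORG_PREFIX):
            problems.append("organization %r lacks the %r prefix" % (org, ORG_PREFIX))
    return problems


if __name__ == "__main__":
    for line in check_assertion(SAMPLE_ASSERTION) or ["assertion OK"]:
        print(line)
```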

Configure User Session Length (Optional)

By default, the session length for users in Tanzu CloudHealth is Until the browser closes. To change the default session length:

  1. In Tanzu CloudHealth, go to Setup > Admin > Settings.
  2. On the Edit Customer tab, go to the Settings pane.
  3. Select a session length from the dropdown menu.
  4. Click Update Company Profile.

Administration Best Practices

Explains best practices when creating and managing users, organizations, perspectives, and AWS reserved instances.

When To Create Organizations

Organizations provide scoped data access to Tanzu CloudHealth users. You should create organizations in order to limit the data available for one or more users within your company. There is no limit to the number of organizations you can create, and they are fast and easy to use. A best practice is to create a unique organization for each subset of data you need to provide access to for your users.

How To Manage Perspectives

While Perspectives are created and managed by Administrators and Power Users within the default global organization, they are accessible to all your users within Tanzu CloudHealth. Users scoped to an organization other than the default global one will not be able to create, edit or delete Perspectives. It is therefore necessary to have one or more users responsible for managing perspectives across all organizations.

Managing Organizations Through Single Sign On (SSO)

If you are using an external identity provider (e.g. Google Apps) to authenticate to the Tanzu CloudHealth Console, you are responsible for managing the roles and organizations for your users. To add a new user to the Tanzu CloudHealth Console, add them to the appropriate default group within your directory (for example, the Google Groups within Google Apps that you manage for users accessing Tanzu CloudHealth through Google SSO).

The first time a user logs into the Tanzu CloudHealth Console via SSO, they will need an organization assigned. You can specify this SSO-default organization by editing your company profile.

It is recommended that you create a least-privilege organization to use for new SSO users, and then assign them to their proper organization after they first login.

Moving Users Between Organizations

The only user defined content that will be lost in moving users between organizations will be any private content: BI Reports, budgets, policies, RI quotes, and saved reports. Public content will remain in the organization in which it was created, even if the user is later moved to another organization.

While there is no risk of losing content (other than a user’s private data), moving users can still have some nominal impact on the moved users and on the users of their previous organization.

For example: If a private policy was configured to alert multiple users, after the user is moved, the policy will be deleted and the other recipients will no longer receive these alerts.

As a best practice, it is recommended that Tanzu CloudHealth administrators proactively notify users before changing their assigned organization.

Managing AWS Reserved Instances

The full functionality of Tanzu CloudHealth is accessible to users within an organization, including the ability to buy, modify and report on reserved instances. Since organizations are typically comprised of a subset of AWS accounts, Tanzu CloudHealth administrators should be cautious in allowing users to manage reservations from within an organization.

Due to the “floating” of reservations across accounts linked to a consolidated billing account, users within organizations that do not contain an entire billing family (i.e. a consolidated billing account and its linked accounts) could see underutilization of instances and reservations that does not actually exist when viewed in the context of all accounts. As an administrator you can choose to build organizations from entire billing families, or accept this risk. You can also use access control to limit users’ ability to access these features within an organization.

Security Best Practices When Using the Tanzu CloudHealth Platform

Security and operational best practices to keep in mind when using the Tanzu CloudHealth Platform

Authentication, Authorization, and Auditing

Authentication

User Management/SSO

Leverage SSO for user authentication and authorization. 

API Keys

Tanzu CloudHealth API keys are generated by and assigned to a customer platform user with sufficient privileges defined in Roles. API keys are active as long as the user is active in the platform, and as such require immediate termination and rotation if the user is no longer authorized (for example, has left the company).

Note that SSO users and their API keys are not automatically deleted when the user is terminated or disabled in the customer’s SSO IdP. It is the customer’s responsibility to perform user management functions for users with API keys.

Users can be managed under Setup > Admin > Users.

Login Session Length

Adjust default user session timeouts based on your company security preferences. 

Session length can be adjusted from 1 hour to unlimited (closed browser). Specify the session length at Setup > Admin > Settings.

Authorization

Roles

The Tanzu CloudHealth Platform allows for very granular permission management for users. Tanzu CloudHealth recommends limiting the default Administrator role to a select few individuals tasked with managing users and permissions.

More information on roles and customizations is available in the Tanzu CloudHealth docs.

Organizations

Tanzu CloudHealth platform offers Organizations to further limit access and visibility into your company cloud resources based on your organizational structure.

Auditing

Platform user audit logs are available upon support request.

Platform Data Collection

AWS accounts

  • Only use IAM Roles for securely provisioning access to your AWS resources.
  • Ensure external ID enforcement is configured in the AWS account being collected.
  • Ensure the IAM policy is restricted to only requested resources.
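The two IAM controls above, external ID enforcement and a single trusted principal, can be verified on a role's trust policy before the account is added. This is an added example, not VMware's code: both policies are constructed, and COLLECTOR_ACCOUNT and EXTERNAL_ID are placeholders for the values the platform shows you when you add an AWS account.

```python
"""Check an IAM role trust policy for external ID enforcement and a single
trusted principal. Added example, not VMware's code: the policies are
constructed and the two constants below are placeholders."""
import json

COLLECTOR_ACCOUNT = "111111111111"       # placeholder, not the real collector account
EXTERNAL_ID = "EXTERNAL-ID-PLACEHOLDER"  # placeholder

# Constructed trust policy that enforces the external ID (the desired state).
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
})

# Constructed weak policy: same principal, but without the sts:ExternalId
# condition, so the confused-deputy protection the page asks for is missing.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM lets most policy fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account IDs (or '*') named in the AWS part of a Principal element."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in _as_list(principal.get("AWS", [])):
        # Entries are 'arn:aws:iam::ACCOUNT:root', a bare account ID, or '*'.
        accounts.add(entry.split(":")[4] if entry.startswith("arn:") else entry)
    return accounts


def trust_policy_findings(policy_json, collector_account, external_id):
    """Return one finding per problem in each Allow/AssumeRole statement.

    An empty list means every such statement trusts only collector_account
    and requires the expected external ID.
    """
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if accounts != {collector_account}:
            findings.append("statement %d: principal accounts %s, expected only %s"
                            % (i, sorted(accounts), collector_account))
        ext_ids = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_ids is None:
            findings.append("statement %d: no sts:ExternalId condition, external ID not enforced" % i)
        elif _as_list(ext_ids) != [external_id]:
            findings.append("statement %d: sts:ExternalId does not match the expected value" % i)
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, trust_policy_findings(policy, COLLECTOR_ACCOUNT, EXTERNAL_ID) or "OK")
```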

Agents

Depending on the environment risk, Tanzu CloudHealth provides an option to disable agent auto-update functionality during the agent installation step.

General Best Practices

Maintain Up-to-date Contact Information

Maintain accurate business, technical, and billing contact information with Tanzu CloudHealth Technologies. Technical contact information will be used for sensitive security announcements and breach notifications, unless otherwise stated in the signed customer contract.

Best practice is to leverage alias or group email addresses instead of tying to specific individuals within your organization.

Work with your account manager to ensure your records have been updated in the Tanzu CloudHealth CRM platform.

Platform Status

Tanzu CloudHealth Technologies maintains a public status page available at http://status.cloudhealthtech.com. Tanzu CloudHealth Platform customers are encouraged to subscribe to relevant incident and platform notifications.
