Starting with VMware Cloud Director 10.6, service providers can assign to organizations the rights to create and manage other organizations, making them sub-providers.

Note: This chapter includes information specific to the sub-provider role. You, as a sub-provider administrator, can perform all other tenant operations documented in this guide. However, other roles, apart from the system administrator role, cannot perform the operations available to you in the VMware Cloud Director Tenant Portal.

VMware Cloud Director 10.6 introduces the concept of the sub-providers in addition to the service providers and tenants. A sub-provider is a tenant persona that can create tenant organizations and manage them. A provider can empower a tenant organization to become a sub-provider by granting it the necessary administrative rights and a right to traverse into other organizations. You, as a sub-provider administrator cannot further grant these rights to your tenants.

The sub-provider administrator operates within the sub-provider organization and can perform the following operations:
  • Create organizations
  • Create, view, manage, and delete organization VDCs
  • Create, view, manage, and delete organization VDC networks
  • Switch in to organizations
  • Set up organization IdPs
  • Perform all standard tenant operations
  • Create and publish roles
  • Create and publish rights bundles
  • View external networks
  • Share and publish catalogs
  • Manage catalog subscriptions
Figure 1. Sample Greenfield Deployment
The provider manages the provider VDCs and grants resources. The sub-providers manage their organizations and the granted resources. Tenants manage their organizations and organization VDCs.
Figure 2. Sample Brownfield Deployment
A provider first grants sub-provider rights to the tenants. Then, the provider grants resources to the sub-provider and the sub provider can start creating their tenants.

A sub-provider organization can receive grants from more than one provider VDCs. See View All Provider VDCs Available to Your Sub-Provider Organization. You can use those grants, or in other words, the finite granted provider VDC resources, to create elastic Flex organization VDCs. See Create a VMware Cloud Director Organization VDC as a Sub-Provider.

You cannot exceed your granted resources. For example, if a provider has a provider VDC with 100 GB of memory reservation available, but they grant to your sub-provider organization 10 GB memory reservation, in your sub-provider organization, you can see only 10 GB memory reservation available.

Compute Overprovisioning

The total amount of CPU and memory reservation capacity granted by providers cannot exceed the physical memory capacity. However, providers can use the CPU allocation and Memory allocation limits to overprovision compute resources to sub-providers. Sub-providers can also overprovision CPU and memory to their tenants, but the compute guaranteed resources cannot exceed their respective grants. For example, if a provider has physical memory capacity of 100 GB in a provider VDC, they can grant the provider VDC to a sub-provider with allocated memory of 200 GB and memory reservation capacity of 50 GB. In the example, the provider overprovisions the memory allocation, but limits the sub-provider reserved memory capacity to 50 GB. The sub-provider can create an organization VDC with a total capacity of 200 GB. However, the total reserved memory capacity across all tenants of the sub-provider cannot exceed 50 GB.
Figure 3. Sample Memory Allocation
The provider grants physical memory to the sub-providers, which allocate memory to their tenants.

CPU and memory allocation and overprovisioning are identical.

Storage Provisioning

Providers can grant provider VDC storage policies to their tenants. Sub-providers can consume granted storage policies by publishing them to their tenant organization VDCs. Unlike CPU and memory, you cannot overprovision storage. As a sub-provider, you cannot allocate to your tenants more than your storage allocation. For example, if a provider has 100 GB of storage and grants to a sub-provider a storage policy with only 50 GB, the sub-provider can allocate to their tenant organization VDCs a total of 50 GB.

A provider can grant more storage than physically available. However, the sub-providers do not have any visibility into how much they are overprovisioning to their tenants because they do not know how much physical storage there is.

On the Cloud Resources tab, you can view all VM sizing, VM placement, and vGPU policies for your sub-provider organization.
Figure 4. Sample Storage Allocation
The provider grants physical storage to the sub-providers, which allocate storage to their tenants.

Provisioning Networking Resources

On the Cloud Resources tab, you can view all NSX edge clusters and network pools that your service provider granted to your sub-provider organization.

The behavior between VMware Cloud Director service providers and tenants is identical to the behavior between sub-providers and their tenants.

As a sub-provider administrator, you can create an edge gateway in the context of your tenant and connect the edge gateway to a provider gateway that you own. See Create an Edge Gateway Backed by an NSX Provider Gateway in the VMware Cloud Director Tenant Portal.

You can configure private IP spaces that you can use to give IPs and prefixes to your tenants. You can manage quotas for IP spaces that you own. See Managing IP Spaces in your VMware Cloud Director Tenant Portal.

You can configure a network that stretches from your sub-provider organization to the organizations of your managed tenants. In this scenario, your tenants can only connect to those networks without the ability to manage them. See Manage the Participating VDCs in a Data Center Group in the VMware Cloud Director Tenant Portal.

Limitations of tenant organizations that sub-providers manage

In VMware Cloud Director 10.6, if a tenant organization is not empty, there are limitations to changing its managing organization. An organization is considered to be empty when it has no VDCs or networking resources configured.
  • You cannot reassign a tenant organization managed by the System organization to a sub-provider.
  • You cannot reassign to the System organization a tenant organization that a sub-provider manages.
  • You cannot reassign to a different sub-provider a tenant organization already managed by a sub-provider.