Tenants

Overview

A Tenant in Morpheus is an isolated environment with unique users and workloads. The Master Tenant is the default Tenant in Morpheus, created upon installation. All other Tenants outside of the Master Tenants are Subtenants.

  • The Master Tenant is the default Tenant created during the installation of Morpheus

  • All Tenants created after installation are Subtenants. Only one Master Tenant can exist

  • The Master Tenant creates and controls all Subtenants.

  • Tenants are isolated environments with unique users, workloads, and Groups

  • The Master Tenant can share or assign its resources to Subtenants

  • Subtenants cannot share their resources with other Tenants

  • Subtenants cannot see resources from other Subtenants

  • Subtenants can only access Master Tenant resources that have been set to Public visibility or specifically assigned to the Subtenant

Roles

There are two Role types in Morpheus, Tenant Roles and User Roles. Understanding these Role types is key to effectively administering Role permissions in Morpheus. These two Role types are discussed in greater detail in this section.

Tenant Roles

Tenant Roles set the maximum permission levels for Users in the Tenant. User Role permissions will not exceed the permissions of the Tenant Role.

  • Tenant Roles set the maximum permissions for a Tenant

  • User Roles in a Tenant cannot exceed the permissions of the Tenant Role

  • A Tenant Role can be assigned to one or multiple Tenants

  • Tenant Roles determine Cloud access for the Subtenant such that all Clouds in the Master Tenant which have visibility set to Public will show as options in the Tenant Role Cloud Access tab

  • Only Master Tenant Clouds given access in the Tenant Role will be accessible in the Subtenant

Important

Tenant Roles cap permissions on all Subtenant User Roles. User Roles can be created in the Subtenant with lesser permissions than the Tenant Role allows. Tenant Roles are designed for a Master Tenant Admin to set max permissions for the Subtenant, and a Subtenant Admin to configure User Roles inside the Subtenant.

User Roles

User Roles determine feature, Group, and Instance Type access for all Users. In a multi-Tenant environment, there are two types of User Roles: Single-Tenant User Roles and Multi-Tenant User Roles.

  • Single-Tenant User Roles: These exist solely in the Tenant they are created in. All Roles created in a Subtenant will be Single-Tenant User Roles

  • Multi-Tenant User Roles: The Master Tenant can create Multi-Tenant User Roles. These Roles are automatically seeded into Subtenants and can be assigned to Subtenant Users. Changes to Multi-Tenant User Roles made in the Master Tenant are propagated to all Subtenants. However, once a Multi-Tenant User Role is edited inside a Subtenant, it is no longer linked to the Multi-Tenant User Role and becomes its own unique Role. It will no longer receive propagated changes.

Note

Multi-Tenant User Roles are intended to make Subtenant User Role creation easier, so Master Tenant Users do not have to re-create the same base Subtenant Users Roles for every Subtenant. Multi-Tenant User Roles are not a single Role across Tenants, but more like a template that creates new Subtenant User Roles that can then be managed in the Sub Tenant.

Tenants

The Tenants page displays a list of all Tenants. This page enables users to Create, Edit, and Delete Tenants. The list of Tenants displays the Tenant Name, Role, Total Instances, Total Users, and the Created Date.

Click the Tenant Name to drill into the Tenant View where you can again Edit or Delete the Tenant, as well as Create Users, Edit Users, and Delete Users users belonging to the Tenant.

Create Tenants

To Create Tenants:

  1. Select the Administration link in the navigation bar.

  2. Select the Tenants link in the sub navigation bar.

  3. Click the Create Tenant button.

  4. From the New Tenant wizard input:

    • Name

    • Description (optional)

    • Subdomain

    • Base Role

    • Currency

  5. Within the Advanced Options section, track customer data related to the Tenant if needed:

    • Account Number

    • Account Name

    • Customer Number

  6. Click the Save Changes

Edit Tenant

To edit a Tenant:

  1. Select the Administration link in the navigation bar.

  2. Select the Tenants link in the sub navigation bar.

  3. Click the Edit pencil icon on the row of the Tenant to edit.

  4. Edit the Edit Tenant settings.

Disabling Tenant

When disabling a tenant, they are not able to login and cannot be impersonated by another tenant. However all of their information will still remain in Morpheus and they may still receive notifications and alerts.

To disable a Tenant:

  1. Select the Administration link in the navigation bar.

  2. Select the Tenants link in the sub navigation bar.

  3. Click the Edit pencil icon on the row of the Tenant to edit.

  4. Uncheck the Enabled box.

Delete Tenant

To delete a Tenant:

  1. Select the Administration link in the navigation bar.

  2. Select the Tenants link in the sub navigation bar.

  3. Click the Delete trashcan icon on the row of the Tenant to delete.

  4. Confirm

Tenant Users

The Tenant View displays a list of users belonging to the Tenant and their Name, Username, Email, and Role.

From this page: Create, Edit, and Delete users within the Tenant.

Important

In versions 3.1.1 and 2.12.5 and later, a Multi-Tenant User Role must be created prior to adding Subtenant Users or the User will not save. In previous versions a default Multi-Tenant Role was seeded. Due to customer requests, the seeded role was removed and a Multi-Tenant Role must be created by the Master Tenant for Subtenant Users.

Create Tenant User

To create a Tenant User:

  1. Select the Administration link in the navigation bar.

  2. Select the Tenants link in the sub navigation bar.

  3. Click the Tenant Name on the row of the Tenant where the user will be added.

  4. Click + ADD USER

  5. From the New User wizard, input the fields below:

    • First Name

    • Last Name

    • Username

    • Email address

    • Role (to be inherited by the user)

    • Password

    • Any default Windows or Linux credentials

Click SAVE CHANGES

Important

In versions 3.1.1 and 2.12.5 and later, a Multi-Tenant User Role must be created prior to adding Subtenant Users or the User will not save. In previous versions a default Multi-Tenant Role was seeded. Due to customer requests, the seeded role was removed and a Multi-Tenant Role must be created by the Master Tenant for Subtenant Users.

Edit a Tenant User

To edit a User:

  1. Select the Administration link in the navigation bar.

  2. Select the Tenants link in the sub navigation bar.

  3. Click the specific Tenant name from the row of available Tenants.

  4. Click the Edit pencil icon for your selected Tenant.

  5. Edit User information

    Note

    Name, Username, Passwords and e-mail addresses cannot be edited on Users created from Identity Source Integrations.

Click SAVE CHANGES

Delete Tenant User

To delete a Tenant User:

  1. Select the Administration link in the navigation bar.

  2. Select the Tenants link in the sub navigation bar.

  3. Click the Tenant Name from the row for the Tenant containing the user.

  4. Click the Delete trashcan icon of the row of the user to delete.

  5. Confirm

Subtenant User Login

Subtenant Users can have the same Username as the User on the Master Tenant or any other Tenant. Subtenant Users will now have to login using the subdomain prefix.

Important

Subtenant users will no longer be able to login from the main login page without specifying their subdomain.

Example:

I have a username subuser that belongs to a tenant with the subdomain subaccount. When logging in from the main login url, I would now need to enter in: subaccount\subuser

Configuring Tenants and Resources for Multi-Tenancy

A very common scenario for Managed Service Providers is the need to provide access to resources on a customer by customer basis. Several administrative features are available in Morpheus to ensure customer resources are properly scoped and isolated. With its built multi-tenancy capabilities and white label support, managed service providers have a wide range of capabilities when it comes to managing customer Tenants and users.

Tenants

There are essentially two types of Tenants in Morpheus

  • Master Tenant

  • Sub Tenants

During the initial setup of a Morpheus Appliance, the Master Tenant is created. All Tenants created in addition to this Master Tenant are sub-Tenants. There can only be one Master Tenant, and sub-Tenants cannot become the Master Tenant. The delineation between the Master Tenant and sub-Tenants is important to understand for properly scoping resources across Tenants.

Creating Tenants

The Master Tenant is created during the initial appliance setup. Additional sub-Tenants can be created in the Administration > Tenants section.

The Tenants page displays a list of all Tenants. This page enables users to: Create, Edit, and Delete Tenants. The list of Tenants displays the Tenant Name, Role, Total Instances, Total Users, Status (active or inactive) and the Created Date. Click the Tenant Name to drill into the Tenant View where you can edit or delete the Tenant, as well as create, edit and delete users belonging to the Tenant.

Note

At least one Tenant in addition to the Master Tenant is required to scope resources across Tenants.

To create a new sub-Tenant

  1. Select the Administration link in the navigation bar.

  2. Select the Tenants link in the sub navigation bar.

  3. Click the +Create Tenant button.

  4. From the New Tenant wizard input * Name (Required) * Description * Base Role * Currency (for pricing)

The Base Role defines a role set from which all roles created within the Tenant will inherit.

Note

In prior versions, we could set Limits when creating a Subtenant. These could restrict the amount of storage, memory, and CPUs that can be collectively provisioned by all users in the Tenant. In more recent versions, this functionality has been rolled into Policies (Administration > Policies). When creating a Policy, we are able to specify a Tenant to which the Policy should apply.

Click the Save Changes button.

The Create Tenant dialog box is shown

Viewing Tenants

To View an individual Tenant page, select the Tenant name from the main Tenants section.

../../_images/viewtenant.png

From inside the Tenant view, we can edit or delete the Tenant, as well as click into any of the Tenant’s users.

Tenant Users

To create a new user within the Tenant:

Click the CREATE USER button, then from the New User wizard input the fields below:

  • First Name

  • Last Name

  • Username

  • Email

  • Role

  • Password

  • Confirm Password

Click Save Changes.

Note

Users are specific to each Tenant. Users created in the Master Tenant or other sub-Tenants will only have access to the Tenant they are created in.

Impersonate Tenant User

Morpheus allows admin users in the Master Tenant to impersonate any user in the Subtenants to see the application as if they are that user. To impersonate a user, you must be logged in as a user with the “Impersonate User” feature enabled in the assigned role.

From inside a Tenant detail page (containing the list of that Tenant’s users), and in the specific user’s ACTIONS drop down, select “Impersonate”.

../../_images/configuring_multi_tenancy-9583a.png

This will log you in as that user in their respective Tenant. To log out of the impersonate users Tenant, select the username in the header, and then select “Quit Impersonating”

../../_images/configuring_multi_tenancy-d229b.png

Resources

In the Master Tenant, resources can be configured with private or public visibility:

  • Private Visibility: Only available to the assigned Tenant.

  • Public Visibility (option available in Master Tenant only): Available across all Tenants

Resources in the Master Tenant can also be assigned directly to Subtenants. When a resource is assigned to a Subtenant, it is only available for that Subtenant, and its visibility is automatically set to private. Public visibility is not an option for any resource assigned to or created in a Subtenant.

From the Master Tenant, the following resources can be configured for public visibility across all Tenants, or assigned to individual sub-Tenants

  • Clouds

  • Hosts

  • Virtual Machines

  • Networks

  • Datastores

  • Resource Pools

  • Folders

  • Virtual Images

  • Library Instance Types

  • Pricing

  • Policies

  • Workflows

  • Roles

Note

Virtual Image Blueprints can be made available to multiple select Tenants when set to private.

Cloud Visibility & Assignment

To set the visibility of a Cloud to Public (shared across all Tenants) or Private (only available to the assigned Tenant):

  1. Navigate to Infrastructure > Clouds

  2. Select either the pencil/edit icon on the end of the cloud row, or click the name of the cloud and select “Edit” in the cloud page.

  3. From the “Visibility” drop down, select either “Public” or “Private”

  4. Select Save Changes in the footer of the Edit Cloud modal.

../../_images/configuring_multi_tenancy-349e2.png

When a cloud is set to Public visibility, it is available to be added to Subtenants. All Subtenants created after a Master Tenant cloud is set to public will automatically have clouds with public visibility added, and a group will be created for each available cloud matching the cloud name in the new Subtenant(s).

For Tenants created prior to a Master Tenant cloud being set to public visibility, the Subtenant will have the option to add that cloud but it will not automatically be added.

While the cloud will be available for Subtenants, the resources available in that cloud to the Subtenant(s) depends on the visibility or assignment of the individual resources.

Note

A Subtenant user must have sufficient role permissions and cloud access to add publicly available clouds. Master Tenant clouds settings cannot be edited from Subtenants.

Assign a Cloud to an Tenant

Important

When assigning a Cloud to a Tenant, all resources for that Cloud will only be available to the assigned Tenant. If a cloud is created in the Master Tenant and assigned to a sub-Tenant, it will no longer be available for use by the Master Tenant or any other sub-Tenants, although it can be assigned back to the Master Tenant, or to another sub-Tenant.

It may be preferable for service providers to share or assign their cloud resources, such as specific hosts, networks, resources pools and datastores, across sub-Tenants, rather than an entire cloud.

To assign a cloud from the Master Tenant to a Sub-Tenant

  1. Navigate to Infrastructure, Clouds

  2. Select either the pencil/edit icon on the end of the cloud row, or click the name of the cloud and select “Edit” in the cloud page.

  3. From the “Tenant” drop down, select the Tenant to assign the cloud to. The visibility will automatically be set to “Private” when a cloud is assigned to a sub-Tenant.

  4. Select Save Changes in the footer of the Edit Cloud modal.

../../_images/configuring_multi_tenancy-c907d.png

When a cloud is assigned to a sub-Tenant, or assigned to the Master Tenant with private visibility, that cloud and all of its resources are only available to the assigned Tenant. The Master Tenant still maintains control and visibility, and can edit the cloud settings or re-assign the cloud.

Individual Resource Visibility & Assignment

Similar to clouds, individual resources from the Master Tenant can be set to public and available to sub-Tenants, or assigned to sub-Tenants.

By default, any host, virtual machine, bare metal server, network, resource pool, datastore or blueprint added, created or inventoried by an Tenant is assigned to that Tenant. If these resources are in the Master Tenant, they can be assigned to sub Tenants. Assigning one of these resources will make it unavailable to the Master Tenant, but it will still be visible and editable by the Master Tenant. This allows Master Tenant resources to be isolated for use by sub-Tenants while still under the control of the Master Tenant.

Resources assigned to sub-Tenants from the Master Tenant will be visible and available for use by that sub-Tenant, however they cannot be edited or re-assigned by the sub-tenant.

Set the Visibility of a Host, Virtual Machine or Bare metal Server to Public or Private

  1. From the Master Tenant, navigate to Infrastructure, Hosts

  2. Select either the Hosts, Virtual Machines or Bare Metal tab

  3. Click the name of the resource

  4. Select Edit in the resource page to bring up the config modal

  5. From the “Visibility” drop down, select either “Public” or “Private”

  6. Select Save Changes

../../_images/configuring_multi_tenancy-d738d.png

Assigning a Host, Virtual Machine, or Bare Metal server to an Tenant

  1. From the Master Tenant, navigate to Infrastructure, Hosts

  2. Select either the Hosts, Virtual Machines or Bare Metal tab

  3. Click the name of the resource

  4. From the “Actions” dropdown in the the resource page, select Assign Tenant

  5. In the Assign Tenant modal, select the Tenant to assign the resource to.

  6. Select Execute in the modal

../../_images/configuring_multi_tenancy-3c39f.png

The resource will now be assigned and available for use by the assigned Tenant. If assigned to a sub-Tenant, the Master Tenant will maintain visibility and control.

Set the Visibility of a Network to Public or Private

  1. From the Master Tenant, navigate to Infrastructure, Network

  2. Select either the pencil/edit icon in the network row, or click the name of the network and select “Edit” in the network page.

  3. From the “Visibility” drop down, select either “Public” or “Private”

  4. Select Save Changes in the modal

../../_images/configuring_multi_tenancy-bc333.png

Assign a Network to an Tenant

  1. From the Master Tenant, navigate to Infrastructure, Network

  2. Select either the pencil/edit icon in the network row, or click the name of the network and select “Edit” in the network page.

  3. From the “Tenant” drop down, select an Tenant to assign the network to.

  4. Select Save Changes in the lower the modal

../../_images/configuring_multi_tenancy-9f15c.png

The Network will now be assigned and available for use by the assigned Tenant. If assigned to a sub-Tenant, the Master Tenant will maintain visibility and control.

Set the Visibility or assign a datastore to an Tenant

  1. From the Master Tenant, navigate to Infrastructure, Storage

  2. Select the “Data Stores” tab

  3. Select Edit from the “Actions” dropdown in the datastores row

  4. From the “Visibility” drop down, select either “Public” or “Private”

  5. From the “Tenant” drop down, select the Tenant to assign the datastore to.

    Note

    If assigned to a sub-tenant, the visibility will be automatically set to private.

  6. Select Save Changes in the modal

../../_images/configuring_multi_tenancy-1e978.png

Set the Visibility or assign a Virtual Image to an Tenant

  1. From the Master Tenant, navigate to Provisioning, Virtual Images

  2. Select Edit from the “Actions” dropdown in the Virtual Images row

  3. From the “Visibility” drop down, select either “Public” or “Private”. Public will share the

  4. From the “Tenant” field, start typing the name of the Tenant to assign the Virtual Image to. Matching Tenants will populate, then select the Tenant to add.

    Note

    Virtual Images can be set to Private, but accessible to more that one Tenant

#. Repeat step 4 for all Tenants requiring access to the virtual image. .. To remove access for an Tenant, click the “x” next to the Tenant name #. Select Save Changes in the modal

../../_images/configuring_multi_tenancy-d9abe.png

The Virtual Image will now be available for use by the assigned Tenants.