Pivotal Knowledge Base

How to restrict permissions in a multi-tenant Pivotal Cloud Foundry deployment on vSphere

Environment

Pivotal Cloud Foundry (PCF) Ops Manager 1.6.x and greater

Purpose

If you have a multitenant PCF deployment on vSphere, depending on the security requirements of your organization you may need to restrict permissions for each tenant.

When deploying Ops Manager to vSphere, Pivotal recommends creating a service account with the VMware Administrator system role. If this role is too permissive for your deployment, follow the procedure below to create a custom role.

Procedure

1. Create a folder in vCenter for each PCF instance you deploy.

2. Create an account in vCenter for each PCF deployment. See the BOSH documentation for a list of the privileges BOSH requires in vCenter when deploying PCF.

3. Grant the following additional permissions for each account at the Datacenter level:

Datastore.AllocateSpace
Datastore.Browse
Datastore.FileManagement
Datastore.DeleteFile
Datastore.UpdateVirtualMachineFiles
Network.Assign
Resource.AssignVMToPool
VirtualMachine.Config.AddNewDisk
VApp.Import

4. Deploy each PCF instance in its own folder.

If you grant a user the Datacenter privileges in the previous step, the user can access networks and data that belong to other users within the same datastore. For greater separation, you can deploy each PCF deployment to its own datastore.
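The following PowerCLI script is an added example, not Pivotal's or VMware's own tooling, that carries out steps 1 through 4 for a single tenant: it creates the per-deployment VM folder, builds a custom role from the BOSH privilege list plus the additional privileges above, grants it at the Datacenter level, and then audits that the principal holds no broader permission there. The vCenter host name, datacenter name, tenant name, principal and role name are assumptions; the BOSH privilege list is left as a placeholder to be filled from the BOSH documentation referenced in step 2.

```powershell
# Added example (not from the Pivotal article): provision one tenant's vCenter
# folder, custom role and Datacenter-level permission with PowerCLI.
# All names below are assumptions for illustration.
param(
    [string]$VCenter    = "vcenter.example.internal",   # assumed vCenter host
    [string]$Datacenter = "DC1",                        # assumed datacenter name
    [string]$Tenant     = "pcf-tenant-a",               # one PCF deployment
    [string]$Principal  = "VSPHERE.LOCAL\pcf-tenant-a"  # account created in step 2
)

# Privileges required by BOSH: placeholder, to be filled from the BOSH
# documentation referenced in step 2 (not reproduced here).
$boshPrivilegeIds = @()
if ($boshPrivilegeIds.Count -eq 0) {
    throw "Fill in the BOSH-required privilege IDs from the BOSH documentation before running."
}

# Additional Datacenter-level privileges listed in step 3 of the article.
$additionalPrivilegeIds = @(
    "Datastore.AllocateSpace",
    "Datastore.Browse",
    "Datastore.FileManagement",
    "Datastore.DeleteFile",
    "Datastore.UpdateVirtualMachineFiles",
    "Network.Assign",
    "Resource.AssignVMToPool",
    "VirtualMachine.Config.AddNewDisk",
    "VApp.Import"
)

Connect-VIServer -Server $VCenter | Out-Null   # prompts for administrator credentials
$dc = Get-Datacenter -Name $Datacenter

# Step 1: one VM folder per PCF instance, under the datacenter's root "vm" folder.
$vmRoot = Get-Folder -Name "vm" -Location $dc -Type VM
$folder = Get-Folder -Name $Tenant -Location $vmRoot -Type VM -ErrorAction SilentlyContinue
if (-not $folder) { $folder = New-Folder -Name $Tenant -Location $vmRoot }

# Step 3: a custom role carrying only the BOSH privileges plus the article's
# additions, used in place of the Administrator system role.
$roleName   = "PCF-$Tenant"                     # assumed role naming convention
$privileges = Get-VIPrivilege -Id ($boshPrivilegeIds + $additionalPrivilegeIds)
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name $roleName -Privilege $privileges }

# Grant the role to the tenant account at the Datacenter level, propagating to
# child objects such as the folder created in step 1.
New-VIPermission -Entity $dc -Principal $Principal -Role $role -Propagate:$true | Out-Null

# Audit: warn if this principal holds any permission on the datacenter other than
# the custom role, e.g. a leftover Administrator grant.
Get-VIPermission -Entity $dc -Principal $Principal |
    Where-Object { $_.Role -ne $roleName } |
    ForEach-Object { Write-Warning "Unexpected permission on $($_.Entity): role $($_.Role)" }

Write-Host "Tenant '$Tenant' ready: deploy its PCF instance into folder '$($folder.Name)' (step 4)."
```

Run the script once per PCF deployment with that tenant's principal. Because the grant is made at the Datacenter level and propagates, it does not by itself separate tenants that share a datastore; as the note above says, deploying each PCF instance to its own datastore is what provides that stronger separation.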
