Pivotal Cloud Foundry (PCF) Ops Manager 1.6.x and greater
If you have a multitenant PCF deployment on vSphere, you may need to restrict the vCenter permissions granted to each tenant, depending on the security requirements of your organization.
When deploying Ops Manager to vSphere, Pivotal recommends creating a service account with the VMware Administrator system role. If this role is too permissive for your deployment, follow the procedure below to create a custom role with a narrower set of privileges.
1. Create a folder in vCenter for each PCF instance you deploy.
2. Create an account in vCenter for each PCF deployment. See the BOSH documentation for a list of the privileges BOSH requires in vCenter when deploying PCF.
3. Grant the following additional permissions for each account at the Datacenter level:
   Datastore.AllocateSpace
   Datastore.Browse
   Datastore.FileManagement
   Datastore.DeleteFile
   Datastore.UpdateVirtualMachineFiles
   Network.Assign
   Resource.AssignVMToPool
   VirtualMachine.Config.AddNewDisk
   VApp.Import
4. Deploy each PCF instance in its own folder.
Granting the Datacenter-level privileges in step 3 lets that account reach networks and data that belong to other tenants on the same datastore. For stronger separation, deploy each PCF instance to its own datastore.
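The following PowerCLI script is an added example of steps 1 through 4; it is not part of the Pivotal documentation or of Ops Manager. It assumes PowerCLI is installed, that the tenant account already exists in vCenter SSO (step 2 is done outside PowerCLI), and that the vCenter hostname, datacenter name, tenant name and SSO domain below are replaced with your own. The BOSH-required privileges are not listed on this page, so `$boshPrivileges` is a placeholder to be filled from the BOSH documentation; the script then adds the privileges from step 3, grants the resulting role at the Datacenter level, and finally checks that the role carries no privilege beyond the intended set.

```powershell
# Added example (not Pivotal's code): per-tenant folder, custom role and
# Datacenter-level grant for one PCF deployment on vSphere via PowerCLI.
param(
    [string]$VCenter    = 'vcenter.example.test',  # assumption: replace with your vCenter
    [string]$Datacenter = 'DC1',                   # assumption: replace with your datacenter
    [string]$Tenant     = 'pcf-tenant-a',          # assumption: one name per PCF deployment
    [string]$Domain     = 'vsphere.local'          # assumption: SSO domain of the tenant account
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null

$dc = Get-Datacenter -Name $Datacenter

# Step 1: one VM folder per PCF instance, created under the datacenter.
$folder = Get-Folder -Location $dc -Type VM -Name $Tenant -ErrorAction SilentlyContinue
if (-not $folder) {
    $folder = New-Folder -Name $Tenant -Location $dc
}

# Step 2: the account itself is created in vCenter SSO or AD, not here.
# The script only assumes "$Domain\$Tenant" exists.
$principal = "$Domain\$Tenant"

# Step 3a: privileges BOSH requires. Placeholder: populate from the BOSH
# vSphere documentation; this page does not list them.
$boshPrivileges = @()

# Step 3b: the additional privileges listed on this page.
$pagePrivileges = @(
    'Datastore.AllocateSpace',
    'Datastore.Browse',
    'Datastore.FileManagement',
    'Datastore.DeleteFile',
    'Datastore.UpdateVirtualMachineFiles',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'VirtualMachine.Config.AddNewDisk',
    'VApp.Import'
)

$intended = @($boshPrivileges + $pagePrivileges) | Sort-Object -Unique
$roleName = "pcf-$Tenant"

# Resolve privilege IDs; Get-VIPrivilege errors on an unknown ID, which
# catches typos before a role is created with fewer privileges than planned.
$privs = Get-VIPrivilege -Id $intended
if (@($privs).Count -ne $intended.Count) {
    throw "Resolved $(@($privs).Count) of $($intended.Count) privilege IDs; check the list."
}

$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privs
} else {
    Set-VIRole -Role $role -AddPrivilege $privs | Out-Null
}

# Step 3c: grant the role at the Datacenter level, propagating to children.
# Because this is Datacenter scope, it reaches every datastore and network in
# the datacenter, which is exactly the sharing caveat noted above.
New-VIPermission -Entity $dc -Principal $principal -Role $role -Propagate:$true | Out-Null

# Step 4 is done in Ops Manager: point the deployment at folder "$Tenant".

# Check: the role holds exactly the intended privileges and nothing more.
$actual = (Get-VIRole -Name $roleName).PrivilegeList | Sort-Object -Unique
$extra  = Compare-Object -ReferenceObject $intended -DifferenceObject $actual |
          Where-Object { $_.SideIndicator -eq '=>' } |
          ForEach-Object { $_.InputObject }
if ($extra) {
    Write-Warning "Role $roleName carries privileges beyond the intended set: $($extra -join ', ')"
} else {
    Write-Host "Role $roleName matches the intended privilege set ($($intended.Count) privileges)."
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Re-running the script is safe: an existing folder and role are reused, and `Set-VIRole -AddPrivilege` only adds what is missing. The final comparison is the part worth keeping in a periodic audit, since privileges added by hand to a tenant role otherwise go unnoticed.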