- Role-based access control
- Multi-tenancy: Provide exclusive management environment to your tenants
NetScaler MAS provides multi-tenancy functionality, which lets you configure the system for multiple tenants. Each tenant can add its own network instances, manage and monitor those instances and applications, and create its own users and groups. No tenant has visibility into the instances and applications of the other tenants. Only the system admin has visibility into all instances, applications, and reports of all tenants. However, the system admin cannot create users for the tenants. All system-level tasks can be performed only by the system admin.
Consider a scenario where an organization such as example.com has an infrastructure group and multiple business units within it. They want to centrally manage all instances in their network. However, they want to provide an exclusive management environment to each business unit.
The following image shows how the example.com organization infrastructure group is structured. They want each of the four business units to have exclusive management environments. This image also shows the number of instances each business unit wants to manage.
Chris, the ADC group head, is the system admin of NetScaler MAS. Chris creates two tenants for the two business units, Example-online and Example-Retail, and assigns two users as administrators of these tenants. Each tenant administrator can now add more users, add instances they want to manage, and create sub-tenants within their tenant environment.
The following image shows the tenants and users that are created in NetScaler MAS for this example.
In this example, Chris, the system admin, creates two tenants: example-online and example-retail. While creating the tenants, Chris also creates a default admin user for each tenant.
1. Navigate to System > Tenants, and click Add.
2. On the Create Tenant page, specify the tenant name and the tenant user name whom you want to assign as the administrator for this tenant. Also, provide the password.
3. Click Create.
On the Tenants page, you can view the list of tenants that are created.
You can also view the list of admin users for each tenant on the System > User Administration > Users page.
When you create the tenants, two default system groups, an admin group and a read-only group, are created for each tenant, as shown in the image below. For example, example-online_admin_group and example-online_readonly_group are created for tenant example-online.
After the tenants are created, a tenant user can log on to NetScaler MAS using the tenant user credentials. To do so, a tenant has to provide both the domain name and the user name, for example, example-online\John.
After a tenant logs on, NetScaler MAS prompts the tenant to add instances. Click + New to add the instances you want to manage. Alternatively, you can click Do it Later and add the instances at a later time from the Infrastructure tab. For details, see Adding an Instance to NetScaler MAS.
In this example, John adds two NetScaler SDX instances.
Specify the instance type, the IP addresses (separated by commas), and the profile name that NetScaler MAS can use to access the instances, and then click OK.
John, the tenant admin, now wants to create a user for David so that David can monitor all the instances and applications of this tenant. However, Chris does not want David to perform any configuration task on the instances or change any system settings for the tenant. So, Chris creates a user david with read-only permissions.
1. Navigate to System > User Administration > Users and click Add.
2. On the Create System User page, specify the user name and password for the user you want to create.
3. Under Groups, select the group you want to assign to this user. In this example, the example-online_readonly_group is assigned to user david.
A tenant administrator can create sub-tenants to partition the tenant further. However, only one level of sub-tenants can be created. In this example, John creates two sub-tenants, example-digital and example-ecommerce. While creating these two sub-tenants, Chris assigns Jane and Mike as the admin users, respectively.
To create a tenant within a tenant, follow the steps described in Adding Tenants.
You can view the tenants created on the Tenants page.
You can also view the permissions assigned to the users. Navigate to System > User Administration > Users, select a user, and click Edit.
On the Configure System User page, under Groups, you can view the groups assigned to that user. In this example, you can see that example-digital_admin_group is assigned to Jane.
As a tenant admin, if you have already added instances to NetScaler MAS, you can assign the instances to users in your tenant or sub-tenants for management and monitoring. For example, John can assign one VPX instance to Jane for management purposes.
1. Navigate to System > User Administration > Group.
2. Select the group to which the user is assigned and click Edit.
3. On the Modify System Group page, on the Users and Instances tab, clear the All Instances check box.
4. Under Instances, select the instance you want the user to manage as shown in the figure below.
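The rules this page describes (two default groups per tenant, only one level of sub-tenants, tenant\user logon, and clearing All Instances to scope a group to selected instances) can be captured in a small Python model. This is an added example, not NetScaler MAS code: the class and method names, the sample IP addresses, the retail-admin user, and the assumption that a sub-tenant user logs on as sub-tenant\user are all hypothetical.

```python
# Illustrative model only; names are hypothetical, not NetScaler MAS APIs.
from dataclasses import dataclass, field

@dataclass
class Group:
    tenant: str
    all_instances: bool = True        # the "All Instances" check box
    instances: set = field(default_factory=set)

class Mas:
    def __init__(self):
        # tenant -> parent, group name -> Group, IP -> owner, (tenant, user) -> group
        self.parent, self.groups, self.owner, self.members = {}, {}, {}, {}

    def create_tenant(self, name, admin, parent=None):
        if parent is not None and self.parent[parent] is not None:
            raise ValueError("only one level of sub-tenants is allowed")
        self.parent[name] = parent
        for suffix in ("admin_group", "readonly_group"):  # default groups
            self.groups[f"{name}_{suffix}"] = Group(name)
        self.members[(name, admin)] = f"{name}_admin_group"

    def assign(self, acting_tenant, group, ips):
        g = self.groups[group]
        if acting_tenant not in (g.tenant, self.parent[g.tenant]):
            raise PermissionError("group is outside this tenant")
        if any(self.owner.get(ip) != acting_tenant for ip in ips):
            raise PermissionError("instance belongs to another tenant")
        g.all_instances, g.instances = False, set(ips)  # box cleared

    def visible(self, logon):
        # Tenant users log on as tenant\user; both parts are required.
        tenant, sep, user = logon.partition("\\")
        if not sep or not user:
            raise ValueError("expected tenant\\user")
        g = self.groups[self.members[(tenant, user)]]
        if g.all_instances:
            return {ip for ip, t in self.owner.items() if t == g.tenant}
        return set(g.instances)

def build_example():
    # The page's scenario; IPs and "retail-admin" are constructed values.
    m = Mas()
    m.create_tenant("example-online", "John")
    m.create_tenant("example-retail", "retail-admin")
    m.create_tenant("example-digital", "Jane", parent="example-online")
    m.owner.update({"10.0.0.1": "example-online", "10.0.0.2": "example-online",
                    "10.0.1.1": "example-retail"})
    m.assign("example-online", "example-digital_admin_group", ["10.0.0.2"])
    return m
```

In this model, John sees both example-online instances, Jane sees only the one assigned to her group, and any attempt to assign across tenants or to nest a second level of sub-tenants raises an error.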