This page describes how to set policies at the tenant level.
For details of how to set enterprise policies in allowed datacenters and public cloud regions, see Configure an enterprise in a cloud location.
For details of how to create and manage cloud tenants, see Manage enterprises.
For details of how to configure a tenant for public cloud, see Manage enterprise credentials and properties.
Set allocation limits for an enterprise to control resource usage
To control the use of resources, you can create allocation limits for:
an enterprise
an enterprise in a cloud provider
an enterprise in a datacenter or public cloud region
virtual datacenters
To set limits for datastore tiers across more than one cloud location, create Abstract datastore tiers. See Abstract datastore tiers for storage service levels.
The platform will use these limits to decide if a user can deploy or reconfigure VMs or obtain more resources.
A Hard limit is the maximum amount of resources (e.g. CPU, RAM, hard disk) that an enterprise may consume.
A Soft limit can trigger a warning for users and administrators that users are nearing the hard limits.
When a user exceeds (or tries to exceed) the limits, the platform displays messages and creates events. Administrators can display the limits on the platform dashboards, where they can help to forecast resource demand.
If a user tries to exceed the hard limits for resources that are checked during configuration, the platform displays an error.
Screenshot: Hard limit exceeded
The platform also generates event messages for the user and the administrator. See Events table in the “Workload” section.
The platform optionally displays allocation limits on the dashboard for users with the appropriate privileges. It marks soft limits in orange and hard limits in red.
It can also display the enterprise usage and enterprise limits for Abstract datastore tiers, which are platform-wide storage service levels.
To set enterprise allocation limits:
Go to Users → edit an enterprise
Go to Allocation limits
Complete the dialog.
Allocation limit validation
To allow unlimited resources at this level, set the limits to 0.
If you set a hard limit, you must also set a soft limit. The hard limit must be greater than the soft limit.
You must set the hard limit above the level of resources that are already in use.
In public cloud regions, the platform does not use repository (catalogue) features or limits.
Limit | Checked at | Description |
---|---|---|
Memory | Deployment | Total amount of RAM that may be used by VMs including hardware profiles assigned to VMs |
Virtual CPUs | Deployment | Total number of virtual CPU cores that may be used by VMs including hardware profiles assigned to VMs |
Local hard disk | Deployment | Total size of hard disk that may be used by VMs on hypervisor datastores and in public cloud providers |
External storage | Configuration | Total size of external storage that may be assigned to VMs |
VLANs | Configuration | Total number of private VLANs that may be defined. Note that a private VLAN is automatically created for every VDC, so this limit may restrict the number of VDCs that users can create |
Public/floating/NAT IPs | Configuration | Total number of public IPs, floating IPs (in public cloud), and NAT IPs that may be used |
Repository | Operations | Total size of NFS Repository space that may be used for the Catalogue including templates and instances (but not conversions). See Manage the datacenter catalogue. |
Virtual machines | Deployment | Total number of VMs that users can deploy in the location using their allowed resources |
DR protected virtual machines | Operations | Total number of VMs that users can protect with disaster recovery protection. |
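
The validation rules and the soft/hard limit behaviour described above can be checked before an administrator submits new limits. The following Python code is an added example, not the platform's own code: the `Limit` class, the function names and the sample figures are hypothetical, and it assumes that "above" means strictly greater than current usage and that the warning applies once usage passes the soft limit.

```python
from dataclasses import dataclass

UNLIMITED = 0  # per the page, a limit of 0 means unlimited at this level


@dataclass(frozen=True)
class Limit:
    """One soft/hard pair for a resource such as virtual CPUs (hypothetical model)."""
    soft: int = UNLIMITED
    hard: int = UNLIMITED


def validate_limit(limit: Limit, in_use: int) -> list[str]:
    """Return the validation rules the pair breaks; an empty list means valid."""
    errors = []
    if limit.soft < 0 or limit.hard < 0:
        errors.append("limits cannot be negative")
    if limit.hard != UNLIMITED:
        if limit.soft == UNLIMITED:
            errors.append("a hard limit requires a soft limit")
        elif limit.hard <= limit.soft:
            errors.append("hard limit must be greater than soft limit")
        # Assumption: "above" is read as strictly greater than current usage.
        if limit.hard <= in_use:
            errors.append("hard limit must be above resources already in use")
    return errors


def check_request(limit: Limit, in_use: int, requested: int) -> str:
    """Classify a request as 'ok', 'soft' (warn) or 'hard' (refuse)."""
    total = in_use + requested
    if limit.hard != UNLIMITED and total > limit.hard:
        return "hard"
    # Assumption: the warning fires once usage passes the soft limit.
    if limit.soft != UNLIMITED and total > limit.soft:
        return "soft"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a tenant using 6 virtual CPUs, soft limit 8, hard limit 16.
    cpus = Limit(soft=8, hard=16)
    print(validate_limit(cpus, in_use=6))                # []
    print(validate_limit(Limit(hard=16), in_use=6))      # hard set without soft
    for extra in (1, 4, 11):
        print(extra, check_request(cpus, in_use=6, requested=extra))
```
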
Set a default role to limit tenant access to VDCs in a location
To give users different levels of access to virtual datacenters (VDCs) in specific providers or datacenters, administrators can assign a default role (with fewer privileges than user roles) for all VDCs in a location.
The default role is the default value for the VDC role that you can set when you create or edit a VDC, and the administrator can later edit it.
To control access for users of a tenant in a provider or cloud location with a default role:
Go to Users → create or edit an enterprise → Datacenters → edit a provider or an allowed location → Defaults
Select a default Role
Continue configuring the provider or location or click Accept
At the provider level, the platform will copy the default role to all provider regions. The default role for a region will apply to all new virtual datacenters in the region.
Privileges: Manage enterprise datacenter default roles, No VDC restriction
Users with the Manage roles and No VDC restriction privileges can then edit the role for the virtual datacenter and define exceptions. See Set a virtual datacenter role to limit user access.
Troubleshooting VDC creation
The platform may prevent a user from creating a VDC (even when they have the Manage virtual datacenters privilege) if they will not have enough privileges to work with resources in the VDC. This can occur if a restrictive default role will apply to the user. The default role applies to users without the "No VDC restriction" privilege. In order for these users to create a VDC:
the default role must have more privileges than an ENTERPRISE_VIEWER type role; or
the user must have the privilege to Manage roles so that this user is able to change the role of the virtual datacenter.
Reserve physical machines for a tenant and restrict deployments
For a datacenter, you can reserve physical machines for a single enterprise and restrict deployments.
Privileges: Manage enterprise reserved servers
Before you begin:
Check that the physical machine is not already reserved or running VMs deployed by a different enterprise.
To reserve physical machines for an enterprise:
Go to Users → edit enterprise → Reservations
The platform will display a list of Available servers (Physical Machines) that are in the enterprise's Allowed datacenters. (See Allow a tenant to access datacenters and cloud providers).
Select the physical machine(s) in their Datacenter/Rack and drag them into the Reserved servers list.
To restrict the enterprise so that it may only deploy on the physical machines reserved for it (and not on any others):
Mark the checkbox to Only use 'Reserved Servers'.