Tenant Management

What is Tenant Management?

Tenant Management allows users to create and manage their organization structures based on their actual business scenarios. It also provides features such as project-based resource access control, ticket management, and independent zone management.

The Tenant Management feature is provided in a separate module. Before you can use this feature, you need to purchase the Plus License of Tenant Management, in addition to the Base License.

Definitions

Definitions related to Tenant Management:

Personnel and Permissions: The Tenant Management system is structured on the basis of personnel and permissions. You can create departments and roles based on your business needs, and grant a variety of permissions to your users.
Organization: Organization is the basic unit in Tenant Management. You can create an organization or synchronize an organization through 3rd-party authentication. The organizations can be categorized into the default department and the customized department. You can customize a new team and a sub-department. The new team, usually a company or subcompany (subsidiary), can be used to create multi-level departments. An organizational structure tree is displayed in cascade, and you can directly get a complete picture of the organization structure.
Note: Notice that project members can only view the organization structure where their team belongs to.
User: A user is a natural person that constructs the most basic unit in Tenant Management. There are local user and the 3rd-party user on ZStack Cloud.
- Local User: A user that is created on the Cloud. A local user can be added to an organization or a project, and attached to a role.
- 3rd-Party User: A user is that is synchronized to the Cloud through 3rd-party authentication. A 3rd-party user can be added to an organization or a project, and attached to a role, and changed to a local user.
Note:
- To log in to the Cloud, tenant management users need to use the Tenant login entry.
  - Local users log in to the Cloud via the Local User entry.
  - AD/LDAP users log in to the Cloud via the AD/LDAP User entry.
  - OIDC/OAuth2/CAS users log in to the Cloud from the 3rd-party application without the password.
- The admin and platform manager can view the list of all users.
- If you created an organizational structure tree on the Cloud, platform members can view only the list of users belonging to the organizational structure. If you did not create any organizational structure tree, platform members can view all users.
User Group: A user group is a collection of natural persons or a collection of project members. You can use a user group to grant permissions.
Role: A role is a collection of permissions that can be granted to users. A user that assumes a role can call API operations based on the permissions specified by the role. Roles are categorized into platform roles and project roles.
- Platform Role: After a user has a platform role attached, the user will have the management permission of the corresponding zone. Permissions of a platform role take effect only in the zone managed by the user.
- Project Role: After a user joins a project and have a project role attached, the user will have the permission to use the project and manage the data in the project.
Note:
- One user can have both platform roles and project roles attached.
- One user can have more than one platform role or project role attached.
- In a project, if a user has multiple project roles attached, the user will have all the permissions attached to the project roles.
3rd-party Authentication: The 3rd-party authentication service provided by the Cloud. It supports seamless access to 3rd-party authentication systems. Through the service, related users can directly log in to the Cloud and manage cloud resources. Currently, AD/LDAP/OIDC/OAuth2/CAS servers can be added.
- AD authentication:
  Active Directory (AD) is a directory service designed for Windows Standard Server, Windows Enterprise Server, and Windows Datacenter Server. AD provides an independent, standard login authentication system for increasingly diverse office applications.
  AD users or organizations can be synchronized to the user list or organization of ZStack Cloud via an AD server, while specified AD login attributes can be used to directly log in to ZStack Cloud.
- LDAP authentication:
  Lightweight Directory Access Protocol (LDAP) can provide a standard directory service that offers an independent, standard login authentication system for increasingly diverse office applications.
  LDAP users can be synchronized to the user list of ZStack Cloud via an LDAP server, while specified LDAP login attributes can be used to directly log in to ZStack Cloud.
- OIDC authentication:
  OpenID Connect (OIDC) is a set of authentication protocols based on the OAuth2 protocol, and it allows the clients to verify the user identity and obtain basic user configuration information.
  The user information can be synchronized to the Cloud according to the mapping rules via an OIDC server, and users of the OIDC authentication system can log in to the Cloud without the password.
- OAuth2 authentication:
  Open Authorization 2.0 (OAuth2) is a set of authorization protocol standards that can authenticate and authorize users to access related resources. The Cloud currently only supports authorization through the authorization code.
  The user information can be synchronized to the Cloud according to the mapping rules via an OAuth2 server, and users of the OAuth2 authentication system can log in to the Cloud without the password.
- CAS authentication:
  Central Authentication Service (CAS) is a set of single sign-on protocols that allow website applications to authenticate users.
  The user information can be synchronized to the Cloud according to the mapping rules via a CAS server, and users of the CAS authentication system can log in to the Cloud without the password.
Project Management: Project management allows you to schedule resources based on projects. You can create an independent resource pool for a specific project. By this way, you can better manage the project lifecycle (including determining time, quotas, and permissions) to improve cloud resource utilizations at granular, automatic level and strengthen mutual collaborations between project members.
Project: A project is a task that needs to be accomplished by specific personnel at a specified time. In Tenant Management, you can plan resources at the project granularity and allocate an independent resource pool to a project. The word Tenant in Tenant Management mainly refers to projects. A project is a tenant.
- When you create a project, you need to specify the resource quotas and reclaim policy, and add project members.
- The basic resources (instance offering, image, network, and other resources) on the Cloud are suggested to shared or created in advance.
Ticket Management: To better provide basic resources efficiently for each project, project members (project admins, project managers, or regular project members) can apply for tickets to obtain cloud resources. Tickets are reviewed and approved according to custom ticket review processes of each project. Finally, the admin, project admins, department managers, and the customized approvers approve the tickets. Currently, five types of ticket are available: apply for VM instances, delete VM instances, modify VM configurations, modify project cycles, and modify project quotas.
Process Management: Process management is part of ticket management that manages the processes related to the resources of projects. Processes can be categorized into default processes and custom processes.
- Default process: The project member submits a ticket to the admin, and then the admin approves the ticket. This process applies to the following scenarios:
  - The tickets that are not configured with a ticket process.
  - The tickets which apply for modifications on the project cycle.
  - The tickets which apply for modifications on the project quota.
  - If the custom ticket process is deleted, the tickets will be resubmitted automatically via the default ticket process.
- Custom process: The project member submits a ticket. The project member makes process settings via process management. Finally, the admin or project admin approves the ticket. This process applies to the following scenarios:
  - The tickets created to apply for VM instances, delete VM instances, and change VM configurations will be prioritized to be submitted via the configured, custom ticket process.
  - If you modify the valid ticket process, the tickets will be automatically resubmitted via this modified, custom ticket process.
  - If you modify the invalid ticket process, you need to resubmit the tickets manually by using this modified, custom ticket process.
My Approval: In the Cloud, only the administrator and project administrators are granted approval permissions. the administrator and project administrators can approve or reject a ticket. If a ticket is approved, resources are automatically deployed and allocated to the specified project.
Note: The platform admin and regular platform members do not have the permission for ticket management, and the menu My Approval is not supported for these two roles.

Architecture

The Tenant Management mainly includes four subfeatures, including project management, ticket management, independent zone management, and 3rd-party authentication.

Platform Management:
To effectively manage the Cloud, the platform user (platform admin/regular platform member) can cooperate with the super administrator to manage and operate the Cloud together. ZStack Cloud provides various system roles such as Platform Admin Role and Dashboard Role. You can also satisfy various usage scenarios by creating custom roles at the API level.
Project Management:
The project management is project-oriented to plan for resources. Specifically, you can create an independent resource pool for a specific project. Project lifecycles can be managed (including determining time, quotas, and permissions) to improve cloud resource utilizations at granular, automatic level and strengthen mutual collaborations between project members.
Ticket Management:
To better provide basic resources efficiently for each project, project members (project admins, project managers, or regular project members) can submit tickets to obtain cloud resources. Tickets are reviewed and approved according to custom ticket review processes of each project. Finally, the admin, project admins, department managers, and the customized approvers approve the tickets. Currently, five types of ticket are available, including applying for VM instances, deleting VM instances, modifying VM configurations, modifying project cycles, and modifying project quotas.
Independent Zone Management:
Usually, a zone corresponds to an actual data center in a place. If you isolated resources for zones, you can specify the corresponding zone admins for each zone to achieve independent managements of various machine rooms. In addition, the admin can inspect and manage all zones.
3rd-Party Authentication:
The 3rd-party authentication is a third-party authentication service provided by ZStack Cloud. You are allowed to seamlessly access the third-party login authentication system. The corresponding account system can directly log in to the Cloud to conveniently use cloud resources. Currently, you can add an AD/LDAP/OIDC/OAuth2/CAS server.

Differences in Roles and relevant Permissions

Definitions related to Tenant Management Account System:

admin: A super administrator who owns all permissions. Usually, the admin is the IT system administrator who have all the permissions.
Local User: A user that is created on the Cloud. A local user can be added to an organization, added to a project, and attached to a role.
3rd-Party User: A user that is synchronized to the Cloud through 3rd-party authentication. A 3rd-party user can be added to an organization, added to a project, and attached to a role.
Platform User: A user that is not added to a project yet, including platform admin and the regular platform member.
Platform Admin: A user that has the platform admin role attached. A platform admin who has been allocated a specified zone or all zones manages the data center of the allocated zone or zones.
Head of Department: The admin can assign a head for the department, and this role is used for identification only. When a head of department becomes a project member, the head of a department has the permission to check department bills.
Project User: A user who has joined a project, including project admin, project operator, and regular project member.
Project Admin: A user that has the project admin role attached. A project admin is responsible for managing users in a project, and has the highest permission in a project.
Project Manager: A user that has the project manager role attached. A project manager assists project admins to manage projects. One or more project members in the same project can be specified to act as project managers.
Department Manager: The admin can assign a department manager for the new team. It is a type of platform role and is responsible for the operation management of the entire department, including project management, ticket management, checking bills, and department critical resource monitoring.
Root Role: The root role is used to limit the permission scope of the custom role. The permission of a custom role is inherited from its root role, and is a subset of the root role permission.
Quota: A measurement standard that determines the total quantity of resources for a project. A quota mainly includes the VM instance count, CPU count, memory capacity, maximum number of data volumes, and maximum capacity of all volumes.
Project Reclaim Policy: You need to specify a project reclaim policy when you create a project. There are three types of project reclaim policy, including unlimited, reclaim by specifying time, and reclaim by specifying cost.
- Unlimited: After you create a project, resources within the project will be in the enabled state by default.
- Reclaim by Specifying Time:
  - When the expiration date for a project is less than 14 days, the smart operation assistant will prompt you for The license will be expired after a project member logs in to the Cloud.
  - After the project expired, resources within the project will be collected according to the specified policy. The policy includes disabling login, preventing project members from logging in to the Cloud, stopping resources, and deleting projects.
- Reclaim by Specifying Cost: When the project spending reaches the maximum limit, resources within the project will be collected according to the specified policy. The policy includes disabling login, preventing project members from logging in to the Cloud, stopping resources, and deleting projects.
Access Control: When you create a project, you can specify whether to allow or prohibit project members to or from logging in to the project within a specified time period. There are two types of access control policy: login allowed time and login prohibited time.
- Login Allowed Time: You can set the time when members in the project can log in to the project by day or week. After setting, the project members can log in to the project only during the login allowed time period.
- Login Prohibited Time:You can set the time when members in the project cannot log in to the project by day or week. After setting, the project members cannot log in to the project during the login prohibited time period.
Security group constraint: If you enable security group constraint, when a project member creates a VM instance, the VM instance must have one or more security groups attached.
- Before you can enable security group constraint for the project, make sure that the project security group quota is set to 1 or higher.
- If you enable the security group constraint for the project, a default security group is created when the project is created.

The tenant management system grants users a variety of permissions. The permissions of different user roles are as follows:

Differences in Accounts Login in Tenant Management
- Admin can log in to the Cloud via Account Login.
  By using Chrome or Firefox, go to the Account Login page via http://management_node_ip:5000/#/login. To log in to the Cloud, the admin must enter the corresponding user name and password.
  
  Figure 1. Main Login Page
- For users (platform admin, platform user, project admin, project manager, regular project member, or department manager), log in to the Cloud via Project Login.
  By using Chrome or Firefox, go to the Project Login page via http://management_node_ip:5000/#/ project. To log in to the Cloud, enter the corresponding user name and password. Specifically, the Cloud has two login entrances for Project Login as follows:
  - Local user: the user created on the Cloud. Log in to the Cloud via Local User.
  - AD/LDAP user: the 3rd-party user synchronized to the Cloud via the 3rd-party authentication. Log in to the Cloud via AD/LDAP User, as shown in Project Login Page.
  After the successful login, you can select the platform or project to be managed to log in to the corresponding management interface.
  
  Figure 2. Tenant Login Page

Feature Differences from Various Perspectives

Feature Menu	admin/Platform Admin/Regular Platform Member	Project Admin/ Project Manager	Department Manager	Regular Project Member
Organization	○	○	○	○
User	○	○	○	×
Role	○	○	○	○
Project Member	×	○	×	○
User Group	○	○	○	○
3rd-Party Authentication	○	×	×	×
Project	○	×	○	×
Process Management	○	×	×	×
My Tickets	×	○	×	○
My Approval	○	○	○	×

Differences in Permissions of Platform/Project Roles

Platform Roles: admin, platform admin, department manager, and regular platform user. The permissions corresponding to these roles are differentiated as follows:

Role	Difference
admin	A super administrator who owns all permissions.
Platform Admin	A platform admin is a type of administrator who has been allocated a specified zone or all zones, and assists the admin to jointly manage the Cloud. A platform admin has all the permissions that the admin has, except the following: A platform admin is allocated a specified zone or all zones, and has the permissions to manage resources in the zone or zones only. Currently, a platform admin is not granted relevant permissions to create or delete zones. A platform admin does not have the permissions related to ticket management, and the menu My Approval is not displayed for this role. A platform admin does not have the permissions related to certificate management, and cannot perform actions such as uploading a certificate.
Department Manager	The department manager is a role who has been allocated a specified department, which can be designated by the admin for the new team and responsible for managing the whole department. A department manager has the following permissions: View homepage: Allows you to view the summary of project resources in the department under the management only. View the Cloud monitor: Allows you to view the monitoring information of critical resources of the department under your management. View organizations: Allows you to view the organizational structure of the Cloud, but not to perform related operations. View users: Allows you to view the user information on the Cloud, but not to perform related operations. View user groups: Allows you to view the user group information, but not to perform related operations. Viewing roles: Allows you to view the system project roles of the Cloud, the project roles whose owner is the admin, and the project roles whose owner is the management department (and sub-departments). View projects and project-based operations: For projects under the managed department (and sub-departments), you can view, edit, and add project members. Setting a department, changing billing prices, generating project templates, and setting logon time limits for projects are not supported. Ticket approval: Supports ticket approval, but the menu Process Management is not displayed. View/Export bills: Allows you to view or export project bills and departmental bills of the department (and sub-departments) under your management.
Regular Platform Member	Platform members other than the platform admin. A Platform member has all the permission that the admin has, except the following: A regular platform member does not have the permissions related to ticket approval, and the menu My Approval is not displayed for this role. A regular platform member can view users who are in the same organizational structure only. Ungranted permissions.

Project Roles: project admin, project manager, and project member. The permissions corresponding to these roles are differentiated as follows:
- A project admin can specify one or more project members in the same project to act as project managers, assisting project admins to manage projects.
- A project manager has all the permissions that a project admin has, but

Advantages

The Tenant Management of ZStack Cloud has the following advantages:

Full-featured: Tenant Management provides users with a range of features such as organization structure managements, project-based resource access control, ticket management, and independent zone management.
User-friendly: Tenant Management allows you to manage the operation permissions of different roles in a multi-level organizational structure, making the organizational management more flexible and user-friendly.
Cost-effective: Each organization has different kinds of departments. In a traditional IT company, resources are allocated to these departments based on their actual needs, and permissions are assigned as needed as well. Against the backdrop of cloud migration, the management over the departments is achieved on the cloud to minimize the management costs.

Scenarios

Each organization has its own administrative departments. In a traditional IT company, resources are allocated to administrative departments based on their actual needs, and permissions are assigned as needed as well. After companies migrate their business to the cloud, they expect to enjoy the same experience in resources allocation and permissions assignment on the cloud, which is compatible with the management by administrative departments.

The Tenant Management of ZStack Cloud provides users with a range of features such as organization structure managements, project-based resource access control, ticket management, and independent zone management. Through the division of the organizational structure, it provides the same management as the administrative department and minimizes the management costs.

Organization

Create an Organization

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > Organization. On the Organization page, click the plus sign to the right of Organization. Then, the Create Organization page is displayed.

On the displayed page, set the following parameters:

Name: Enter a name for the organization.
Description: Optional. Enter a description for the organization.
Type: Choose the type of the organization. You can add a new team (by default) or add a subdepartment.
Note: To add Subdepartment, you need to specify Upper Department from the subdepartment or new team that are already added.
Admin: Optional. Specify an appropriate user as the admin.
Department Manager: Optional. Specify a department manager for the new team to assist the admin to manage the department.
Note:
- A department manager is in charge of the operational management of the whole department, including project management, ticket approval, bill checks, and key resource monitoring.
- A user cannot be specified as the department manager if the user is already attached to other roles.
- A user cannot be attached to other roles if the user is specified as the department manager.
Quota Setting: The quota settings can be configured manually, and you can configure the quota settings for the following resources:
- Compute Resource: including memory, and the number of VM instances, running VM instances, CPU, GPU devices, elastic baremetal instances, and VM scheduling polices.
- Storage Resource: including the quantity of data volume, volume snapshot, available storage capacity, image, total image size, backup data, and available backup capacity.
- Network Resource: including the quantity of VXLAN network, L3 network, security group, VIP, EIP, port forwarding, load balancer, and listener.
- Other: including scheduled job, scheduler, resource alarm, event alarm, endpoint, and tag.

Operational Management