How to create a new tenant in a Multitenant Environment
Proccess to create a new tenant
The purpose of this document is to show the users how to create a new wholesaler, a new partner, and a new tenant, and how to configure them for their usage.
Flexxible|SUITE Tenants Hierarchy
Flexxible|VDI Manager allows you to work with a whole infrastructure designed only for a unique client or a group of users. Simultaneously, you can also segment the users in multiple Tenants.
The tenant segmentation allows different functionalities such as:
Grouping all the users in a single View.
Giving tenants' user access to the console in such a way that the user can work or interact with the tenant elements due to its level of belonging to the console.
Enabling the Utilization and Accounting Logs for measuring resources used by the users in a tenant in order to retrieve the data needed for billing in cases of utilization payment.
Tenants Management Segmentation in partners and the ability to limit the visibility for the console users when it comes to environment management.
What is a Tenant?
A tenant is a group of users of the following types:
An entire organization, which we can provide our services throughout the console.
A department of a company or the location of a large corporation.
A pre-production environment to validate templates through change controls.
Flexxible|SUITE Smartworkspaces has three multi-tenancy levels:
Wholesaler Level: This is the root level, it has admin Access on the entire structure located under it.
Partner Level: This is the entity a Tenant depends on. It includes a default tenant (partner tenant). Through the default tenant, the partner has visibility and admin rights on the different tenants created for the specified partner.
Tenant level: A tenant is a group of resources and users assigned to a particular environment. In the Tenant view, we can perform the orchestration of the mentioned resources in a unified way.
How to create Tenants
As mentioned before, any multitenant environment requires a Wholesaler, a Partner, and a Tenant.
When you create a new Wholesaler, the “Partner Default” and the “Tenant Default” will be created automatically. These entities are mandatory and they should not be deleted (in case they are deleted, you should contact Flexxible to assign this entity to another Partner or Tenant as VDI OS Manager doesn´t support this action).
Just as it is implemented, the ‘Tenant Default’ of a partner will act as a Partner and at the same time, the ‘Tenant Default’ of the ‘Partner default’ will act as the Wholesaler.
To create a new Wholesaler, we should click on the “Wholesalers” menu option and then click on the “New” button.
To create a new wholesaler, it is mandatory to provide the following data:
- Name: The name of the wholesaler
- Desktop Access URL: This is the URL to access the desktops or published apps. This field can be used in the storefront for information only. In case a web interface (deprecated) is used, the correct URL should be included.
After clicking on the Save button, if we click on the Tenants menu option, we can verify that the ‘Partner Default’ and the ‘Tenant Default’ are already created.
In a given Tenant, you can see in the CODE column (See SS below), that a non-editable 3 characters alphanumeric code has been assigned to this tenant automatically. This code will be the unique identifier for this Tenant.
Starting with Flexxible|SUITE v 4.10, the "NextTenantCode" setting allows to set the next code to use for a new tenant or partner. This allows to start numbering for a new Flexxible|SUITE installation in a code different than the default "A00" (for example "CA2", or "M00"), or to change the next code for a new tenant or partner in an existing installation to a code higher than the last used one.
The value of "NextTenantCode" must be a code with exactly three digits. Valid digits are "ABCDEFGHJKLMNPQRSTUVWXYZ0123456789". Note that the "I" and "O" letters are not valid to avoid confusion with the numbers "1" and "0". The first digit must be a letter, since the tenant code is used as a VM naming pattern, and Citrix Virtual Apps & Desktops does not allow VM naming patterns to start with a numeric digit.
If the setting contains an invalid value, it will be ignored and the tenant numbering will continue following the last tenant code.
From now on, all the management activities will take place on this Tenant.
The partner’s name will be changed to the name of the Wholesaler and the Tenant’s name will include the name of the Wholesaler within the word “default” concatenated to it. In case you want to change these names you can rename them in the “Name” field in the Partner and in the Tenant respectively. Both are included in the Tenant menu option.
The ‘tenant default’ will always be displayed in bold in the Tenants list. That way it will be very easy to distinguish it from the other tenants.
At this point, we should follow the instructions indicated in the “How to Initialize a Tenant” section.
To create a new Partner you should click on the “New” button in the Tenants menu.
Once the tenant page is displayed to create the new entity (tenant or partner), if we want to create a tenant, we should select a partner in the Partner field. If we want to create a partner, we have to select a wholesaler in the Wholesaler field (The Partner field will be empty in this case)
These are the fields needed to populate if we want to create a new Partner:
- Name: Name of the new partner
- Code: automatically populated
- Partner: This field must be empty. From version 4.7, the partner field is suppressed when creating a partner.
- Wholesaler: Select the wholesaler in which we want the partner to reside.
- Visible: Check it if you want the partner to be visible for non-admin users
Once the partner is saved and we go back to the tenant's list, we can see how the new partner has been created and also the default tenant for this partner. The tenant’s name will include the name of the Partner within the word “default” concatenated to it. To initialize this partner, we should follow the process described in the “How to initialize a Tenant” section.
This process is very similar to the creation of a new partner. The first thing to do is go to the tenant's list and click on the “New” button.
Once the new tenant/partner page is displayed, based on the info we provided we can have either a new partner or a new tenant.
In case we want to create a new tenant, the following fields should be populated:
- Name: This is the name of the new Tenant
- Code: This field will be populated automatically
- Partner: Select the partner to be associated with this tenant
- Wholesaler: This field must be empty. From version 4.7, the wholesaler field is suppressed when creating a tenant.
- Visible: Check this option if we want the tenant to be visible to the non-admin users
- Once we save the tenant and go back to the tenants' list, we can see how this new tenant has been created. To initialize it, check the “How to initialize a Tenant” section
When a new tenant is created, it will be in Processing status until all the required fields are populated and the tenant initialization is completed. During this process, if the tenant has the right permissions, some entities such as User Groups, Organizational Unit(OU), etc will be created.
The following requirements should be met for the correct initialization of a tenant:
- A domain must have been created in the “Domains” menu (if the domain is going to be used by more than one tenant, the option “Contains multiple tenants” has to be checked in the mentioned domain).
- The VLAN also has to be created in the “VLANs” menu for the corresponding Wholesaler. A fake VLAN should be created in case the environment doesn´t need one.
- In case we don´t have permission to create Groups and OUs, these groups and OUs must be created and initialized manually as explained in the “Tenants Management \ AD Configuration” section.
Once we populate the Domain and the VLAN fields included in the Networking section of the specified Tenant and save it, we can click on the “Deploy and Update tenant infrastructure” button. Then a tenant initialization Job will be generated.
In the Active Directory, this Job will create permissions, VDI OS Manager internal configuration, … and all the items needed for the correct use of the mentioned tenant.
In case we want this tenant to be visible for the non-admin users, we must check the “Visible” option in the Tenant. If we don´t do that, this tenant will only be visible to the administrators.
Once the mentioned Job is completed, the tenant status will change to “Ready”. This means that we can already start working on this tenant and configure some parameters that have been hidden during the tenant’s creation process.
If you have permissions to create groups in the tenant domain, you can see in the “AD Configuration” section, that some fields have been auto-populated with the generated groups and OUs.
For existing tenants, or tenants that have been recently restarted, we can work with the following items:
In general, you will get familiar with these fields:
- Name: This is the name of the Tenant
- Status (non-editable): shows if the tenant is ready to be used (Ready) or if the tenant initialization is still in process (Pending, processing).
- Code (non-editable): This is the code assigned to a particular tenant (three alphanumeric characters).
- Partner (non-editable): This is the name of the partner associated with a given tenant. The “Change partner” and “Open partner” options are available in case you want to change the partner for this tenant or to go to the Partner itself.
- Can Share template: In case this option is checked in a Partner (the Partner’s default tenant), we will be able to share the templates created for this Partner with its tenants. This way we can use the same template in more than one tenant.
- Bill To Partner: In case of automatic billing using VDI OS manager data, if this option is checked, during the Billing process, the Bill will be generated for the Tenant. Otherwise, the bill will be included in the partner’s bill.
- Visible: if checked, means that this tenant is visible for the non-admin users.
- Is Default (non-editable): If it’s checked, it means that this tenant is the default partner.
By clicking on this tab we can see information about the AD Groups and OUs that are used by VDI OS for some automatic tasks.
This configuration will work differently depending on whether the VDI OS manager has permission to create Organizational Units and groups in the active directory or not.
In case it has permissions, these fields will be auto-populated during the tenant initialization. Later on, we will be able to edit these fields.
If VDI OS does not have permissions, we will have to manually populate some mandatory fields to be able to initialize the tenant. There are other fields that we will have to populate only if we want to use some features.
Similarly, there are some fields in which we can leave empty if we are not interested in using certain features. Please, refer to the AD Configuration article for more information.
By default, the visibility of a user is limited by its tenant. This tenant is limited to three different types:
- Tenant-Independent: Usually, these users are platform administrators and have full access. It doesn´t matter what tenant they belong to.
- Wholesaler: These are the default tenants of the default partners. These users have visibility over all the tenants and objects linked to the tenants associated with or located under a specified Wholesaler. This also includes all the partners located under the mentioned Wholesaler.
- Partner: Tenant default (default tenant of the partner). These users have access to all the tenants and objects related to such tenants located under a given Partner. This is the Partner to which they belong. However, they don´t have visibility to tenants located under other partners.
- Tenant: Tenant non default (non-default tenants). These users only have access or visibility on tenants and objects located under the tenant (or partner) they belong to.
You can see and modify a given tenant in the User/Group section as shown below:
In case specific visibility is required for a particular user, you can customize it using the ‘Allowed Tenants’ option.
For example, if we want a user to have visibility to only two tenants located in different partners, by default, we would have to create such a user on the Wholesaler level. However, this is not a good practice as this user would have VISIBILITY on all the tenants located under every partner associated with the mentioned Wholesaler, but Not ONLY on the two tenants on which we originally wanted the mentioned user to have such visibility.
To address this issue, we can click on the ‘Allowed Tenants’ option which can be accessed from:
- Any of the users displayed in the “VDI OS Users and groups” menu option (you have to click on a user)
- The user list located in the tenant “Users” Tab (Just click on any user included in this list)
If there aren´t any users displayed, the default visibility will be applied as described earlier. In case the user belongs to only one tenant (or partner), such a user will ONLY have visibility on the tenants included in that partner.
To add/remove a user from the ‘Allowed tenants’ list, use the “Link” button to add it, and the “Unlink” button to remove it.
To be able to add a tenant, the visible checkbox option must be checked in the tenant.
When it comes to templates, there are three basic ways to add or create a template:
- This option allows us to choose one of the templates that have already been manually created and initialized in the “Desktop template definitions” or in the “Application template definitions” menu options.
- These templates must meet the following requirements:
- They shall have been created following the Citrix guidelines
- They should have the appropriate TAG on the VM Manager level (MasterImage or AppServerTemplate)
- They must have been initialized in VDI Manager (They can be neither in Unavailable nor in Synchronizing status)
- They should belong to the tenant to which you want to import them
- The “Template Active” option in the template must be checked.
.. From OS Image
- This option allows us to create “Desktop template definitions” or “Application template definitions” from scratch. During this process, the entire OS within all the necessary components is installed.
- For more information, please read “How to deploy a new Desktop Template” in https://Help.flexxible.com.
Import Shared template
- Here in the current tenant, we can use templates from other tenants that belong to the same partner (normally the templates are imported from the partner itself).
- To import these templates, the following requirements must be met:
- The tenant and the template’s owner (this is the tenant the template will be imported from) must belong to the same partner
- The “Can share templates” check box option must be checked in the tenant
- The option, “Is Template Shared With Tenants” has to be checked in the template to be imported