This is part two in a four-part series that walks through a scenario in which the modern IT department in the medium and large enterprise treats internal business units as tenants (or customers) of a central IT department. There are four high-level steps to deliver this scenario using Microsoft System Center 2012 Service Pack 1 and Windows Server 2012. These are the four posts in the series (with the last two to come):

  • Building the private cloud: Prepare the fabric in System Center VMM
  • Build private cloud capacity and assign to cloud tenants using SCVMM
  • Consume cloud resources (as tenant) using System Center App Controller
  • Provide self-service cloud resources (as service provider) using Service Provider Foundation (SPF) and Windows Azure Services for Windows Server (WASWS)

Build private cloud capacity and assign to cloud tenants using SCVMM

In this second post in the series, we will cover building capacity into private clouds using the service provider’s data center fabric, and then assigning permission to a tenant to deploy a virtual machine into the private cloud(s). We are going to focus on the delegated capacity aspect of the scenario. The first thing you need to do is define the private cloud as a discrete administrative unit.

Build private cloud capacity: Define resources and assign quotas

A private cloud is an administrative object that is a single point of reference for delegation, access, and charge-back. Each cloud you create must have at least one SCVMM host group (or VMware Resource Pool) assigned. Optionally, configure networking, load balancer, storage, and library settings for the cloud. In defining a private cloud, you are creating a model of possible future capacity use by a tenant. In other words, you are pre-defining the scale and configuration of a service offering.

Figure A is a Microsoft chart listing sample resources used to assemble a private cloud. Of course the Storage classification should represent a pool of storage devices that can dynamically deliver capacity as it is purchased. A key setting to consider is the Stored virtual machine path. This unique library path and corresponding physical storage must be ready for access by the tenant in case they want to store virtual machines.

Figure A

Summary of resources used to assemble a private cloud.

Assigning quotas to private clouds is critical for the service provider. Quotas must be selected that account for the total population of tenants and services they are empowered to create. Quotas are a safety device that makes sure:

  • Capacity is available (within quotas!) for any tenant when they request it.
  • Inadvertent “out of control” consumption is prevented.
  • Too many tenants can’t request so many resources at once that they overwhelm the data center fabric.

Figure B shows the Overview page of a private cloud with 2 virtual machines. Notice the usage and quotas summaries for processor cores (10), memory (10-GB), and storage (1-TB) in the upper portion; and in the lower portion, quota usage by individual user roles assigned to the cloud is listed.

Figure B

After creating a private cloud, the Overview page in the SCVMM console summaries quota use.

Assign capacity to tenant: Create and customize user roles

After defining the cloud capacity to be delegated to a tenant, the next step is to create user roles and assign them to cloud(s). Access to cloud resources is role-based, with SCVMM being able to create three kinds of administrator roles and a self-service user role. These are in addition to the service provider admin that has access to all fabric resources–to make a user a full SCVMM administrator, add them to the pre-defined Administrator user role.

  • There is the concept of the Delegated Fabric Administrator and the Read-Only Administrator, both of which can be scoped to SCVMM host groups or private clouds. This administrative layer between the fabric owner (the service provider) and the consumer may or may not exist depending on the service provider’s organization and the nature of the offering.
  • The consumer roles, the Tenant Administrator and the Self-Service User, are allowed to create services in private clouds (but not in host groups that are not part of private clouds). The self-service user is kept in a scalable sandbox that is quota-limited. The Tenant Administrator can set quota for self-service users within the private cloud(s) they have access to.

Microsoft’s “CloudOS” roadmap is about empowering the self-service role as an instrument of a business unit leader for agile, “get just what you need”, and “pay just for what you use” services. Charge-back is a key business efficiency of CloudOS–the self-service user is empowered to drive up or down the cost of their IT expenses based on a metric they are in control of.

Custom user roles

Custom roles can be configured after creating a user role. When you create a user role, you can only select from one of the three administrator types, or the self-service user type. Then you can open the user role in the SCVMM console and get more granular on actions that are allowed for that user role. Figure C shows the permitted actions for an existing user role.

Figure C

Custom user roles are possible by modifying the permitted actions for an existing user rule.

Notice the Share and Receive permissions that can be selected in Figure C. These allow members of a user role to grant resources that they own to other Self-Service User roles. A self-service user must be the owner of a resource to share it. The Self-Service User role that receives the shared resource must be assigned the Receive action.
More Information

For full details on the steps covered in this article, consult these links at Microsoft:

Create Private Cloud:

Create User Roles: