By Kevin Lees, Chief Technologist, IT Operations Transformation, and Andrea Siviero, Principal Architect
VMware Cloud on AWS continues to evolve based on customer feedback. One of the areas impacted recently is that of VMware customer, also referred to as “tenant,” permissions. As a result, we’ve updated the roles and responsibilities reflected in the PACSI matrix we originally published late in 2018. The update affects four roles:
- Customer Global Cloud Admin
- Customer Cloud Admin
- NSX Admin
- NSX Auditor
In this short blog, we’ll describe the impact of the affected role in the context of the PACSI matrix. A link to the updated PACSI matrix can be found at the end of the blog.
PACSI
But first, for those of you reading about this VMware Cloud on AWS PACSI matrix for the first time, what is PACSI and why did we use it instead of the more commonly used RACI approach? PACSI is defined as:
- Perform – The person/function carrying out the activity
- Accountable – The person/function ultimately answerable for the correct and thorough completion of the deliverable or task, and often the one who delegates the work to the performer
- Control – The person/function reviewing the result of the activity (other than the accountable). He or she has a right of veto; his or her advice is binding
- Suggest – The person/function consulted to give advice based upon recognized expertise. The advice is non-binding
- Informed – The person/function who must be informed of the result of the activity
As mentioned in our original blog, we decided to use PACSI as it provides a slightly more granular set of responsibilities that better fit the allocation of responsibilities in a managed service such as VMware Cloud.
Customer Global Cloud Admin and Customer Cloud Admin Roles
As a refresher, in the cloud SDDC, VMware performs numerous administration tasks for you. This includes, but is not limited to, managing the lifecycle of the cloud SDDC software stack (deployment, configuration, patching, etc.), configuring the AWS infrastructure, and adding/removing hosts and networks during failure scenarios or cluster-scaling operations. Because the service is doing all of this for you, a Cloud Administrator in the SDDC vCenter requires fewer privileges than an Administrator on an on-premises data center.
- CloudAdmin Role: The CloudAdmin role has the necessary privileges for you to create and manage workloads on your SDDC. However, you cannot access or configure certain management components that are supported and managed by VMware, such as hosts, clusters, and management virtual machines.
- CloudGlobalAdmin Role: The CloudGlobalAdmin role had a subset of the privileges granted to the CloudAdmin role but has be deprecated as of SDDC version 1.7 .
While the CloudGlobalAdmin is still shown in the updated PACSI matrix but is shown as deprecated and all responsibilities previously associated with the CloudGlobalAdmin have been moved to the CloudAdmin role.
This change impacts every section of the PACSI matrix except that for VMware Cloud on AWS to AWS Access Management.
In addition, the CloudAdmin role has added a new Authorization.ModifyRoles privilege. This new privilege means the CloudAdmin role can now create customized roles for vCenter users with much greater granularity as shown in Figure 1, but remember you are still required to add your own external identity source.
For a detailed chart of all of the privileges mapped to the CloudAdmin role you can review the Privileges Reference for CloudAdmin in VMware Docs.
NSX Admin and NSX Auditor Roles
The NSX Admin and NSX Auditor roles apply if when your VMware Cloud on AWS instance is based on NSX-T. The NSX Admin can view and configure feature under the Network & Security tab wherein they can perform all tasks related to deployment and administration of the NSX service. As one would expect, the NSX Auditor role, on the other hand, is much more restricted. The NSX Auditor role can view NSX service settings and events but cannot make any changes to the service.
These two roles are applicable to the Network Management, Security Management, and On-premise to VMware Cloud AWS Connectivity Management sections of the VMware Cloud on AWS PACSI matrix as shown in Figure 2, Figure 3, and Figure 4 respectively.
In Closing
While differences with on-premise operational activities do exist, the consensus among those who are managing SDDC environments on VMware Cloud is that the biggest challenge is making the mindset shift to work within the constraints that exist when managing with vCenter. Once that mindset shift is accomplished, they find managing SDDC environments on VMware Cloud and working with the VMware team managing the underlying environment extremely easy and seamless. Once they do, IT can fully leverage capabilities provided by their on-premise VMware SDDC to VMware Cloud integrated hybrid cloud and realize the benefits of having a common operating environment.
You can download the full VMware Cloud on AWS PACSI matrix here.
About the Authors
Kevin Lees is the field Chief Technologist for IT Operations Transformation at VMware. His focus is on how customers optimize the way they operate VMware-supported environments and solutions. Kevin serves as an advisor to global customer senior executives for their IT operations transformation initiatives. He also leads the IT Transformation activities in VMware’s Global Field Office of the CTO. He is the author of the books Operationalizing VMware NSX and Operationalizing VMware vSAN which can be downloaded from vmware.com here and here respectively.
Andrea Siviero, Principal Architect on the Professional Services Engineering and Remote Delivery (PS ERD) team, is a 13-year veteran of VMware. He is responsible for driving the roadmap and execution of professional services for Hybrid Cloud solutions, as well as transforming the way VMware defines, creates and offers professional services. He also recently joined the Office of the CTO to drive activities related to Artificial Intelligence and Machine Learning.
