I covered multi-tenancy with Rubrik some time ago, but things have certainly advanced since then. One of the useful features of Rubrik CDM (and something that’s really required for Envoy to make sense) is the Organizations feature. This is the way in which you can use a combination of LDAP sources, roles, and tenant workloads to deliver a packaged multi-tenancy feature to organisations either within or external to your company. In this article I’ll run through the basics of setting up an Organization. If you’d like to see how it can be applied in a practical sense, it’s worth checking out my post on deploying Rubrik Envoy.
It starts, as these things often do, by clicking on the gear in the Rubrik CDM UI. Select Organizations (located under Access Management).
Click on Create Organization.
You’ll want to give it a name, and think about whether you want to give your tenant the ability to do per-tenant access control.
You’ll want an Org Admin Role to have particular abilities, and you might like to get fancy and add in some additional roles that will have some other capabilities.
At this point you’ll get to select which users you want in your Organization.
Hopefully you’ve added the tenant’s LDAP source to your environment already.
And it’s worth thinking about which users and/or groups you’ll be using from that LDAP source to populate your Organization’s user list.
You’ll also need to consider which role will be assigned to these users (rather than relying on Global Admins to do things for tenants).
You can then assign particular resources, including VMs, vApps, and so forth.
You can also select which SLA Domains the Organization has access to, as well as Archival locations, and replication targets and sources. This becomes important in a multi-tenanted environment, as you don’t want folks putting data where they shouldn’t.
At this point you can download the Rubrik Envoy OVA, deploy it, and connect it to your Organization.
And then you’re done. Well, normally you would be, but I didn’t select a whole lot of objects in this example. Click Finish and you’re on your way.
Assuming you’ve assigned your roles correctly, when your tenant logs in, he or she will only be able to see and control resources that belong to that particular Organization.