using vmware cloud provider hub as a service provider ......vmware saas production support is...

Using VMware Cloud Provider Hub as a Service Provider

VMware Cloud Provider Hub

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.3401 Hillview Ave.Palo Alto, CA 94304www.vmware.com

Copyright © 2020 VMware, Inc. All rights reserved. Copyright and trademark information.


VMware, Inc. 2

https://docs.vmware.com/

mailto:[email protected]

http://pubs.vmware.com/copyright-trademark.html

Contents

1 What is VMware Cloud Provider Hub and what does it do 5

2 Roles and permissions in Cloud Provider Hub 6Roles inheritance from Managed Services Platform 7

3 How do I work with organizations 9How do I change the details of an organization 10

4 How do I manage user roles in my master organization 11

5 How do I manage tenants as a Service Provider 13How do I create a tenant organization 13

How do I provision services for a tenant 14

How do I manage service access for a tenant organization 15

How do I view the usage of an organization 16

How do I remove a tenant organization 17

How do I manage support for my tenants 18

How do I create a support request on behalf of a tenant 20

How do I contact VMware technical support through the chat functionality 21

How do I view the VMware Cloud on AWS SDDC maintenance schedule of my tenants 22

6 How do I manage tenants as a tenant administrator 23How do I manage user roles in tenant organizations 23

How do I view the usage of my tenant organization 24

7 How do I manage add-on services 26

8 How do I test services in trial mode 27

9 How do I edit my user profile 28

10 How do I generate API tokens 29

11 How do I set up federated identity management for my tenants 31How do I manage enterprise groups 32

How do I onboard new tenants to their federated organization as a Service Provider 33

How do I onboard existing tenants to their newly federated organization as a Service Provider 34

How do I onboard tenant users to a newly federated tenant organization as a Tenant Administrator 35

VMware, Inc. 3

How do I link my VMware ID 36

12 How do I secure my account using multi-factor authentication 37What two-factor authentication application can I use 38

13 How do I manage additional master organizations as a Service Provider 39How do I add additional master organizations to my master organization 40

How do I onboard Provider Administrator users to an additional master organization 40

How do I edit the details of additional master organizations 41


VMware, Inc. 4

What is VMware Cloud Provider Hub and what does it do 1As a Service Provider, VMware Cloud Provider Hub is your central point for provisioning and managing VMware Cloud services for your customer tenant organizations. On top of managing service access, you also use Cloud Provider Hub to manage the billing and support for your tenants.

You access Cloud Provider Hub once you have onboarded your master organization. Then you have at your disposal all supported VMware Cloud services for which you have signed commit contracts in the VMware Cloud Provider Commerce Portal. You sign a commit contract for every cloud service in your organization.

For each customer of yours, you create a tenant organization, provision VMware Cloud services to their organization, and assign role-based access to each provisioned service. Since VMware Cloud services exist within an organization, you can impose varying degrees of access to these services per tenant organization.

To provision and manage VMware Cloud services for your tenants, you impersonate as a tenant and access their tenant organizations. When you select a specific tenant organization and choose to manage services for that tenant, you are redirected to the tenant portal of that organization. There you have various tenant management capabilities.

In Cloud Provider Hub, you also view the billing information for your master organization usage and the billing invoices for tenant organizations that you manage.

As a Service Provider, you are the first line of support for tenant organizations that you manage. Through the Support Center, you can either search for a resolution in the VMware documentation center or create a support request on behalf of your tenants.

VMware, Inc. 5

Roles and permissions in Cloud Provider Hub 2As an organization owner, you invite users to your organization and give them role-based access to the organization's resources.

Roles are collections of permissions that bind to the organization's resources. Permissions are actions on a certain organization. The association between a role, a user, and organization is defined as a binding.

In Cloud Provider Hub, organization roles are hierarchical. For example, if you are assigned the Provider Administrator role in your master organization, you keep this role in all tenant organizations managed by your master organization.

When you provide access to one or more of the VMware Cloud services of the organization, you grant users access to the cloud service according to the roles each cloud service provides. For information about specific service roles, refer to the documentation of the relevant VMware Cloud service.

The following tables list the actions each role performs in master and tenant organizations.

Table 2-1. Roles available for service provider's users.

Actions you can perform with the role

Provider Administrator role

Provider Operations Administrator role

Provider Billing User role

Provider Support User role

Provider Account Administrator role

Create and edit service provider's users and their roles.

Create and edit tenant's users and their roles.

Create and edit tenant organizations.

Provision services for tenants.

Grant access for a service to a tenant.

View aggregated and individual tenant usage, and billing.

VMware, Inc. 6

Table 2-1. Roles available for service provider's users. (continued)

Actions you can perform with the role

Provider Administrator role

Provider Operations Administrator role

Provider Billing User role

Provider Support User role

Provider Account Administrator role

View, create, edit, and delete support tickets for service provider organizations and tenant organizations.

View and manage operations, services, billing, and support for specific tenants.

Note The Provider Account Administrator role allows managing only the tenants that the user has permissions to access. If you combine this role with the Provider Administrator role, that has unrestricted access, the user cannot access all tenants in the organization, but only tenants that are accessible as a result of being Provider Account Administrator.

Table 2-2. Roles available for tenant's users.

Actions that you can perform with the role

Tenant Administrator role Tenant User role

Tenant Billing User role

Create and edit tenant's users and their roles.

Grant access for a service to the tenant's user.

Use the services to which you already have access granted by the Tenant Admin.

View the usage of provisioned services.

This chapter includes the following topics:

n Roles inheritance from Managed Services Platform

Roles inheritance from Managed Services PlatformCloud Provider Hub grants the same organization-based and service-based access roles as the roles in Managed Services Platform 1.x. Some Managed Services Platform 1.x roles must be combined to match the access that a single role grants in the Cloud Provider Hub.

The following tables list the VMware Cloud Provider Hub 2.0 roles with their counterparts in the Managed Services Platform 1.x.

Table 2-3. Roles on Master Organization Level

VMware Cloud Provider Hub 2.0 Managed Services Platform 1.x

Provider Administrator org_owner

Provider Administrator org_owner with msp_user

Provider Operations Administrator org_member


VMware, Inc. 7

Table 2-3. Roles on Master Organization Level (continued)


Provider Operations Admininistrator org_member with msp_user

Provider Operations Admininistrator org_member with msp_user and support_user

Support Admininistrator org_member with support_user

Table 2-4. Roles on Tenant Organization Level


Tenant Administrator org_owner

Tenant Billing org_member with msp_user

Tenant User org_member

Tenant User org_member with support_user

Tenant Billing org_member with msp_user and support_user


VMware, Inc. 8

How do I work with organizations 3VMware Cloud Provider Hub uses organizations to provide controlled access to one or more services. You must belong to an organization before you can access a cloud service.

In this document, service provider organizations are called master organizations, and their customer organizations are called tenant organizations.

If you are a Service Provider with the applicable role, you have access to all the resources of your master organization. You add cloud services to your organization, invite new users, and manage the organization's payment methods and the organization's user accounts and roles.

To see the permissions assigned to each role within master and tenant organizations, see Chapter 2 Roles and permissions in Cloud Provider Hub.

What is my active organization?Your active organization is the one displayed under your user name on the menu bar when you sign in to

Cloud Provider Hub. The master organization managing the active organization is labeled with icon.

If you belong to more than one organization, you can switch from the active organization to another of your organizations at any given time. To do so, click your user name and select the organization from the Change Organization drop-down menu. Using the Set Default Organization option, you can set a default organization to which you sign in by default.

What is an organization ID?Each organization has a unique ID. You might need to use this ID when interacting with external command-line interfaces. You can view the organization ID by clicking your user name. A shortened version of the ID is displayed under the organization name. To display the full organization ID, click the ID.


n How do I change the details of an organization

VMware, Inc. 9

How do I change the details of an organizationAs a Provider Administrator or Tenant Administrator, you can edit the name, country, zip/postal code, and tag details of an organization.

Prerequisites

Verify that you are assigned the Provider Administrator or Tenant Administrator role.

Procedure

1 Click your user name and select View Organization.

You are redirected to the Details page.

2 Click the pencil button located next to every field, make your changes, and click Save.

Results

The new organization details that you entered are immediately updated.


VMware, Inc. 10

How do I manage user roles in my master organization 4As a Service Provider, you add users to your organization and manage their role-based access to the organization's resources.

Prerequisites

Verify that you are assigned the Provider Administrator role.

Procedure

1 In the Cloud Provider Hub portal, click Identity & Access Management.

2 Click Add User.

3 In the Email Addresses text box, enter the email address of the user you want to add to your organization.

You can add more than one user at a time.

4 From Role in organization, select the organizational role of the user.

When you select the Provider Account Administrator role, you can assign one or more tenant organizations from the Select Tenant Org drop-down menu, in which the user will have administrator privileges.

5 Click Add.

Results

If a user has VMware ID set up with their email, they are immediately added to your organization and appear in the Active Users tab.

If a user does not have VMware ID set up with their email, they receive an invitation to create a VMware ID and join your organization. You can view the status of current invitations in the Pending Invitations tab, from where you can also revoke invitations sent by mistake, or resend expired invitations. Invitations expire after seven days.

What to do next

n You can modify user roles through the Edit Roles option.

VMware, Inc. 11

n You can permanently remove users from your organization through the Remove Users option.

Note Do not add users through the SDDC page of VMware Cloud on AWS. Users you add that way cannot access Cloud Provider Hub and cannot be managed within the Cloud Provider Hub UI.


VMware, Inc. 12

How do I manage tenants as a Service Provider 5You manage your customer organizations by creating a tenant organization for them, modifying the tenant's information, and providing service access to the tenant.


n How do I create a tenant organization

n How do I provision services for a tenant

n How do I manage service access for a tenant organization

n How do I view the usage of an organization

n How do I remove a tenant organization

n How do I manage support for my tenants

n How do I view the VMware Cloud on AWS SDDC maintenance schedule of my tenants

How do I create a tenant organizationAs a Service Provider, you add tenant organizations to your master organization. A tenant organization holds the usage and data for end customers that are managed within that master organization.

Prerequisites

n You are onboarded successfully with your master organization.

n You have the Provider Administrator role within the master organization.

Procedure

1 In the Cloud Provider Hub portal, click Tenant Management.

2 Click Add Tenant.

3 Enter the details for the new tenant organization, and click Add.

Entering an email address for the Admin Contact is optional. You specify an Admin Contact if you want the newly created tenant to access the Cloud Provider Hub tenant portal. The user you enter for the Admin Contact receives the Tenant Administrator role for this tenant organization.

The new tenant appears in the list of existing tenants.

VMware, Inc. 13

4 Acknowledge the addition of this tenant organization.

The tenant receives a notification mail.

Results

By default, no services are available for the newly created tenant.

All Provider Administrator and Provider Operations Administrator users from your master organization are granted administrator privileges within the tenant organization.

What to do next

Proceed with provisioning services to the tenant.

How do I provision services for a tenantYou provision services for a tenant through the tenant portal of the tenant organization.

Prerequisites

n You have at least one active VMware Cloud service in your master organization.

n There is at least one tenant organization managed by your master organization.

n You have the Provider Administrator, Provider Operations Administrator, or Provider Account Administrator role with privileges for managing a specific tenant organization.

n If the service you provision is VMware Cloud on AWS, make sure that your tenant has an existing account number with Amazon Web Services.

Procedure


2 Select a tenant organization and click Manage Services.

3 From the pop-up window, click Continue to navigate to the tenant organization.

You are redirected to the tenant portal where you see the all services available for provisioning.

4 Click Open on the service that you want to provision.

The Open Service pop-up window appears.

5 To confirm the activation of the service, click Open.

All existing users with Provider Administrator, Provider Operations Administrator, and Provider Account Administrator role are granted administrator privileges for this tenant organization, and the provisioned service.


VMware, Inc. 14

Results

The VMware Cloud service is activated for the tenant organization, visible under Services Provisioned for You on the Services tab of the tenant portal. By default, the tenant has no access to the service until you set the level of access you want to grant them.

Note Add-on services enabled through VMware Cloud on AWS are available in Cloud Provider Hub but they retain the commit discounts of the VMware Cloud on AWS commit contract. If you sign a separate commit contract for the add-on service, you can still get service-specific commit discounting.

What to do next

Proceed with setting the tenant organization's level of access to the service and configuring the service for the tenant.

How do I manage service access for a tenant organizationYou modify the service access of tenant organizations after you provisioned a service for them.

When you activate a service for a tenant, all Service Provider users with administrative roles are granted administrator privileges within the tenant organization with the capability to manage the tenant organization's level of access to the service.

Prerequisites

The service to which you want to modify access is already provisioned for the tenant organization, visible under Services Provisioned for You on the Services tab of the tenant portal.

Procedure


2 Select a tenant organization and click Manage Services.

3 From the pop-up window, click Continue to navigate to the tenant organization.

You are redirected to the tenant portal where you see the all services available for provisioning.

4 On the service tile of the service you want to manage, click Manage Tenant Access.

5 Select the type of service access you want to grant the tenant.

Option Description

No Access for the Tenant Does not provide users access to the service.

Grant vSphere Access Only grants vCenter Server access.

Note This option is present only when the VMware Cloud on AWS service is active for the tenant organization. You are in full charge of managing VMware Cloud on AWS for your tenants.

Grant Service Access with the following Service RolesAssigns service-specific roles to the tenant. Refer to the documentation of the relevant cloud service for more information about the service roles they provide.


VMware, Inc. 15

6 To save the changes, click Confirm.

Results

The tenant organization is granted the level of access that you selected. All Tenanat Administrator users are granted the organization-level service access that you set. The service roles assigned to tenant users appear on the Identity & Access Management tab of the tenant portal.

What to do next

n You can modify the organization roles and the service roles for a specific tenant user.

n You can view a tenant's usage of a service for a selected period.

How do I view the usage of an organizationAs a Service Provider with the applicable role, you can view the usage of your master organization and all tenant organizations managed by you.

The Cloud Provider Hub Service Provider portal allows you to access a record of the consumed cloud services by the tenant organizations in your master organization. The usage report collects services usage data from current and previous months. Monthly usage of previous months generates on the fifth day of the next month, and current monthly usage is available from the first day of every month.

Note At this time, current monthly usage is displayed only for VMware Cloud on AWS host, Elastic vSAN, and EBS usage.

Prerequisites

n You have the Provider Administrator, Provider Operations Administrator, or Provider Billing User role. If you have the Provider Account Administrator role you can view the usage only of the tenant organizations to which you are assigned.

Procedure

1 In the Cloud Provider Hub portal, click Usage.

2 Select the Overview tab and choose a tenant organization from the drop-down menu.

3 Specify the billing period and click View.

Results

The usage report appears in the report table with an option to download it in CSV format.

Table 5-1. Usage Report Details

Report Column Description

Service Name of the service.

Product Family Product Family identifier.

SKU Name Unique identifier for each SKU. Different for every service and data center.


VMware, Inc. 16

Table 5-1. Usage Report Details (continued)


Customer Segment Indicates the customer segment of the service.

Data Center Identifier for the region where a service or host is used or deployed.

Cross-Ref-SKU Cross-reference identifier.

Description Description of the service.

Price Billed price.

Usage Total usage.

Effective Usage Billed usage.

What to do next

n You can filter reports by searching for a string using the filter button in each column of the report table.

n You can view your payment method details.

How do I remove a tenant organizationIf you no longer have to manage a tenant organization, you can remove it from your list of tenants.

Make sure that the tenant organization you are removing has no active subscriptions. You cannot deactivate tenants with active SDDCs.

Prerequisites

You have the Provider Administrator or Provider Operations Administrator role within your master organization.

Procedure

1 Click Tenant Management.

2 Select the organization you want to remove, and click Remove Tenant.

A pop-up window appears, prompting you to confirm the operation.

3 Click Confirm.

Results

The tenant organization is removed from the list of tenants, and all users part of the organization can no longer access it.

What to do next

Repeat these steps for all tenant organizations you want to remove.


VMware, Inc. 17

How do I manage support for my tenantsIn the Managed Service Provider (MSP) program, you own the Terms of Service and support for your end customers. While VMware’s support teams are available for technical support escalations, your end customer would never contact VMware directly, and you can choose whether to use the VMware brand in your customer interactions. In this way, you can seamlessly extend your service offerings while the customers work exclusively with you.

While VMware provides technical assistance escalations during and after deployment, you provide support and deliver managed services for your end customers.

End Customer

Support

Managed ServiceProvider (MSP)

Support

Business & Operations Technical & Non-Technical

VMware Cloud Provider MSP Operations1. [email protected] 2. Commerce Portal support request

• Eligibility & certifications• Presale partner setup• Contract setup and access• Commerce portal• Invitation and onboarding

VMware Global Support Services (GSS)Cloud Provider Hub support request or chatRaise GSS support request

• Production Support • Technical and Product support• Post sales tech support• Subscription creation • Order and provisioning status • Billing and usage

Business and Operations supportFor support for any non-technical issues, please contact the VMware Cloud Provider MSP Operations team at [email protected].

These might include questions regarding the MSP program, partner requirements and eligibility criteria, certification, contract setup, access to the ordering tool and VMware Cloud Provider Commerce Portal.


VMware, Inc. 18

mailto:[email protected]

Technical and non-technical product supportFor technical and product support in Cloud Provider Hub, partners have two options to contact VMware’s Global Support Services (GSS):

n Open a support ticket through the Support Center menu of Cloud Provider Hub. See How do I create a support request on behalf of a tenant.

n Contact VMware technical support through the chat functionality available in console. See How do I contact VMware technical support through the chat functionality.

Service supportTechnical support for services is offered through VMware’s Software-as-a-Service (SaaS) Production Support.

VMware SaaS Production Support is designed with your access to SaaS products in mind. Our global support centers work around the clock to ensure that you have access to the product from your web browser anywhere and at all times. VMware handles software deployment and maintenance, allowing you to focus on running your business.

n Global, 24/7 support for Severity 1 issues

n Fast response times for critical issues

n Unlimited number of support requests

n Online access to documentation and technical resources, knowledge base, discussion forums

n SaaS updates

To contact GSS Support, visit https://www.vmware.com/support/contacts.html.

Additional information about our support policies and offerings can be found in our Technical Support Welcome Guide.

Support roles and responsibilitiesAs a participating partner, you own the terms of service (ToS) with your customers and must include support and managed services on top of the cloud products purchased from VMware.

Partner support responsibilitiesPartner is responsible for all End User support, which includes but is not limited to End User communication, any managed services provided by Partner, and End User education questions related to the different components of the Subscription Services offering.

Partner is responsible for:

n Answering installation, configuration, and usage questions.

n Problem isolation and identification.

n Determination if the problem is documented in VMware publications for known problem resolutions.


VMware, Inc. 19

https://www.vmware.com/support/contacts.html

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/tech-support-welcome-guide.pdf

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/tech-support-welcome-guide.pdf

n Attempting to recreate a customer’s problem and providing an acceptable resolution or workaround.

VMware support responsibilitiesVMware will provide support for the Partner as it relates to the Subscription Services platform and any design engineering knowledge related to the platform or VMware Software to isolate a problem with the Platform or Software and effect a resolution.

Any escalated issues that are determined to be caused by a piece of the infrastructure under Partner’s area of responsibility will be escalated back to Partner through an agreed process.

Authorized technical contactsYour authorized technical contacts must be knowledgeable about the VMware SaaS offering and your technical environment to work with VMware to analyze and resolve support requests. They are responsible for engaging VMware technical support and monitoring the resolution of all support requests and escalated support issues.

You are required to establish and maintain processes as necessary to manage first-line support for users of the SaaS offerings within your organization. If after reasonable efforts you are unable to diagnose or resolve the error(s), your authorized technical contact(s) can contact VMware for technical support through phone or web and assign the correct severity.

Response timesVMware is committed to rapid response of all support requests. All Severities can be logged with VMware on a 24 hours per day, 7 days per week, 365 days per year basis through phone or web. All support requests can be tracked online by the authorized technical contact who opened the support request. VMware does not guarantee resolution times, and a resolution might consist of a fix, workaround, service availability, or other solution VMware deems reasonable.

For SaaS Support target response times and severity definitions, visit https://www.vmware.com/support/policies/saas-support.html.

How do I create a support request on behalf of a tenantAs a Service Provider with the applicable role, you are responsible for all tenant organizations support. You create support requests from the Support Center menu and issue them directly to VMware.

You can open and manage support tickets for all organizations, independently of which organization you are currently in. You issue your support requests to VMware.

Prerequisites

n You have the Provider Administrator, Provider Operations Administrator, or Provider Support User role. As a Provider Account Administrator user, you can also create requests but only for the tenant organizations to which you are assigned.

Procedure

1 In the Cloud Provider Hub portal, select Support Center.


VMware, Inc. 20

https://www.vmware.com/support/policies/saas-support.html

https://www.vmware.com/support/policies/saas-support.html

2 Search the knowledgebase by entering keywords, or selecting from the predefined ones.

3 If you cannot find an answer to your question, click Create Support Request.

4 Fill in the form with the required information. You must provide a description of the issue, severity of the issue, contact information, time zone, and select a Category for the issue.

Important It is crucial that you select the right Category for the issue:

n For technical issues with any of the provisioned services, select the affected service.

n For other Cloud Provider Hub related issues, select the corresponding category of the issue - Billing and Usage, Service Management, or User Management.

n For non-technical Cloud Provider Hub related issues, select VMware Cloud Provider Hub.

5 Click Submit.

Results

The support ticket appears in the Support Requests table.

What to do next

You can filter your submitted support requests by:

n Using the drop-down menu to view only the open requests, all requests, the open requests from your organization, or all requests from your organization.

n Entering strings in the Org and Provider Internal Ticket ID column headers of the Support Requests table.

How do I contact VMware technical support through the chat functionalityFor technical and product support, you can contact VMware technical support through the chat functionality in Cloud Provider Hub.

Prerequisites

You have the Provider Administrator, Provider Operations Administrator, or Provider Support User role within your master organization.

Procedure

1 To open the help panel, click the button on the Cloud Provider Hub toolbar.

2 To start chatting with VMware technical support, click Chat with VMware Support at the bottom of the help panel.

Results

You have successfully contacted VMware technical support through the chat functionality in Cloud Provider Hub.


VMware, Inc. 21

How do I view the VMware Cloud on AWS SDDC maintenance schedule of my tenantsYou can view the VMware Cloud on AWS SDDC maintenance schedule of your tenants from your master organization.

Viewing the SDDC maintenance schedule of your tenants can help you stay informed and raise concerns if patching overlaps with business critical activities.

Prerequisites

You have the Provider Administrator or Provider Operations Administrator role within your master organization.

Procedure

1 On the Cloud Provider Hub toolbar, click Administration.

2 To view the maintenance activities table, click Maintenance Activities.

3 (Optional) Filter displayed patches using the filter buttons located inside the table's column headers.

4 (Optional) To hide completed patches from the table, select the Hide Completed Events check box.

5 (Optional) To view more details about a specific patch, click a link in the Patch Description column of the table.

You are redirected to the VMware Cloud on AWS maintenance page.

Results

You view the VMware Cloud on AWS SDDC maintenance activities of your tenants.

The Maintenance Activities table shows a record of the maintenance events in the past two months. Patches older than two months are deleted from the table.


VMware, Inc. 22

How do I manage tenants as a tenant administrator 6As a Tenant Administrator you have the highest level of permission in your tenant organization. You can add new users and manage their service and organization roles. You and users with the Tenant Billing User role can also view the consumed usage of your organization.


n How do I manage user roles in tenant organizations

n How do I view the usage of my tenant organization

How do I manage user roles in tenant organizationsAs a Tenant Administrator or a Service Provider with an applicable role, you add tenant users to a tenant organization and manage their role-based access to the organization's services and resources.

Prerequisites

You have the Provider Administrator, Provider Operations Administrator, or Tenant Administrator role. As a Provider Account Administrator you can also manage tenant users but only in the tenant organizations to which you are assigned.

Procedure

1 In the Cloud Provider Hub portal, click Identity & Access Management.

2 Click Add User.

3 In the Email Addresses text box, enter the email address of the user you want to add to your organization.

You can add more than one user at a time.

4 From the Role in organization drop-down, select the organization role of the user.

5 If you are assigning the Tenant User or Tenant Billing User, select Add Service Access.

Users with the Tenant Administrator role are automatically granted the organization's level of access to provisioned services.

6 The first service that appears in your list of services is selected. To change the service, click the downward arrow next to the service name, and scroll the list of services in the organization.

7 From the Roles in service drop-down menu, select the service role of the tenant user.

VMware, Inc. 23

8 Click Add.

Results

If a user has VMware ID set up with their email, they are immediately added to the organization and appear in the Active Users tab.

If a user does not have VMware ID set up with their email address, they receive an invitation to create a VMware ID and join the organization. You can view the status of current invitations in the Pending Invitations tab, from where you can also revoke invitations sent by mistake, or resend expired invitations. Invitations expire after seven days.

What to do next

n You can modify user roles through the Edit Roles option.

n You can permanently remove users from your organization through the Remove Users option.

Note Do not add users through the SDDC page of VMware Cloud on AWS. Users you add that way cannot access Cloud Provider Hub and cannot be managed within the Cloud Provider Hub UI.

How do I view the usage of my tenant organizationAs a Tenant Administrator or Tenant Billing User, you view the consumed service usage of your tenant organization from the Usage menu of the Cloud Provider Hub tenant portal.

You can access a record of the consumed cloud services by your tenant organization. The usage report collects services usage data from current and previous months. Monthly usage of previous months generates on the fifth day of the next month, and current monthly usage is available from the first day of every month.

Note At this time, current monthly usage is displayed only for VMware Cloud on AWS host, Elastic vSAN, and EBS usage.

Prerequisites

n You have the Tenant Administrator or Tenant Billing User role.

Procedure

1 In the Cloud Provider Hub portal, click Usage.

2 From the drop-down menus, select a usage period.

3 Click View.

Results

The usage report appears in the report table with an option to download it in CSV format.


VMware, Inc. 24

Table 6-1. Usage Report Details


Service Name of the service.

Product Family Product Family identifier.

SKU Name Unique identifier for each SKU. Different for every service and data center.

Customer Segment Indicates the customer segment of the service.

Data Center Identifier for the region where a service or host is used or deployed.

Cross-Ref-SKU Cross-reference identifier.

Description Description of the service.

Price Billed price.

Usage Total usage.

Effective Usage Billed usage.

n You can filter reports by searching for a string using the filter button in each column of the report table.

n You can view your payment method details.


VMware, Inc. 25

How do I manage add-on services 7You can provide and manage add-on services offered by other services. You can either provide them for your tenants, or you can use them in your master organization. You manage add-on services individually, like you manage other services.

How do I provision add-on services for my tenants?When you provision a service that offers add-on services, all add-on services also become available in the Cloud Provider Hub tenant portal, under Services Provisioned for You. Then, you manage How do I manage service access for a tenant organization and How do I manage user roles in tenant organizations to the add-on services individually, as you do for the rest of the services. All Tenant Administrator users inherit the tenant-level service roles granted to their organization for a given add-on service.

How do I use add-on services in my master organization?When you sign a commit contract for a service that offers add-on services, all add-on services are also made available to your master organization, under Services Provisioned for You.

How is add-on service usage calculated and reported?Depending on the type of add-on services, usage is calculated in one of three ways.

If... Then...

Add-on services are in trial or free Usage is not reported or shown.

Add-on services are upgraded to paid tier Usage is calculated against the commit contract of the service which offers the add-on service.

Separate commit contracts are signed for the add-on services Usage is calculated against the add-on service commit contract.

VMware, Inc. 26

How do I test services in trial mode 8You can test some VMware Cloud services for a trial period without signing a commit contract for them and without being billed for the usage in their trial period. You can only use trial services in your master organization.

How do I enable a service in trial mode?In the Services tab of the Cloud Provider Hub portal, you see some services under Services Available for Provisioning for which you have not signed a commit contract. Clicking Open on one of these services, you have the option to enable that service for a trial period in your master organization.

By enabling a service in trial mode, you have full access to the functionalities of that service but you are not billed against the usage in its trial period.

If you want to continue using a service once the trial period ends, you have to sign a commit contract for it in VMware Cloud Provider Commerce Portal.

Can I provision trial services for my tenants?No, you can only use trial services in your master organization. To start provisioning a service for your tenants, you have to sign a commit contract for it.

Which services can I test in trial mode?As of now, you can only enable trial mode for the services that are part of the VMware vRealize Automation Cloud bundle - VMware Cloud Assembly, VMware Service Broker, and VMware Code Stream.

VMware, Inc. 27

How do I edit my user profile 9You can change your user profile information from Cloud Provider Hub or by logging in to your My VMware account at https://my.vmware.com. When you modify your details in the Cloud Provider Hub portal, the changes that you make are saved to your My VMware account, and vice versa.

Procedure

1 In the Cloud Provider Hub portal, click your user name and click My Account.

2 On the Profile page, make your changes, and click Save.

Results

Your My VMware account information is updated.

VMware, Inc. 28

https://my.vmware.com

How do I generate API tokens 10You use API tokens to authenticate yourself when you make authorized API connections. Previously called an OAuth Refresh token, an API token authorizes access per organization.

You can generate more than one API token. A token is valid for a set period that you configure. You must then regenerate the token if you want to continue using APIs that rely on it. If you think that a token has been compromised, you can revoke the token to prevent unauthorized access. You can generate a new token to renew authorization.

API tokens are scoped within individual organizations. To manage a tenant organization using the API, you have to generate an API token within that organization.

Procedure

1 On the VMware Cloud Provider Hub toolbar, click your user name and select My Account > API Tokens.

2 Click Generate Token.

3 Enter a name for the token, select the expiration period, and click Generate.

A Token Generated pop-up window appears. You can copy, download, and print the token.

4 Click Continue.

After you click Continue you can no longer retrieve this token, so store it somewhere safe where you can access it.

Example: Using an API token to interact with VMware Cloud Provider Hub APIsTo use VMware Cloud Provider Hub APIs, you must exchange the generated token for an authentication token.

1 Generate an API token.

2 Exchange the API token for an authentication token by performing a POST request to /cphub/api/auth/v1/authn/accesstoken with "refreshToken" : "your_api_token" in the body of the request.

You must set the Content-Type header of this POST request to application/json.

3 Use the received authentication token in the csp-auth-token header in your script's HTTP calls.

VMware, Inc. 29

For information about using VMware Cloud Provider Hub APIs, refer to the VMware Cloud Provider Hub API Programming Guide.

What to do next

You can revoke a specific token by clicking the Revoke button of that token, or revoke all tokens by clicking the Revoke All Tokens button.


VMware, Inc. 30

How do I set up federated identity management for my tenants 11You can set up a federated identity for the corporate domains of tenant organizations that you manage. Federated tenants can use their organization's' single sign-on and identity source to sign in to VMware Cloud Provider Hub. Federated tenants can also set group permissions to the organization and its services by assigning organization and service roles to enterprise groups.

How do I set up federation for my tenants?To set up federation for your tenant's corporate domain, you file a support ticket, indicating that a tenant of yours wants to be federated. The customer success team works with you and the contact from the tenant organization you provided to federate the corporate domain of the tenant. If you are a tenant and want to federate your corporate domain, contact your service provider.

What's involved in setting up a federated identity?As a tenant, you set up federated identity with the VMware Identity Manager service and the VMware Identity Manager connector, which we provide at no additional charge.

1 Download the VMware Identity Manager connector and configure it for user attributes and group sync from your corporate identity store. Note that your user passwords are not synched.

2 Configure your corporate identity provider instance using the VMware Identity Manager service.

3 Register your corporate domain.

4 Onboard the tenant users to their federated Cloud Provider Hub domain.

To ensure the smooth onboarding of all tenant users, you and the tenant administrators must carry out certain tasks. As a service provider, you must either create a new tenant organization and add at least one tenant administrator to it, or you must add at least one newly federated tenant administrator to their existing tenant organization. As a tenant administrator, you must then add all newly federated tenant users, individually or through enterprise groups. After that, all tenant users use their corporate credentials and single sign-on service to log in and authenticate to Cloud Provider Hub and its services.

VMware, Inc. 31

Why do my existing tenant users appear grayed out after federation?All existing tenant users appear grayed out because they can no longer authenticate to VMware Cloud Provider Hub with their VMware ID credentials. After federation, their emails are now associated with the newly federated corporate domain and not with their old VMware ID. To access VMware Cloud Provider Hub directly with their corporate credentials, all federated users must first be added anew, individually or through enterprise groups, even if their emails match those of their previously used VMware ID. Then, users can link their VMware IDs to restore all previously held service and organizational roles in VMware Cloud Provider Hub.

Can I set up a federated identity for my master organization?No. As of now you can only federate the corporate domains of tenant organizations.


n How do I manage enterprise groups

n How do I onboard new tenants to their federated organization as a Service Provider

n How do I onboard existing tenants to their newly federated organization as a Service Provider

n How do I onboard tenant users to a newly federated tenant organization as a Tenant Administrator

n How do I link my VMware ID

How do I manage enterprise groupsYou assign roles to enterprise groups and give them access to your organization's services. You can assign roles to more than one enterprise group at a time, as well as edit or remove group roles.

You assign two kinds of roles to enterprise groups:

n A role within the organization. To see the privileges assigned to every role, see Roles and permissions.

n A role within the cloud services provisioned to you. Each cloud service has its own specific roles. For more information, refer to the documentation of the relevant VMware Cloud service.

Prerequisites

n Your organization is set up with federated identity management.

n You have the Tenant Administrator, Provider Administrator, or Provider Operations Administrator role within the organization.


VMware, Inc. 32

Procedure

1 Navigate to the tenant portal of the tenant you want to manage, and select Identity & Access Management.

2 Select Enterprise groups and click Assign Roles To Enterprise Groups or Assign Roles.

You are redirected to the Enterprise Group Role Assignment page.

3 In the search text box, enter the name of the enterprise groups you want to add, select the Role in organization and Roles in service you want to assign to them, and click Assign.

Results

You see all added enterprise groups in the Enterprise groups tab, and all users part of groups in the User Management tab, marked with a group icon next to their organization roles.

What to do next

To... Do this...

View the list of members in a group As a Tenant Administrator, click on the Member Count of a group.

Remove all roles assigned to a group Select the group, and click Remove Access.

Edit the roles assigned to a group Select the group, and click Edit Roles. You can edit the roles of one group at a time.

How do I onboard new tenants to their federated organization as a Service ProviderTo onboard new tenants with federated identity management set up, you must create a new tenant organization for them with at least one Tenant Administrator user in it. You can also add an enterprise group and assign the Tenant Administrator role to the group.

The onboarding of tenant users and enterprise groups is then done by the Tenant Administrator users, after you onboard them to the newly created organization.

Prerequisites

n You have the Provider Administrator or Provider Operations Administrator role.

n The to-be-created tenant organization has federated identity management set up.

Procedure


2 Click Add Tenant.


VMware, Inc. 33

3 Enter the details for the new tenant organization, and click Add.

Important You must enter the Domain Name the tenant federated with so that VMware Cloud Provider Hub discovers the federation.

The new tenant organization appears in the Tenant Management tab with an icon signifying its domain is federated.

4 From the tenant portal, add Tenant Administrator users individually or through enterprise groups. See How do I manage user roles in tenant organizations and How do I manage enterprise groups.

Results

The federated Tenant Administrator users are successfully onboarded to Cloud Provider Hub, and can now log in with their corporate credentials.

What to do next

As a Tenant Administrator user, proceed with adding users and assigning roles to enterprise groups. To access Cloud Provider Hub directly with their corporate credentials, all newly federated users must first be added manually to the organization by the tenant administrators.

How do I onboard existing tenants to their newly federated organization as a Service ProviderWhen an existing tenant that you manage is set up with federated identity management, you must first add at least one newly federated Tenant Administrator user to it. You can also add an enterprise group and assign the Tenant Administrator role to it.

The onboarding of tenant users is done by the tenant administrators, after you assign the Tenant Administrator role to their now-federated accounts.

Prerequisites

n You have the Provider Administrator or Provider Operations Administrator role.

n An existing tenant organization that you manage is set up with federated identity management.

Procedure

1 Navigate to Tenant Management.

2 To verify that an organization is successfully federated, select the tenant and click Discover Federation.

If the tenant's domain is federated, a federation icon appears next to the domain name.

3 Select the tenant organization and click Manage Services.

You are redirected to the tenant portal of the organization.


VMware, Inc. 34

4 Navigate to Identity & Access Management.

Important All existing tenant users appear grayed out because they can no longer authenticate to Cloud Provider Hub with their old VMware ID credentials. You and the tenant administrators must add all newly federated users anew, even if their emails match those of their VMware IDs.

5 Add Tenant Administrator users individually or through enterprise groups. See How do I manage user roles in tenant organizations and How do I manage enterprise groups.

Results

All added tenant administrators with the Tenant Administrator role can now log in to Cloud Provider Hub directly with their corporate credentials.

What to do next

As a tenant administrator, proceed with adding users and enterprise groups to your organization.

How do I onboard tenant users to a newly federated tenant organization as a Tenant AdministratorYou must add all federated users to your newly federated tenant organization in order for them to access Cloud Provider Hub directly with their corporate credentials. You can either add them as enterprise groups, or you can add individual users, and assign roles to them.

Prerequisites

n Your organization is set up with federated identity management.

n You have the Tenant Administrator role within the organization.

Procedure

1 Navigate to Identity & Access Management.

All existing tenant users appear grayed out because they can no longer authenticate to Cloud Provider Hub with their old VMware ID credentials. You must add all newly federated users manually, even if their emails match those of their VMware IDs.

2 Add tenant users individually or through enterprise groups. See How do I manage user roles in tenant organizations and How do I manage enterprise groups.

Results

All users that you add individually or through enterprise groups are now able to access Cloud Provider Hub directly with their corporate credentials.


VMware, Inc. 35

What to do next

n If you or a tenant user are missing any of your previous service or organizational roles, you can link your VMware ID to restore them.

n You can remove old VMware ID users from the User Management tab by selecting them and clicking Remove Users.

How do I link my VMware IDIf you want to restore all organizational and service roles you held before federated identity management was set up for your organization, you can link your old VMware ID to your federated account.

Prerequisites

n Your corporate domain is federated and you access Cloud Provider Hub with your corporate credentials.

Procedure

1 In the Cloud Provider Hub portal, click your user name and select My Account.

2 In the Profile tab, click Link VMware ID.

You are prompted to confirm the link by logging with your VMware ID.

Results

Your VMware ID is linked and all former service and organizational roles are transferred to your federated account.


VMware, Inc. 36

How do I secure my account using multi-factor authentication 12Multi-factor authentication (MFA) is a security enhancement that requires you to present two pieces of evidence - your credentials - upon signing in. These credentials can be something you know such as your password, and something you have such as an application that generates a one-time passcode. MFA helps protect access to data and applications by adding an extra layer of security.

You have probably already used MFA in some form or another. For example, if you logged into a website that sent a code to your mobile device which you used to gain access to your account.

To secure your cloud account with MFA, you download an authentication application to your mobile device. This creates a virtual MFA device. The application generates a six-digit authentication code that is compatible with the time-based, one-time password standard. You use this code together with your VMware ID and password to log in to cloud services.

How do I?

Activate my MFA device. 1 Click your user name on the menu, and select My Account > Security.

2 Click Activate MFA Device, and follow the instructions to set up your device.

3 MFA is turned on automatically. The next time you sign in, use your VMware ID and password, and an authentication code generated by the app.

Turn off MFA so I sign in with my VMware ID and password only. 1 Click your user name on the menu, and select My Account > Security.

2 Click the MFA is turned on toggle key.

Turn off MFA when I can't sign in with my MFA passcode. 1 On the sign in page, click Troubleshoot MFA.

2 Click Contact Support, and request help in turning off MFA.

Deactivate my MFA device. 1 Click your user name on the menu, and select My Account > Security.

2 Click Deactivate MFA Device.

Note You are provided with a list of one-time recovery codes upon registering a virtual MFA device. Keep these recovery codes somewhere safe and use them to sign in if you cannot access your MFA device.


n What two-factor authentication application can I use

VMware, Inc. 37

What two-factor authentication application can I useVMware Cloud Provider Hub supports the following two-factor authentication applications.

You can download the authenticator for your device by clicking the appropriate link below.

Device Authentication application

iOS n Google Authenticator. See, https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8.

n Duo Mobile. See, https://duo.com/product/trusted-users/two-factor-authentication/duo-mobile.

Android n Google Authenticator. See, https://support.google.com/accounts/answer/1066447?hl=en.


Windows phone n Authenticator. See, https://www.microsoft.com/en-us/store/p/authenticator/9wzdncrfj3rj?rtc=1.


Blackberry Google Authenticator

See, https://support.google.com/accounts/answer/1066447.

For more information about virtual MFA applications, see https://tools.ietf.org/html/rfc6238.


VMware, Inc. 38

https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

https://duo.com/product/trusted-users/two-factor-authentication/duo-mobile


https://support.google.com/accounts/answer/1066447?hl=en

https://support.google.com/accounts/answer/1066447?hl=en



https://www.microsoft.com/en-us/store/p/authenticator/9wzdncrfj3rj?rtc=1

https://www.microsoft.com/en-us/store/p/authenticator/9wzdncrfj3rj?rtc=1



https://support.google.com/accounts/answer/1066447

https://tools.ietf.org/html/rfc6238

How do I manage additional master organizations as a Service Provider 13As a Service Provider with the Provider Administrator role, you can create additional master organizations alongside your master organization. Additional master organizations share the commit contracts of your master organization but operate as separate entities, managing their own user access, tenants, and service usage.

Additional master organizations have access to all VMware Cloud Provider Hub functionalities, except for creating their own additional master organizations.

Only the usage of additional master organizations and their tenants is displayed in additional master organizations. Similarly, your master organization displays only your usage and the usage of your tenants, excluding the usage of any additional master organizations alongside your master organization.

How can additional master organizations help my business modelCreating additional master organizations alongside your master organization can be helpful if you have entered a partnership with another organization. You might want to separate your tenants from the tenants of the partner organization without changing your current commit contract consumption model.

Another possible scenario is to use additional master organizations for testing purposes. You can have a safe environment to iterate and develop changes, without impacting your live customer environment.

Onboarding users to additional master organizationsAs the creator of a new additional master organization, you are the only user in it initially. Only you can access the organization and manage its users, tenants, and services. To grant management rights to other users, you add new users with the Provider Administrator role to the additional master organization. You can add Provider Administrator users from your own master organization or add new users external to your master organization.

After you add more Provider Administrator users to the additional master organization, they can access it and manage it as you manage a regular master organization.


n How do I add additional master organizations to my master organization

n How do I onboard Provider Administrator users to an additional master organization

VMware, Inc. 39

n How do I edit the details of additional master organizations

How do I add additional master organizations to my master organizationYou can add additional master organizations to your master organization.

Prerequisites

You have the Provider Administrator role.

Procedure

1 In the VMware Cloud Provider Hub portal, click Administration.

2 Click Add Organization.

3 Enter the name of the organization, select the country, and enter the Zip Code.

4 (Optional) Enter a tag for the organization.

5 To create the additional master organization, click Add Organization.

Results

The new master organization appears in the list of additional master organizations in the Administration tab. As the creator of the additional master organization, you are the only user in it at first. Only you can access the organization and manage its users and services, before adding more users with the Provider Administrator to it.

How do I onboard Provider Administrator users to an additional master organizationTo grant management rights to other users in an additional master organization that you created, you add new users to the organization and assign the Provider Administrator role to them. The users that you add can be part of your master organization or can be external to it.

Prerequisites

You are the Provider Administrator user that created the additional master organization.

Procedure


2 From the list of additional master organizations, select the additional master organization that you created, and click Manage Services.

3 To navigate to the portal of the additional master organization, click Continue.

4 Click Identity & Access Management.

5 Click Add Users.


VMware, Inc. 40

6 Enter the email addresses of the users you want to grant management rights, select the Provider Administrator role, and click Add.

Results

If a user has VMware ID set up with their email, they are immediately added to your organization and appear in the Active Users tab.

If a user does not have VMware ID set up with their email, they receive an invitation to create a VMware ID and join the organization.

After the Provider Administrator users join the additional master organization, they can manage it as you manage a regular master organization.

What to do next

You can view the status of current invitations in the Pending Invitations tab. You can also revoke invitations sent by mistake, or resend expired invitations. Invitations expire after seven days.

How do I edit the details of additional master organizationsYou can edit the details of additional master organizations in which you have administrator rights. You can edit the name, country, Zip Code, and tags of additional master organizations.

Prerequisites

You are a Provider Administrator user in the additional master organization which you want to edit. You can see the email addresses of Provider Administrator users in the organization from the Administration tab.

Procedure


2 Select the additional master organization which you want to edit and click Edit Organization.

3 Make your changes and click Edit Organization.

Results

The details of the additional master organization are updated.


VMware, Inc. 41

using vmware cloud provider hub as a service provider ......vmware saas production support is...

Documents