How-to: Configuring and Using Prism Self Service in Prism Central on Nutanix AOS 5.5

The Prism Self Service (PSS) feature represents a special view within Prism Central. While Prism Central enables infrastructure management across clusters, PSS allows end-users to consume that infrastructure in a self-service manner. PSS is only supported on AHV clusters at this time.

This lesson will show you how to configure PSS, which will include performing the following tasks:

  • [Prism Central Administrator] Configure Prism Self Service by importing users and groups from an Active Directory and adding a self-service administrator account.
  • [PSS administrator] Create a project for each team that needs self-service and add Active Directory users and groups to the projects.
  • [PSS administrator] Configure roles for project members.
  • [PSS administrator] Publish VM templates and images to the catalog.
  • [PSS administrator] Create VMs as needed and assign them to project members as appropriate. You can also allow project members to create their own VMs.

Additional information is also covered in the Prism Self Service Administration Guide, located on the Nutanix portal here: https://portal.nutanix.com/#/page/docs/details?targetId=SSP-Admin-Guide-v55:ssp-ssp-overview-for-ssp-admin-c.html

Requirement: Set Up Prism Central Authentication

Before proceeding with this guide, please make sure you have Active Directory authentication set up for your Prism Central instance.

If you do not have authentication set up, please follow the How-To located at the following link before proceeding:
https://www.virtualdennis.com/how-to-configure-prism-central-authentication-with-active-directory-on-nutanix-aos-5-5/

Configure Prism Self Service Admins

In order to use Prism Self Service, we will need to configure Prism Self Service Admins. These may or may not be the same as Prism Central administrators, depending on your environment. In my examples for this article, I am making those match, meaning the Prism Central Admin(s) are also the Self Service Admin(s).

To start the configuration, click on the "Gear icon" (1) in Prism Central, then click on the "Self-Service Admin Management" option (2).

To begin the Self-Service Admin management wizard, choose the domain name from the dropdown list (1), then enter a domain service account that has domain permissions to query the domain (2). Then click on the "Next" button to continue.

Next, add domain users, groups or OUs as Self Service Administrators by clicking on the "+Add Admins" button.

Caution: Self-service administrators have full access to all VMs running on the Nutanix cluster, including infrastructure VMs not tied to a project. Self-service administrators can assign infrastructure VMs to project members, add them to the catalog, and delete them even if they do not have administrative access to Prism Central. Consider these privileges when appointing self-service administrators, and make sure to communicate to self-service administrators the need to exercise caution when working with infrastructure VMs.

When you start typing the name of a user, group or OU (1), it will be auto-completed by querying Active Directory (2), which will make it easier to select what you want.

Enter the users, groups or OUs that you wish to have as Self Service Administrators, then click on the "Save" option next to the Name field (1). Once you have entered all of them, click on the "Save" button (2).
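Because a group or OU added here hands every account inside it the privileges described in the caution above, it helps to expand the nomination into individual accounts before saving. The following is an added example, not part of the original article or of any Nutanix tooling: it walks a constructed directory snapshot and lists who would end up a Self Service Administrator, through which path, and whether they are also a Prism Central admin. The group, OU and account names (other than "dennis") are made up, and it assumes nested group membership is honoured.

```python
# Constructed directory snapshot (sample data, not from a real domain).
# Group -> direct members (users or other groups); OU -> accounts it contains.
GROUPS = {
    "PSS-Admins": ["dennis", "Virt-Team"],
    "Virt-Team": ["alice", "Contractors"],
    "Contractors": ["bob", "Virt-Team"],  # nesting loop: must not hang the walk
    "PC-Admins": ["dennis", "alice"],     # hypothetical Prism Central admin group
}
OUS = {"OU=HelpDesk": ["carol", "svc-backup"]}


def expand(principal, path=(), seen=None):
    """Return {user: containers walked} for a nominated user, group or OU."""
    seen = set() if seen is None else seen
    if principal in seen:          # already visited: breaks group-nesting loops
        return {}
    seen.add(principal)
    if principal in OUS:
        return {user: path + (principal,) for user in OUS[principal]}
    if principal not in GROUPS:    # neither group nor OU: treat as a user account
        return {principal: path}
    found = {}
    for member in GROUPS[principal]:
        for user, via in expand(member, path + (principal,), seen).items():
            found.setdefault(user, via)
    return found


def audit(nominated, pc_admin_group):
    """Expand every nominated principal and mark who is also a Prism Central admin."""
    pc_admins = set(expand(pc_admin_group))
    effective = {}
    for principal in nominated:
        for user, via in expand(principal).items():
            effective.setdefault(user, via)
    return {
        user: {"via": " > ".join(via) or "direct", "pc_admin": user in pc_admins}
        for user, via in sorted(effective.items())
    }


def beyond_pc_admins(report):
    """Accounts that gain full VM access without Prism Central admin rights."""
    return [user for user, info in report.items() if not info["pc_admin"]]


if __name__ == "__main__":
    report = audit(["PSS-Admins", "OU=HelpDesk"], "PC-Admins")
    for user, info in report.items():
        print(f"{user:12} via {info['via']:40} pc_admin={info['pc_admin']}")
    print("Review before saving:", beyond_pc_admins(report))
```
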

Sign Out of Prism Central

Let’s sign out of Prism Central so that we can see the latest permissions and Prism changes now that we have enabled Self Service.

To sign out, click on the user icon in Prism Central (1), then click on the "Sign Out" option (2).

Log Into Prism Central with a Self Service Administrator

Next, log back into Prism Central using a user that was included as a Prism Self Service administrator. In my example, I’m using my "dennis" domain account as it is included in the group that I assigned as a Prism Self Service Administrator.

Now that you are logged in as a Self Service Administrator, you will see some additional Administration menu options under the "Explore" (1) menu. This is where you can set up Self Service Projects and corresponding Roles and Users (2).

Creating and Reviewing Roles

A role is a set of permissions assigned to a Self Service user which will dictate what they can and cannot see within Prism Central. Several default roles are included, so be sure to review the permissions of these roles to see if they might fit your use case.

To review the roles already set up, click on the "Explore" menu option (1), click on "Roles" (2), then you can click on any of the default roles to review their permissions (3).

You can also create your own role by clicking on the "Create Role" button (4).

Available Permissions When Creating a Role

To give you an idea of what permissions are available when creating your own role, please review the below screenshot which outlines what type of permissions can be assigned to a Self Service user.

Creating a Project

A project defines a set of users with a common set of requirements or a common function, such as a team of engineers collaborating on an engineering project. The project also specifies the roles to associate with its members, which networks they can use, and optionally, usage limits on infrastructure resources.

To create a Project, click on the "Explore" menu option (1), then click on "Projects" under the Administration entity (2), then click on the "Create Project" button (3).

Type in a name for the Project (1). Choose which AHV cluster this project is assigned to (2). Click on the "+User" button to add Active Directory users or groups to the project (3). If you would like each user to be able to see and interact with all of the other VMs and Apps within the project, check the box labeled "Allow Collaboration" (4). Next, choose any networks that this project can use (5).

When adding Active Directory users or groups to the project in the previous step (labeled #3), you can add multiple users or groups by typing in the first few letters of the name, which will then show an autocomplete list which you can select from (1). Then choose the role for the user/group you are adding (2) and click on the "Save" option (3). You can add multiple users/groups as needed.

The final area within creating a project is quotas. This is an optional setting which allows you to place limits on resources available to the users on this project. To enable quotas, check the box next to "Quotas" and enter the limits that you would like enforced. Projects will not be allowed to consume more resources than what is entered here.

Click on the "Save" button to save the project.

The project you just created will be shown in the Project list. Mine took 10-15 seconds to refresh and show the project, so don’t be alarmed if it takes Prism a little bit to show you the new project.

Assigning an Existing Virtual Machine to a Project

Now that we have a Project created, you can optionally assign existing virtual machines to a project. To do this, under the "Explore" menu option, click on the "VMs" entity (1). Find the VM that you want to add to a project and select the check-mark box next to it (2). Click on the "Actions" menu (3) and choose "Manage Ownership" (4) from the dropdown.

Choose the project you want to assign the VM to from the dropdown (1), then choose the user owner of the VM which will also be shown as a dropdown (2). Click on the "Save" button (3) to continue.

Adding Virtual Machines to the Catalog

The catalog is an area for storing VM snapshots and disk images. You add snapshots and images to the catalog so that project users who have permissions to create a VM can use them. Only self-service (and Prism Central) administrators can create and manage catalog items.

To add a virtual machine to the catalog, click on the "VMs" entity (1), then select the checkmark next to the VM you want to add to the catalog (2), choose the "Actions" menu (3), then select "Add to Catalog" (4).

Enter the name of the Catalog entity into the "Name" field (1). I’d suggest making this somewhat descriptive, as this name is what your Self Service users will see. You can also enter a description into the description field.

Under the Guest Customization area, you can choose to use SysPrep (for Windows) or CloudInit (for Linux) (2). If choosing SysPrep (for Windows), you can also choose to use a "Guided Setup" option (3) which will allow the user to specify certain configuration settings for the VM when they deploy the VM from the catalog.

Other various settings can be allowed under the "Authentication", "Locale" and "Hostname" options (4).

Under the "License Key" area, you can enter a license key that will be applied during the sysprep process, you can have the system prompt for a license key to be entered manually, or you can choose "No License Key".

Press the "Save" button to complete the wizard.

To view the catalog item that we just added, click on the "Explore" (1) menu, then click on "Catalog Items" entity (2). Here you will see listed the new catalog item that we added above (3).

Adding Disk Images

To add ISOs or other disk images to Prism Central, click on the "Explore" menu (1), then choose the "Images" entity (2). Click on the "Add Image" button (3).

You can add an image from your local computer by selecting "Image File" (1), or you can use the "URL" option to specify a CIFS/NFS full path to an image.

If using the "Image File" option, click on the "+Add File" link (2) to open a browse window.

Select the ISO or other disk image from your computer. In my example here, I’ve selected the Nutanix VirtIO driver ISO, since that is useful to have available.

Specify the Image Name and Image type for this image. You can also enter a description if you would like. Next, click on the "Save" button to begin the upload.

A status message will be shown at the top of the screen warning you to not refresh the screen during the upload.

A status icon at the top will turn blue, showing you an active task for the image upload. Once this task is completed, the image will be shown in the list and it will be available for use.

Adding Disk Images to the Catalog

Once the disk image is shown under the "Images" section, it is available to be used by Cluster Administrators. It will not, however, be available to Project users until you add the image to the catalog.

To add the image to the catalog, click on the "Images" entity (1), then click on the check-mark box next to the Image (2), select the "Actions" menu (3), then choose "Add Image to Catalog" (4).

Enter a name and description for the image and click on the "Save" button.

Once completed, you should see the image listed under the "Catalog Items" entity (1). Once it is listed here (2), it is available for project users through the "Create VM" workflow.

Logging In as a Project User

To show what a Project user will see, I’ll log into Prism Central as a standard domain user (called "tenant1"). In the above step, I assigned this user an existing Virtual Machine, so that should be shown when we log in.

Once logged in as a standard domain user, Prism Central will only show options that have been granted to the user via the "Roles" area of the Project. In the example below, you will see the standard user named "Tenant One" is logged in, and can only see basic virtual infrastructure options (VMs, Catalog items and Images). This user can also see the existing VM (1) that we added to this project user in the above step.

Creating a VM from the Catalog

To create a VM from the catalog (which has to be done as a project user) click on the "Explore" menu (1), then choose "VMs" under the Virtual Infrastructure entity. Click on the "Create VM" button (3) to begin the VM creation wizard.

In the wizard that is started, choose to deploy a VM from a "VM Template" or a "Disk Image". A "VM Template" is a VM that will be deployed from the catalog, including any SysPrep options applied depending on the settings you chose when you added the VM to the catalog. A "Disk Image" is an ISO or other disk format that is generally used for a new installation of a VM. Click on the "Next" button to continue the wizard.

If you chose "VM Template" in the previous screen, you will be shown any VMs in the catalog that are available to you. Click on the catalog VM you wish to use (1) and click on the "Next" button (2).

Several options are now shown under the Deploy VM step in the wizard.

Type in a Name of the VM you would like to use, and select which project the VM will be assigned to (1).

Depending on the options selected when adding the VM to the catalog, the user might be able to specify the Hostname, set the username and password (2), select the networks the VM will be assigned to (3), and choose to override the CPU and Memory allocation for the VM (4).

Once completed, click on the "Save" button to deploy the VM (5).

The list of VMs should now show your newly deployed VM from the catalog. Note that the VM will reboot after the first boot to apply any sysprep options you selected.