SUSE Manager supports the creation and management of multiple organizations within one SUSE Manager installation, allowing for the division of systems, content, and subscriptions across different organizations or specific groups. This chapter guides the user through basic setup tasks and explains the concepts of multiple organization creation and management within SUSE Manager.
The following examples detail two possible scenarios using the multiple organizations (or multi-org) feature. You may create additional organizations on your SUSE Manager and start using those organizations at whatever pace makes the most sense for you. It is a good idea to create an additional organization and use it on a trial basis for a limited set of systems/users to fully understand the impact of a multi-org SUSE Manager on your organization's processes and policies.
In this first scenario, the SUSE Manager is maintained by a central group within a business or other organization (refer to Figure 5.1, “Centralized SUSE Manager Management for Multi-Department Organization”). The SUSE Manager administrator of organization 1 (the administrative organization created during SUSE Manager configuration) treats organization 1 (the “administrative organization”) as a staging area for software and system subscriptions and entitlements.
The SUSE Manager administrator's responsibilities include the configuration of SUSE Manager (any tasks available under the Admin area of the web interface), the creation and deletion of additional SUSE Manager organizations, and the allocation and removal of software and system subscriptions and entitlements.
Additional organizations in this example are mapped to departments within a company. One way to decide at what level to divide the various departments in an organization is to think about the lines along which departments purchase subscriptions and entitlements for use with SUSE Manager. To maintain centralized control over organizations in the SUSE Manager, create an organization administrator account in each subsequently created organization so that you may access that organization for any reason.
In this example, SUSE Manager is maintained by a central group, but each organization is treated separately without relations or ties to the other organizations on SUSE Manager. Each organization may be a customer of the group that manages the SUSE Manager application itself.
While a SUSE Manager consisting of sub-organizations that are all part of the same company may be an environment more tolerant of sharing systems and content between organizations, in this decentralized example sharing is less tolerable. Administrators can allocate entitlements in specific amounts to each organization. Each organization will have access to all Novell content synced to SUSE Manager if the organization has software channel entitlements for the content.
However, if one organization pushes custom content to their organization, it will not be available to other organizations. You cannot provide custom content that is available to all or select organizations without re-pushing that content into each organization.
In this scenario, SUSE Manager administrators may want to reserve an account in each organization to have login access. For example, if you are using SUSE Manager to provide managed hosting services to external parties, you could reserve an account for yourself so that you can access systems in that organization and push content.
Regardless of which of the models above you choose for managing your multi-org SUSE Manager, the following best-practice tips can help.
It is not recommended to use the administrative organization (organization #1) for registering systems and creating users in any situation unless you intend to use SUSE Manager as a single-organization SUSE Manager or are in the process of migrating from a single-organization SUSE Manager to a multiple-organization SUSE Manager. This is due to the following reasons:
The administrative organization is treated as a special case with respect to entitlements. You can only add or remove entitlements to this organization implicitly by removing them or adding them from the other organizations on SUSE Manager.
The administrative organization is intended to be a staging area for subscriptions and entitlements. When you associate SUSE Manager with a new certificate, any new entitlements will be granted to this organization by default. In order to make those new entitlements available to other organizations on SUSE Manager, you will need to explicitly allocate those entitlements to the other organizations from the administrative organization.
If you have been issued a new SUSE Manager certificate and it contains fewer entitlements than the systems in the organizations on your SUSE Manager are consuming, you will be unable to activate this new certificate when uploading it through the SUSE Manager's web interface under Admin+SUSE Manager Configuration+Certificate, or by running the rhn-satellite-activate command. You will get an error stating that there are insufficient entitlements in the certificate.
There are a few ways you can reduce SUSE Manager entitlement usage in order to activate your new certificate. It is recommended that you evaluate each organization's entitlement usage and decide which organizations could relinquish some entitlements and still function properly. You can then contact each organization administrator directly and request that they unentitle or delete the system profiles of any extraneous systems in their organizations. If you have login access to these organizations, you can do this yourself. When logged in as a SUSE Manager administrator, you cannot decrement the entitlements allocated to an organization below the number of entitlements that organization has actively associated with system profiles.
There are some situations in which you need to free entitlements, do not have a lot of time to do so, and may not have access to each organization in order to do this yourself. There is an option in multi-org SUSE Manager that allows the SUSE Manager administrator to decrement an organization's entitlement count below their usage. This must be done while logged into the administrative organization.
For example, logged into the administrative organization, if your certificate is five system management entitlements shy of being able to cover all registered systems on your SUSE Manager, the five systems that were most recently registered with that organization will be unentitled. This process is described below:
1. In the /etc/rhn/rhn.conf file, set:
   web.force_unentitlement=1
2. Restart SUSE Manager.
3. Reduce the allocated entitlements to the desired organizations either via each organization's Subscriptions tab or via individual entitlement's Organizations tabs.
A number of systems in the organization should now be in an unentitled state. The number of systems unentitled in the organization will be equal to the difference between the total number of entitlements you removed from the organization and the number of entitlements the organization did not have applied to the systems.
For example, if you removed 10 entitlements from the organization in Step 3, and the organization has four entitlements that were not in use by systems, then six systems in the organization will be unentitled.
After you have the sufficient number of entitlements required, you should then be able to activate your new SUSE Manager certificate. Note that modifying the web.force_unentitlement variable is only necessary to decrement an organization's allocated entitlements below what they are using. If an organization has more entitlements than are being actively used, you do not need to set this variable to remove them.
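The effect of a forced reduction can be previewed before web.force_unentitlement is set. The following Python sketch is an added example, not SUSE Manager code: it models only what this section states (the number of systems unentitled is the entitlements removed minus the unused ones, and the most recently registered systems lose their entitlement first). The function name and the sample system records are constructed for illustration.

```python
from datetime import date


def preview_forced_unentitlement(systems, allocated, remove):
    """Model of the rule described in this section (not SUSE Manager code).

    systems   -- list of (system_id, registered_on) for systems in the
                 organization that currently hold the entitlement
    allocated -- entitlements currently allocated to the organization
    remove    -- entitlements the SUSE Manager administrator takes away
    Returns the system IDs that would become unentitled, newest first.
    """
    in_use = len(systems)
    if in_use > allocated:
        raise ValueError("more systems in use than entitlements allocated")
    if not 0 <= remove <= allocated:
        raise ValueError("remove must be between 0 and the allocation")
    unused = allocated - in_use
    # Only the part of the reduction not covered by unused entitlements
    # has to be taken from systems.
    shortfall = max(0, remove - unused)
    newest_first = sorted(systems, key=lambda s: s[1], reverse=True)
    return [system_id for system_id, _ in newest_first[:shortfall]]


# Constructed sample: eight entitled systems, registered one day apart.
SAMPLE_SYSTEMS = [(1000010000 + n, date(2012, 1, n)) for n in range(1, 9)]

if __name__ == "__main__":
    # 12 allocated, 8 in use (4 unused); removing 10 unentitles 6 systems.
    for system_id in preview_forced_unentitlement(SAMPLE_SYSTEMS, 12, 10):
        print(system_id)
```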
If you are issued a new SUSE Manager certificate and it has more entitlements than are being consumed on your SUSE Manager, any extra entitlements will be assigned to the administrative organization. If you log into the web interface as the SUSE Manager administrator, you will then be able to allocate these entitlements to other organizations. The previously-allocated entitlements to other organizations will be unaffected.
The Organizations Web interface allows administrators to view, create, and manage multiple organizations across SUSE Manager. Administrators can allocate software and system entitlements across various organizations, as well as control an organization's access to systems management tasks.
The Organizations page contains a listing of organizations across the SUSE Manager, with both user and system counts assigned to each organization. The Organizations page also features a Trusts page for any organizational trusts established. Refer to Section 5.6, “Organizational Trusts” for more information about establishing organizational trusts.
Clicking on an organization displays the Details page, where administrators are provided a summary of various aspects of the organization.
Active Users — The number of users in the organization.
Systems — The number of systems subscribed to the organization.
System Groups — The number of groups subscribed to the organization.
Activation Keys — The number of activation keys available to the organization.
Autoinstallation Profiles — The number of autoinstallation profiles available to the organization.
Configuration Channels — The number of Configuration Channels available to the organization.
From this page, you can delete the organization by clicking the Delete Organization link.
The Details page also contains three subtabs: Users, Subscriptions, and Trusts.
The Create New Organization page in the SUSE Manager web interface can be accessed by proceeding to Admin+Organizations+Create New Organization.
Administrators can create new organizations and assign entitlements, groups, systems, and users to the group so that organizations can perform administrative tasks on their own without affecting other organizations.
Input the Organization Name in the provided text box. The name should be between 3 and 128 characters.
Create an administrator for the organization:
Enter a Desired Login for the organization administrator, which should be between 3 and 128 characters long.
Create a Desired Password and Confirm the password.
Type in the Email for the organization administrator.
Enter the First Name and Last Name of the organization administrator.
Click the button to complete the process.
Once the new organization is created, the Organizations page will display with the new organization listed.
SUSE Manager administrators should consider reserving the administrative organization administrator account for themselves to have the option of logging into this organization for various reasons. If your SUSE Manager is configured for PAM authentication, avoid using PAM accounts for the administrative organization administrator account in new organizations. Instead, create a SUSE Manager-local account for organization administrators and reserve PAM-authenticated accounts for SUSE Manager logins with less elevated privileges in order to discourage users from frequently logging into SUSE Manager with elevated privileges, as the potential for making mistakes is higher using these accounts.
Additionally, consider creating a login name for the administrative Organization Administrator account that describes (for example,
One important task after creating a new organization is to assign management entitlements to the new organization. Management system entitlements are a base requirement for an organization to function on SUSE Manager. The number of management entitlements allocated to an organization is equivalent to the maximum number of systems that may register with that organization on SUSE Manager, regardless of the number of software entitlements available. For example, if there are 100 SUSE Linux Enterprise client entitlements but only 50 management system entitlements to an organization, only 50 systems are able to register with that organization.
You must also grant SUSE Manager tools software channel entitlements to each organization. The SUSE Manager client tools channel contains various client software required for extended SUSE Manager functionality, such as clients necessary for configuration management and automated installation support, as well as the rhn-virtualization package, which is necessary for the entitlements of Xen or KVM virtual guests to be counted correctly corresponding to the number of SUSE Linux Enterprise subscriptions to which they are associated.
Access the Subscriptions tab by clicking Admin+Organizations+Details+Subscriptions.
The Subscriptions tab has two subtabs for managing the software channel and system entitlements for the organization.
The Software Channel Entitlements Across SUSE Manager page lists all entitlements on SUSE Manager, throughout all organizations, as well as their usage. Click on an Entitlement Name for a more detailed view.
The Details subtab for the software channel entitlement contains information about the software channel access granted when subscribed to the entitlement.
The Organizations subtab allows SUSE Manager administrators to adjust the number of software channels available to each organization. Type in the number (within the range listed in Possible Values) and click the button for that organization.
Organization administrators that create a custom channel can only use that channel within their organization unless an organizational trust is established between the organizations that want to share the channel. For more information about organizational trusts, refer to Section 5.6, “Organizational Trusts”.
The Organizations subtab also contains broad usage information in the System-Wide Entitlement Usage section, including:
Total — The total number of channel entitlements for SUSE Manager.
Available — The number of entitlements currently available for allocation.
Usage — The number of entitlements currently in use by all organizations (aside from the base organization), compared to the total number of entitlements allocated.
For example, if the Total column is 100 and the Available column is 70, that means 30 entitlements are allocated for organizations. The Usage column shows how many of those 30 allocated entitlements are in use by organizations besides the base organization. So if the Usage column reads 24 of 30 (80%), that means 24 channel entitlements are distributed to SUSE Manager organizations (other than the base organization) out of 30 total allocated.
The System Entitlements Across SUSE Manager page lists all system entitlements on this SUSE Manager, across all organizations, as well as their usage. Click on the entitlement's name for more details about it.
System entitlements include Management, Provisioning, Monitoring, and Virtualization. Enter the number of allocations of each system entitlement in the text box, not to exceed the limit indicated in the Possible Values.
The Details subtab for the system entitlement contains information about the entitlement and what access it grants.
The Organizations subtab allows SUSE Manager administrators to adjust the number of system entitlement allocations available to each organization. Type in the number (within the range listed in Possible Values) and click the button for that organization.
The Organizations subtab for the system entitlement also contains broad usage information in the SUSE Manager-wide entitlement usage section, including:
Total Allocated — The number of total entitlements available for the entire SUSE Manager.
Entitlement Usage — The number of entitlements currently being used.
Organization Usage shows the number of organizations that have access to the entitlement.
Now that an organization has been created and requisite entitlements assigned to it, you can then assign systems to each organization.
There are two basic ways to register a system with a particular organization:
Registering Using Login and Password — If you provide a login and password created for a specified organization, the system will be registered with that organization. For example, if user-123 is a member of the Central IT organization on SUSE Manager, the following command on any system would register that system with the Central IT organization on your SUSE Manager:
mgrreg_ks --username=user-123 --password=foobaz
Registering Using An Activation Key — You can also register a system with an organization using an activation key from the organization. Activation keys will register systems with the organization in which the activation key was created. Activation keys are a good registration method to use if you want to allow users to register systems with an organization without providing them login access to that organization. If you want to move systems between organizations, you may also automate the move with scripts using the activation keys.
Organizations can share their resources with each other by establishing an organizational trust in SUSE Manager. An organizational trust is bi-directional, meaning that once a SUSE Manager administrator establishes a trust between two or more organizations, the organization administrator from each organization is free to share as much or as little of their resources as they need to. It is up to each organization administrator to determine what resources to share, and what shared resources from other organizations in the trust to use.
Only organization administrators are able to share their custom content; SUSE Manager administrators only allocate system and software entitlements to each organization.
A SUSE Manager administrator can create a trust between two or more organizations. To do this, click the Organizations link on the side menu on the Admin main page.
Click the name of one of the organizations and within the Details page, click the Trusts subtab.
On the Trusts subtab, there is a listing of all the other trusts on SUSE Manager. Here you may use the Filter by Organization text box to narrow down a long list of organizations to a specific subset.
Click the checkbox next to the names of the organizations you want to be in the organizational trust with the current organization and click the button.
Once an organizational trust has been established, organizations can now share content such as custom software channels with the other organizations in the trust. There are also three levels of channel sharing that can be applied to each channel for finer-grained channel access control.
Organizations cannot share Novell channels because they are available to all organizations that have entitlements to those channels.
To share a custom channel with another organization, perform the following steps:
Log in to SUSE Manager with the username of the organization administrator.
Click on the Channels tab.
On the side menu, click Manage Software Channels.
Click the custom channel that you want to share with the other organizations.
From the Channel Access Control section of the Details page, there are three choices for sharing in Organizational Sharing.
Private — Make the channel private so that it cannot be accessed by any organizations except the channel's owner.
Protected — Allow the channel to be accessed by specific trusted organizations of your choice.
Choosing Protected sharing displays a separate page that prompts you to confirm that you are granting channel access to the organizations by clicking .
Public — Allow all organizations within the trust to access the custom channel.
Click the radio button next to your selection and click .
Now, any other organization administrators within the trust for which you have granted access to your custom channel can allow their client systems to install and update packages from the shared channel.
If you have a system subscribed to a shared channel, and the organizational administrator of the shared channel changes access rights to the channel, then the system loses that channel. If the administrator changes a base channel right, then the system will have no base channel on the Systems page and will not receive updates.
In addition to sharing software channels, organizations in a trust can migrate systems to other trusted organizations by using a utility called migrate-system-profile.
migrate-system-profile usage is based on the command line, and uses systemIDs and orgIDs as arguments to specify what is being moved and its destination organization.
To use the migrate-system-profile command, you must have the spacewalk-utils package installed. You do not need to be logged into the SUSE Manager server to use migrate-system-profile; however, if you are not, you will need to specify the hostname or IP address of the server as a command-line switch.
When an organization migrates a system with the migrate-system-profile command, the system does not carry any of the previous entitlements or channel subscriptions from the source organization. However, the system's history is preserved, and can be accessed by the new Organization Administrator in order to simplify the rest of the migration process, which includes subscribing to a base channel and granting entitlements.
Using migrate-system-profile is straightforward. You need to ascertain the ID of the system to be migrated, the ID of the organization the system will migrate to, and the hostname or IP address of the SUSE Manager server if you are running the command from another machine.
The usage from the command line is the following:
migrate-system-profile --satellite {SUSE Manager HOSTNAME OR IP} --systemId={SYSTEM ID} --to-org-id={DESTINATION ORGANIZATION ID}
For example, suppose the Finance department (created as an organization in SUSE Manager with OrgID 2) wants to migrate a workstation (with SystemID 10001020) from the Engineering department, but the Finance Organization Administrator does not have shell access to the SUSE Manager server. The SUSE Manager hostname is satserver.example.com.
The finance organization administrator would type the following from a shell prompt:
migrate-system-profile --satellite satserver.example.com --systemId=10001020 --to-org-id=2
The finance organization administrator is then prompted for their username and password (unless they specified it using --username= and --password= at the command line).
The finance organization administrator would then be able to see the system from the Systems page when logged into the SUSE Manager web interface. The finance organization administrator can then finish the migration process by assigning a base channel and granting entitlements to the client as he would any other system registered with his organization, which is available from the system's History page in the Events subtab.
The SUSE Manager administrator can migrate a system from one trusted organization to any other in the trust. However, organization administrators can only migrate a system from their own organization to another in the trust.
SUSE Manager administrators that need to migrate several systems at once can use the --csv option of migrate-system-profile to automate the process using a simple comma-separated list of systems to migrate.
A line in the CSV file should contain the ID of the system to be migrated as well as the destination organization's ID in the following format:
systemId,to-org-id
The systemId, for example, could be 1000010000, while the to-org-id could be 4. So, a compatible CSV could look like the following:
1000010000,3
1000010020,1
1000010010,4
For more information about using migrate-system-profile refer to the manual page by typing man migrate-system-profile or for a basic help screen type migrate-system-profile -h.
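A batch file for the --csv option can be checked offline before it is used, since a malformed or mistyped line could send a system profile to an organization other than the intended one. The following Python check is an added example, not part of spacewalk-utils; the function name, the optional set of expected destination organization IDs and the sample data are assumptions made for illustration.

```python
import csv
import io


def validate_migration_csv(text, allowed_org_ids=None):
    """Check 'systemId,to-org-id' lines; return (plan, errors).

    plan   -- list of (system_id, to_org_id) for lines that passed
    errors -- list of 'line N: reason'; run nothing if this is non-empty
    allowed_org_ids -- optional set of destination org IDs the operator
                       expects (assumption: e.g. the orgs in the trust)
    """
    plan, errors = [], []
    first_seen = {}  # system_id -> (line number, destination org)
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        lineno = reader.line_num
        fields = [f.strip() for f in row]
        if not any(fields):
            continue  # blank line
        if len(fields) != 2:
            errors.append(f"line {lineno}: expected 'systemId,to-org-id', "
                          f"found {len(fields)} field(s)")
            continue
        if not all(f.isascii() and f.isdigit() for f in fields):
            errors.append(f"line {lineno}: IDs must be decimal integers")
            continue
        system_id, org_id = int(fields[0]), int(fields[1])
        if system_id in first_seen:
            prev_line, prev_org = first_seen[system_id]
            kind = "duplicate of" if prev_org == org_id else "conflicts with"
            errors.append(f"line {lineno}: system {system_id} {kind} "
                          f"line {prev_line}")
            continue
        first_seen[system_id] = (lineno, org_id)
        if allowed_org_ids is not None and org_id not in allowed_org_ids:
            errors.append(f"line {lineno}: destination org {org_id} is not "
                          f"in the expected set")
            continue
        plan.append((system_id, org_id))
    return plan, errors


# Constructed sample with one valid line and five typical mistakes:
# two records on one line, a missing field, the same system sent to two
# organizations, a non-numeric ID, and an unexpected destination.
SAMPLE_BAD = (
    "1000010000,3\n"
    "1000010020,1 1000010010,4\n"
    "1000010030\n"
    "1000010000,4\n"
    "abc,2\n"
    "1000010040,9\n"
)

if __name__ == "__main__":
    plan, errors = validate_migration_csv(SAMPLE_BAD, allowed_org_ids={1, 3, 4})
    for message in errors:
        print(message)
    print("safe to run" if not errors else "fix the file before migrating")
```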
The Users Across SUSE Manager page contains a list of all users on the SUSE Manager, throughout all organizations.
You are only able to modify the details of organization users if you are logged in as that organization administrator.
Clicking the Username displays the User Details page. Refer to Section 3.9, “Users — [Mgmt]” for more information on user configuration.
The Users subtab lists the users assigned to the organization, including their real names, email address, and a check mark indicating that the user is an administrator of the organization.
If you are the organization administrator, you can click the username to display the User Details page for the user. For instructions regarding user management, refer to Section 3.9.1.1, “. + + — [Mgmt]”
You must be logged in as the organization administrator to edit the User details for an organization. The SUSE Manager administrator cannot edit user details for organization users.