Local Subscription Services, Local Content Providers, and Multi-Tenant Organizations

As outlined, the subscription service, content repository, and client tools and inventory all work together to define the entitlements structure for a customer. The way that these elements are organized depends on a lot of factors, like who is maintaining the individual services, how systems in the inventory are grouped, and how user access to the different services is controlled.

The simplest structure is the hosted structure. The content and subscription services are hosted by CentOS, and all systems within the inventory are contained in one monolithic group. User access is defined only by CentOS Customer Portal account access.


Figure 14.8. Hosted Structure


The next step allows a customer to have its own, local subscription service (Subscription Asset Manager), while still using CentOS's hosted content delivery network. At this point, user access can be defined locally, within the Subscription Asset Manager configuration. Subscription Asset Manager can define independent groups, called organizations. Systems belong to those organizations, and users are granted access to those organizations. Systems and users in one organization are essentially invisible to systems and users in other organizations.


Figure 14.9. Hosted Content/Local Subscriptions Structure


The last style of infrastructure is almost entirely local, with a Subscription Asset Manager that provides locally-hosted content providers and an integrated local subscription service.


Figure 14.10. Local Subscriptions and Local Content Provider Structure


This allows the most control over how systems are grouped within the subscriptions/content. A customer's main account can be divided into separate and independent organizations. These organizations can use different content providers, can have different subscriptions allocated to them, and can have different users assigned to them with levels of access set per organization. Access control in this scenario is handled entirely locally. The local Subscription Asset Manager, not the remote CentOS Customer Portal, processes user authentication requests and applies local access control policies.

A system is assigned to one organization. Within an organization, there can be different environments which define access to product versions and content sets. There can be overlap between environments, with a system belonging to multiple environments.


Figure 14.11. Multi-Org


When there is only one organization, such as in a hosted environment (where the single organization is implicit), the systems all default to that one organization. When there are multiple organizations, the organization for a system to use must be defined for that system. This affects register operations, where the system is registered to the subscription service and then joined to the organization. It also affects other operations tangentially. It may affect subscribe operations because it affects repository availability and subscription allocations, and it affects redeem operations (activation of existing subscriptions) because subscriptions must be redeemed from the organization which issued the subscription.
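Because the organization decides which repositories and subscriptions a system can reach, it is worth auditing that each system is joined to the organization you intended. The following is an added example, not part of the original documentation: a shell check that reads the output of `subscription-manager identity` and compares the reported organization with an expected value. Assumptions: the client tool is `subscription-manager`, its identity output carries an `org ID:` line (the label may vary by version), and the sample output and the organization names `engineering` and `finance` are constructed.

```shell
#!/bin/sh
# Constructed sample of `subscription-manager identity` output. It was not
# captured from a real system; the field labels are an assumption.
sample_identity() {
cat <<'EOF'
system identity: 00000000-0000-0000-0000-000000000000
name: app01.example.com
org name: Engineering
org ID: engineering
EOF
}

# Print the organization ID found in identity output read from stdin.
# The label is matched case-insensitively ("org ID" or "org id").
org_id_from_identity() {
    awk -F': *' 'tolower($1) == "org id" { print $2; exit }'
}

# check_org EXPECTED
# Reads identity output on stdin. Returns:
#   0  the system is joined to EXPECTED
#   1  the system is joined to a different organization
#   2  no organization line found (unregistered or unparsable output)
check_org() {
    expected=$1
    actual=$(org_id_from_identity)
    if [ -z "$actual" ]; then
        echo "no organization found in identity output" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "registered to '$actual', expected '$expected'" >&2
        return 1
    fi
    return 0
}

# On a registered system:
#   subscription-manager identity | check_org engineering
```

A mismatch (return code 1) on a multi-organization deployment means the system draws content and subscriptions from the wrong tenant and should be re-registered with the intended organization.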

For more information on configuring and managing organizations, environments, and content repositories, see the Subscription Asset Manager documentation.