Chapter 9. Multiple Organizations
RHN Satellite supports the creation and management of multiple organizations within one Satellite installation, allowing for the division of systems, content, and subscriptions across different organizations or specific groups. This chapter guides the user through basic setup tasks and explains the concepts of multiple organization creation and management within RHN Satellite.
9.1. Recommended Models for Using Multiple Organizations
The following examples detail two possible scenarios using the multiple organizations (or multi-org) feature. Installing or upgrading to RHN Satellite 5.1 or later does not require that you make use of the multi-org feature. You may create additional organizations on your Satellite and start using those organizations at whatever pace makes the most sense for you. It is a good idea to create an additional organization and use it on a trial basis for a limited set of systems/users to fully understand the impact of a multi-org Satellite on your organization's processes and policies.
9.1.1. Centrally-Managed Satellite for A Multi-Department Organization
In this first scenario, the RHN Satellite is maintained by a central group within a business or other organization (refer to Figure 9.1, “Centralized Satellite Management for Multi-Department Organization”). The Satellite administrator of Organization 1 (the administrative organization created during Satellite configuration) treats Organization 1 (the 'Administrative Organization') as a staging area for software and system subscriptions and entitlements.
The Satellite administrator's responsibilities include the configuration of the Satellite (any tasks available under the Admin area of the web interface), the creation and deletion of additional Satellite organizations, and the allocation and removal of software and system subscriptions and entitlements.
Additional organizations in this example are mapped to departments within a company. One way to decide what level to divide the various departments in an organization is to think about the lines along which departments purchase subscriptions and entitlements for use with RHN Satellite. To maintain centralized control over organizations in the Satellite, create an Organization Administrator account in each subsequently created organization so that you may access that organization for any reason.
Figure 9.1. Centralized Satellite Management for Multi-Department Organization
9.1.2. Decentralized Management of Multiple Third Party Organizations
In this example, the Satellite is maintained by a central group, but each organization is treated separately without relations or ties to the other organizations on the Satellite. Each organization may be a customer of the group that manages the Satellite application itself.
While a Satellite consisting of sub-organizations that are all part of the same company may be an environment more tolerant of sharing systems and content between organizations, in this decentralized example sharing is less tolerable. Administrators can allocate entitlements in specific amounts to each organization. Each organization will have access to all Red Hat content synced to the Satellite if the organization has software channel entitlements for the content.
However, if one organization pushes custom content to their organization, it will not be available to other organizations. You cannot provide custom content that is available to all or select organizations without re-pushing that content into each organization.
In this scenario, Satellite Administrators may want to reserve an account in each organization to have login access. For example, if you are using Satellite to provide managed hosting services to external parties, you could reserve an account for yourself so to access systems in that organization and push content.
Figure 9.2. Decentralized Satellite Management for Multi-Department Organization
9.1.3. General Tips for Multi-Org Usage
Regardless of the specific model above you choose in the management of your multi-org Satellite, the following best practices tips can help.
It is not recommended to use the administrative organization (organization #1) for registering systems and creating users in any situation unless you intend to the use Satellite as a single organization Satellite or are in the process of migrating from a single organization Satellite to a multiple organization Satellite. This is due to the following reasons:
- The administrative organization is treated as a special case with respect to entitlements. You can only add or remove entitlements to this organization implicitly by removing them or adding them from the other organizations on the Satellite.
- The administrative organization is intended to be a staging area for subscriptions and entitlements. When you associate the Satellite with a new certificate, any new entitlements will by granted to this organization by default. In order to make those new entitlements available to other organizations on the Satellite, you will need to explicitly allocate those entitlements to the other organizations from the administrative organization.
9.1.3.1. Certificate Has Less Entitlements Than I Am Using
If you are issued a new Satellite certificate and it contains less entitlements than the systems in the organizations on your Satellite are consuming, you will be unable to activate this new certificate when uploading it through the Satellite's web interface under Admin ⇒ Satellite Configuration ⇒ Certificate, uploading it through the http://rhn.redhat.com profile of the Satellite system under the Satellite tab, or by running the
rhn-satellite-activate
command. You will get an error stating that there are insufficient entitlements in the certificate.
There are a few ways you can reduce Satellite entitlement usage in order to activate your new certificate. Red Hat recommends evaluating each organization's entitlement usage on the Satellite and decide which organizations should relinquish some entitlements and still function properly. You can then contact each organization administrator directly and request that they unentitle or delete the system profiles of any extraneous systems in their organizations. If you have login access to these organizations, you can do this yourself. Logged in under a Satellite administrator, you cannot decrement the allocated entitlements to an organization below the number of entitlements that organization has actively associated with system profiles.
There are some situations in which you need to free entitlements and do not have a lot of time to do so, and may not have access to each organization in order to do this yourself. There is an option in Multi-Org Satellites that allows the Satellite administrator to decrement an organization's entitlement count below their usage. This method must be done logged into the administrative organization.
For example, logged into the administrative organization, if your certificate is 5 system management entitlements shy of being able to cover all registered systems on your Satellite, the 5 systems that were most recently registered to that organization will be unentitled. This process is described below:
- In the
/etc/rhn/rhn.conf
file, set web.force_unentitlement=1 - Restart the Satellite
- Reduce the allocated entitlements to the desired organizations either via each organization's Subscriptions tab or via individual entitlement's Organizations tabs.
- A number of systems in the organization should now be in an unentitled state. The number of systems unentitled in the organization will be equal to the difference between the total number of entitlements you removed from the organization and the number of entitlements the organization did not have applied to the systems.For example, if you removed 10 entitlements from the organization in step 3, and the organization has 4 entitlements that were not in use by systems, then 6 systems in the organization will be unentitled.
After you have the sufficient number of entitlements required, you should then be able to activate your new Satellite certificate. Note that modifying the
web.force_unentitlement
variable is only necessary to decrement an organization's allocated entitlements below what they are using. If an organization has more entitlements than are being actively used, you do not need to set this variable to remove them.
9.1.3.2. Certificate Has More Entitlements Than I Am Using
If you are issued a new Satellite certificate and it has more entitlements than are being consumed on your Satellite, any extra entitlements will be assigned to the administrative organization. If you log into the web interface as the Satellite administrator, you will then be able to allocate these entitlements to other organizations. The previously-allocated entitlements to other organizations will be unaffected.