From VMware to Private Cloud Director: Mastering Multi-Tenancy with Identity and Domains
For VMware administrators, managing multiple teams, departments, or customers in a private cloud has always required careful planning and extra licensing. The challenge is finding a balance between isolation and flexibility without adding operational complexity or cost.
VMware environments typically use vCenters for high-level separation, and Virtual Data Centers (vDCs) as a logical way to represent regional distribution. There are a few ways to visually separate your infrastructure with folders, but true multi-tenancy was only available with an upgrade or a third-party tool.
Wondering how to streamline your VMware to Private Cloud Migration while managing multi-tenancy and identity? Let’s understand it step by step.
Platform9: Multi-Tenancy by Design
Private Cloud Director (PCD) builds upon these familiar logical constructs while introducing a cloud-native, multi-tenant approach that aligns with more modern infrastructure patterns:
- Domains = vCenters (high-level isolation)
- Regions = Virtual Data Centers (geo-distributed segmentation)
- Tenants = Top-Level Folders (identity & access control boundaries)
PCD brings these capabilities into a unified private cloud platform that delivers the multi-tenancy VMware users have been asking for without requiring third-party extensions or additional licensing costs.
Multi-Tenancy in Private Cloud Director
PCD enforces multi-tenancy through three core identity constructs:
- Domains – The highest level of separation, typically representing different business units (e.g., HR, Finance, Engineering). Each domain has its own authentication policies and security boundaries.
- Tenants – Isolated resource pools within domains, ensuring teams or applications operate independently while maintaining centralized governance.
- Regions – Geographical or compliance-driven separations for high availability and disaster recovery planning.
You have flexibility with how you choose to define your tenants. A well-structured multi-tenancy model helps you ensure:
- Clear separation of workloads – Prevents cross-tenant data exposure and accidental access.
- Resource efficiency – Enables fair distribution and prevents performance bottlenecks.
- Compliance alignment – Supports industry regulations requiring strict tenant separation.
PCD allows administrators to implement strict RBAC policies while maintaining the flexibility that you’ve grown used to in a VMware environment.
Private Cloud Director Identity Service: Access & Control
At the core of PCD's multi-tenancy capabilities is its Identity Service. This service is where you configure users, groups, roles, and tenants, and it manages authentication and authorization.
Authentication Methods Supported by PCD
- Local User Accounts – Built-in authentication managed within PCD.
- Enterprise Single Sign-On (SSO) via SAML 2.0 – Seamlessly integrates with corporate identity providers.
- LDAP Integration – Connects PCD to Active Directory (AD) for centralized identity management.
Role-Based Access Control (RBAC)
PCD enforces least-privilege access using predefined roles:
- Administrator – Full control over domains, tenants, and infrastructure.
- Self-Service User – Permissions are limited to what has been granted in the tenant.
- Read Only User – Can view configurations but cannot make changes.
Example: Assigning Role-Based Access in PCD
A DevOps engineer needs access to both the Development and QA tenants. To assign scoped permissions:
- Navigate to Identity & Access Control in the PCD dashboard.
- Select the user and assign the necessary tenant roles.
- Verify that the assigned permissions prevent unauthorized access.
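As an added illustration of the verification step above (not Platform9 code and not a PCD API), this script audits a list of role assignments against the access each user is meant to have. The tuple format, the user names, the Engineering domain for the Development and QA tenants, and the role ordering are assumptions made for the example.

```python
from collections import defaultdict

# Role names come from the page; ranking them from least to most privileged
# is this example's assumption, not PCD's actual permission matrix.
RANK = {"Read Only User": 0, "Self-Service User": 1, "Administrator": 2}

# Constructed sample: the highest role each user should hold per (domain, tenant).
INTENDED = {
    "devops-eng": {("Engineering", "Development"): "Self-Service User",
                   ("Engineering", "QA"): "Self-Service User"},
    "hr-analyst": {("HR", "HR"): "Read Only User"},
}

# Constructed sample: assignments as (user, domain, tenant, role).
# Hypothetical export format, not produced by any PCD command.
ASSIGNMENTS = [
    ("devops-eng", "Engineering", "Development", "Self-Service User"),
    ("devops-eng", "Engineering", "QA", "Self-Service User"),
    ("devops-eng", "Finance", "Finance", "Read Only User"),  # not intended
    ("hr-analyst", "HR", "HR", "Self-Service User"),         # above intended role
]

def audit(assignments, intended):
    """Return (user, scope, finding) tuples where actual access departs from intent."""
    findings = []
    seen = defaultdict(set)
    for user, domain, tenant, role in assignments:
        scope = (domain, tenant)
        seen[user].add(scope)
        if role not in RANK:
            findings.append((user, scope, "unknown-role"))
            continue
        allowed = intended.get(user, {}).get(scope)
        if allowed is None:
            # Any role in a tenant the user was never meant to reach.
            findings.append((user, scope, "out-of-scope"))
        elif RANK[role] > RANK[allowed]:
            findings.append((user, scope, "over-privileged"))
    # Intended access that was never granted is reported too, so the audit
    # catches incomplete assignments as well as excess ones.
    for user, scopes in intended.items():
        for scope in scopes:
            if scope not in seen[user]:
                findings.append((user, scope, "missing"))
    return findings

if __name__ == "__main__":
    for user, scope, finding in audit(ASSIGNMENTS, INTENDED):
        print(f"{finding}: {user} in {scope[0]}/{scope[1]}")
```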
We designed PCD identity management to be intuitive while making sure that you get the comprehensive access control you need. It’s about making every part of the workflow smoother to reduce the friction of getting applications deployed.
Multi-Tenancy Use Case: Enterprise Departmental Cloud
Let’s run through a quick scenario. You are the administrator for a global enterprise that needs to isolate workloads across HR, Finance, and Engineering.
PCD provides a straightforward way for you to get the logical isolation and organization you need.
Step 1: Define Domains & Tenants
- HR Tenant – Restricted to HR personnel, ensuring employee data remains secure.
- Finance Tenant – Dedicated to financial applications, preventing unauthorized access.
- Engineering Tenant – A sandbox for developers to test and deploy without impacting production.
Step 2: Assign Users & Teams with Role-Based Access
- HR users access only HR workloads.
- Finance teams control financial applications without interfering with Engineering.
- Engineers operate within an isolated environment.
Here is an example of creating a tenant and assigning access with PCD Identity Service:
Step 3: Enforce Security & Compliance Policies
- RBAC – Ensures users can only access assigned tenants with built-in and customizable roles.
- SAML 2.0 SSO – Strengthens authentication consistency and integrates with your enterprise directory service.
- Network Segmentation – Prevents unauthorized cross-tenant traffic and maintains logical separation of resources.
Identity Service provides you with a cloud tenancy model with enterprise authentication integration so you can scale your private cloud while maintaining compliance, security, and control.
Additional PCD Identity Capabilities
Beyond tenant isolation, PCD offers granular controls to enhance security and governance. Some of the key capabilities that you gain include:
- Federated Authentication (SAML 2.0) – Automates user provisioning across multi-cloud environments.
- Built-in Network Segmentation – Ensures strict tenant traffic isolation.
- Quotas & Limits – Prevents resource monopolization by any single tenant.
- Comprehensive Auditing – Tracks all tenant activities and API interactions for compliance.
Now you have a truly self-service capability that gives your developers easy access to spin up and tear down their own machines from the image library. Because of the design, you also get granular control over who can launch which instances, and where. This makes self-service possible while keeping the risk of automated resource management low.
Unlocking Multi-Tenancy for VMware Users
Private Cloud Director (PCD) was built to provide a simple, flexible, and cost-effective private cloud. The goal is to extend capabilities while also providing a familiar experience for folks who are coming from VMware. There are also many features you’ve not had before with VMware vSphere and vCenter, like true cloud-native multi-tenancy.
- A familiar VMware-aligned structure (Domains = vCenters, Tenants = Folders)
- Enterprise-ready identity and access management
- Seamless tenant isolation and workload segmentation
PCD empowers IT teams to modernize their infrastructure while maintaining the control and efficiency they expect.
Want to experience the benefits of multi-tenancy with PCD? Start your journey today.
- From VMware to Private Cloud Director: Mastering Multi-Tenancy with Identity and Domains - March 11, 2025