Introduction to Team Access Control for Azure Pack

Team Access Control is a new third-party Resource Provider for Azure Pack. Along with UR5 for Azure Pack this resource provider is now available trough the Web Platform Installer.

This blogs aims at giving you initial look at the installation and configuration of this Resource Provider and what it offers. The Resource Provider is a paid solution and this blog post does not aim at marketing and selling it.

So let’s get started. As I’ve said it is available at Web Platform installer and after you install Web PI you can easily get the setup with simple commands. Web PI has command line tool with which we can get all solutions available for install/download:

webpicmd.exe /list /listOption:all

Searching trough the list we find the RP and we can download the setup with simple command:

webpicmd.exe /offline /Products:TAC_WAP_Extensions /Path:D:\WAP

When the command finishes we have the setup itself:

We can copy that setup to our WAP server and install it. In my example I have one WAP server with all web sites/roles install on it so I will install all web sites / roles of TAC RP on the WAP server. The RP itself support installing the different web sites on different servers so you can have more distributed and production deployment. There is a guide with instructions which I will reference later.

So let’s start the setup on our WAP server:

I select all roles for install:

When the installation finishes we can logon to the Azure Pack Admin Portal and check the RP:

There on the first page you will find instructions how to configure it like very other RP.

First step will open a link to a PDF guide. There you will find information on how to do the configuration in different scenarios. I will do the configuration myself and will let you know for any caveats you may stumble upon.

The configuration is simple and basically consists of one command that you will need to execute. The command will change the configuration of the web service for TAC RP and connect the web service to your SQL server that you use for WAP databases. TAC RP has a database on its own that you will need to host. As the DB is not resource intensive you can safely located along with WAP databases. To execute that configuration command you will need to generate random passwords and encryption key. To ease this TAC RP has a command that you can execute and that command will generate such keys for you that you can later store on safe location.

You need to start PowerShell in admin mode on the WAP server where TAC RP is installed and navigate to the TAC RP installation folder. Than you can execute the following command:

.\TACConfig.exe –action:genkeys

The keys are generated along with the actual parameters that are needed for the configuration command. Keep in mind that the encryption key ends right before PS C:\Program Files\Terawe\TAC4WAPack\bin>

Now that we have those passwords we can execute the configuration command. Keep in mind that when you are copying such commands directly some symbols like – may not be copied correctly so it is good always to check them in Notepad.

.\TACConfig.exe -action:install -path:C:\inetpub\TAC4WAPack\Web.Config -apiusername:TACApiClient -tenantpublicapiurl:https://WAPServer.contoso.com:30006/ -sqlserver:WAPSQL.contoso.com -dbuserpwd:RpOJ9IwAUJhnk1QA/0CnlvDahIaG7UF8eOZ9rJDhPpw= -ap
iuserpwd:BM4z/WebcsJ5YSmHdlkxgavGx3T3h9xjrI9AeGiSWUE= -encryptkey:Hho+lGf8YviXS0+saxlOsEsqT+OUGX2lgda+liB88do=

So your –action says install. Parameter –Path is the location of the web config file for TAC RP. Parameter –apiusername can be any user you want to be created. Parameter –tenantpublicapiurl is the Tenant Public IP URL. Parameter –sqlserver is the SQL server where you want to put the DB for TAC RP. The last three parameters you can copy directly from the command that generated them.

After you run the command you should see successful message.

You can now again open Azure Pack Admin portal. In TAC RP you now can register the TAC API.

For REST API Endpoint you point where TAC RP was installed. In our case the WAP server. User Name and password are the same ones you’ve used in the configuration command.

You will see successful message when registration is successful:

After that you can start using Team Access Control Resource Provider. Let’s see simple example on how you can use it.

The goal of TAC RP is to have two groups of users. First group is Managers who have full subscription rights for VM Clouds Resource provider. Second group is members who can have less or equal access to Virtual Machines and VM Clouds Resources. And Managers can delegate access and resources to members for VM Clouds Resource Provider. Simply put Team Access Control achieves Role Based access for VM Clouds Resource Provider.

Let’s first start by creating a hosting plan for Managers group.

This hosting plan needs to have resources from VM Clouds and Team Manager.

Once plan is created let’s go and configure VM Clouds for that plan. There is nothing special in configuring VM clouds for it. Just use the configurations you usually do.

Next you need to configure Team Manager for that plan. Let’s say we will have maximum 10 teams for this plan and save it:

Now let’s create another plan for Members:

This hosting plan will be attached only to Team Member service:

This plan does not need any configuration.

Next we can make both plans public:

Now we need to create a user and subscription and assign it to the Managers plan:

Let’s also create user and subscription and assign it to Members plan:

If you go to VMM you will see that User role is created only for manager user as that user/subscription is only assigned to VM Clouds:

Now let’s login to Azure Pack Tenant portal with manager user:

Once we are logged on first thing we need to do it open
“https:// WAPserver.contoso.com:Port/publishsettings”
. When you open it browser will ask you to save a file. Save it.