A system has a virtual overlay infrastructure mapped onto physical resources for processing, storage and network communications, the virtual infrastructure having virtual entities for processing, storage and network communications. Virtual infrastructures of different users share physical resources but are isolated. Each infrastructure has its own infrastructure controller to create and configure the infrastructure. It has a user accessible part (CFC) for configuration of that user's infrastructure, and a user inaccessible part (UFC) able to access the mapping and the physical resources. This increases user control to ease system administration, while maintaining security by limiting access to the mapping.