Using the APIs to set up a multitenant environment with tenant-level administration
The following operations show how you can set up a multitenant environment with tenant-level administration using Hybrid Data Pipeline APIs.
* Creating tenants with the Tenant API
* Retrieving roles with the Roles API
* Provisioning a tenant user with the Tenant Administrator role
* Granting administrative access to the tenant with the Users API
* Granting administrative access to the tenant with the Tenant API
* Setting system configurations and limits
* Setting tenant limits
* Creating users and roles at the tenant level

Creating tenants with the Tenant API

In this example, a system administrator creates the following tenants with the Tenant API: OrgA, OrgB, and OrgC. The default User (2) and Tenant Administrator (3) roles are imported from the system tenant. As the system tenants are created, the imported roles become unique and are given new IDs.
Request to create OrgA
POST https://MyServer:8443/api/admin/tenants
Request Payload
{
  "name": "OrgA",
  "description": "This is the HDP tenant for organization A.",
  "parentTenant": 1,
  "status": 1,
  "importedRoles": [
    2,
    3
  ]
}
Response Payload
{
  "id": 71,
  "name": "OrgA",
  "description": "This is the HDP tenant for organization A.",
  "parentTenant": 1,
  "status": 1,
  "roles": [
    103,
    104
  ]
}
Request to create OrgB
POST https://MyServer:8443/api/admin/tenants
Request Payload
{
  "name": "OrgB",
  "description": "This is the HDP tenant for organization B.",
  "parentTenant": 1,
  "status": 1,
  "importedRoles": [
    2,
    3
  ]
}
Response Payload
{
  "id": 72,
  "name": "OrgB",
  "description": "This is the HDP tenant for organization B.",
  "parentTenant": 1,
  "status": 1,
  "roles": [
    105,
    106
  ]
}
Request to create OrgC
POST https://MyServer:8443/api/admin/tenants
Request Payload
{
  "name": "OrgC",
  "description": "This is the HDP tenant for organization C.",
  "parentTenant": 1,
  "status": 1,
  "importedRoles": [
    2,
    3
  ]
}
Response Payload
{
  "id": 73,
  "name": "OrgC",
  "description": "This is the HDP tenant for organization C.",
  "parentTenant": 1,
  "status": 1,
  "roles": [
    107,
    108
  ]
}

Retrieving roles with the Roles API

The system administrator must have the role ID to create a user with the Tenant Administrator role. The following GET operation retrieves the roles across the system.
Request
GET https://MyServer:8443/api/admin/roles
Note: The ?tenantID=<tenant_id> and ?tenantName=<tenant_name> query parameters can be appended to the URL to limit the roles returned to a specific tenant.
Response Payload
The first three roles in the payload are roles tied to the system tenant ("tenantId": 1). The remaining roles are the User and Tenant Administrator roles copied to the new tenants.
{
  "roles": [
    {
      "id": 1,
      "name": "System Administrator",
      "tenantId": 1,
      "description": "This role has all permissions. This role cannot be modified or deleted."
    },
    {
      "id": 2,
      "name": "User",
      "tenantId": 1,
      "description": "This role has the default permissions that a normal user will be expected to have."
    },
    {
      "id": 3,
      "name": "Tenant Administrator",
      "tenantId": 1,
      "description": "This role has all the tenant administrator permissions."
    },
    {
      "id": 103,
      "name": "User",
      "tenantId": 71,
      "description": "This role has the default permissions that a normal user will be expected to have."
    },
    {
      "id": 104,
      "name": "Tenant Administrator",
      "tenantId": 71,
      "description": "This role has all the tenant administrator permissions."
    },
    {
      "id": 105,
      "name": "User",
      "tenantId": 72,
      "description": "This role has the default permissions that a normal user will be expected to have."
    },
    {
      "id": 106,
      "name": "Tenant Administrator",
      "tenantId": 72,
      "description": "This role has all the tenant administrator permissions."
    },
    {
      "id": 107,
      "name": "User",
      "tenantId": 73,
      "description": "This role has the default permissions that a normal user will be expected to have."
    },
    {
      "id": 108,
      "name": "Tenant Administrator",
      "tenantId": 73,
      "description": "This role has all the tenant administrator permissions."
    }
  ]
}

Provisioning a tenant user with the Tenant Administrator role

With the following Users API operation, the system administrator creates a user in the OrgA tenant (71) with the Tenant Administrator role. The tenant administrator must then be given administrative access to the tenant either through the Users API or the Tenant API, as described below.
Request
POST https://MyServer:8443/api/admin/users
Request Payload
{
  "userName": "OrgAAdmin",
  "tenantId": 71,
  "statusInfo": {
    "status": 1,
    "accountLocked": false
  },
  "passwordInfo": {
    "password": "TempWord",
    "passwordStatus": 1,
    "passwordExpiration": null
  },
  "permissions": {
    "roles": [
      103,
      104
    ]
  }
}
Response Payload
{
  "id": 2001,
  "userName": "OrgAAdmin",
  "tenantId": 71,
  "statusInfo": {
    "status": 1,
    "accountLocked": false
  },
  "passwordInfo": {
    "passwordStatus": 1,
    "passwordExpiration": null
  },
  "permissions": {
    "roles": [
      103,
      104
    ]
  },
  "authenticationInfo": {
    "authUsers": [
      {
        "authUserName": "OrgAAdmin",
        "authServiceId": 1
      }
    ]
  }
}

Granting administrative access to the tenant with the Users API

In addition to user management permissions, a tenant administrator must be granted administrative access to the tenant. This can be done either through the Users API or the Tenant API. The following Users API request grants user account 2001 administrative access to the OrgA tenant (71).
Request
PUT https://MyServer:8443/api/admin/users/2001/tenantsadministered
Request Payload
{
  "tenantsAdministered": [
    71
  ]
}
Response Payload
{
  "tenantsAdministered": [
    71
  ]
}

Granting administrative access to the tenant with the Tenant API

In addition to user management permissions, a tenant administrator must be granted administrative access to the tenant. This can be done either through the Users API or the Tenant API. The following Tenant API request adds user account 2001 to the list of administrators who can administer the OrgA tenant (71).
PUT https://MyServer:8443/api/admin/tenants/71
Request Payload
{
  "admins": [
    391,
    502,
    2001
  ]
}
Response Payload
{
  "admins": [
    391,
    502,
    2001
  ]
}

Setting system configurations and limits

Setting a system configuration
The following PUT operation disables IP address whitelists across all tenants. The number 8 is the ID of the IP address whitelist feature.
PUT https://MyServer:8443/api/admin/configurations/8
{
  "value": "false"
}
Setting a system limit
The following POST creates a limit of 50000 concurrent OData queries across all tenants. The number 6 is the ID of the ODataMaxConcurrentQueries limit. The payload passes 50000 as the value for this limit.
POST https://MyServer:8443/api/admin/limits/system/6
{
  "value": 50000
}

Setting tenant limits

The following POST creates a limit of 10000 concurrent OData queries on the OrgA tenant. The number 71 is the ID of OrgA, and the number 6 is the ID of the ODataMaxConcurrentQueries limit. This tenant limit will override the system limit.
POST https://MyServer:8443/api/admin/limits/tenants/71/6
{
  "value": 10000
}

Creating users and roles at the tenant level

The new tenant administrator (OrgAAdmin) can now provision users and create roles for the OrgA tenant (71). The first request creates a new user in OrgA. The second request creates a new role in OrgA.
Request
POST https://MyServer:8443/api/admin/users
Request Payload
{
  "userName": "OrgAUser1",
  "tenantId": 71,
  "statusInfo": {
    "status": 1,
    "accountLocked": false
  },
  "passwordInfo": {
    "password": "TempWord",
    "passwordStatus": 1,
    "passwordExpiration": null
  },
  "permissions": {
    "roles": [
      104
    ]
  }
}
Response Payload
{
  "id": 3222,
  "userName": "OrgAUser1",
  "tenantId": 71,
  "statusInfo": {
    "status": 1,
    "accountLocked": false
  },
  "passwordInfo": {
    "passwordStatus": 1,
    "passwordExpiration": null
  },
  "permissions": {
    "roles": [
      104
    ]
  },
  "authenticationInfo": {
    "authUsers": [
      {
        "authUserName": "OrgAUser1",
        "authServiceId": 1
      }
    ]
  }
}
With the following POST request, a new role is created in the OrgA tenant for OData-only access to data sources. No user is specified in this example, but a user can subsequently be assigned the new role either through the Roles API or the Users API.
Request
POST https://MyServer:8443/api/admin/roles
Request Payload
{
  "name": "ODataOnly",
  "tenantId": 71,
  "description": "This role allows only OData access.",
  "permissions": [7],
  "users": []
}
Response Payload
{
  "id": 311,
  "name": "ODataOnly",
  "tenantId": 71,
  "description": "This role allows only OData access.",
  "permissions": [
    7
  ],
  "users": []
}
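
Added example (not part of the Hybrid Data Pipeline documentation or product): because imported roles receive new IDs in each tenant, a user-creation payload can be reviewed against the Roles API listing before it is sent, confirming that every role ID belongs to the user's own tenant and that administrative roles go only to approved accounts. The function names, the approved_admins list, the name-based match on administrative roles and the own-tenant rule for tenantsAdministered are assumptions of this sketch.

```python
import json

# Constructed sample: the roles listing shown on this page, trimmed to the fields used here.
ROLES = json.loads("""{"roles": [
  {"id": 1,   "name": "System Administrator", "tenantId": 1},
  {"id": 2,   "name": "User",                 "tenantId": 1},
  {"id": 3,   "name": "Tenant Administrator", "tenantId": 1},
  {"id": 103, "name": "User",                 "tenantId": 71},
  {"id": 104, "name": "Tenant Administrator", "tenantId": 71},
  {"id": 105, "name": "User",                 "tenantId": 72},
  {"id": 106, "name": "Tenant Administrator", "tenantId": 72}
]}""")

# Assumption: administrative roles are recognised by the default role names.
ADMIN_ROLE_NAMES = {"System Administrator", "Tenant Administrator"}


def review_user_payload(payload, roles_listing, approved_admins=()):
    """Return findings for a user-creation payload; an empty list means no objections."""
    by_id = {role["id"]: role for role in roles_listing["roles"]}
    tenant, user = payload["tenantId"], payload["userName"]
    findings = []
    for role_id in payload.get("permissions", {}).get("roles", []):
        role = by_id.get(role_id)
        if role is None:
            findings.append(f"role {role_id} is not in the roles listing")
        elif role["tenantId"] != tenant:
            findings.append(
                f"role {role_id} belongs to tenant {role['tenantId']}, not tenant {tenant}")
        elif role["name"] in ADMIN_ROLE_NAMES and user not in approved_admins:
            findings.append(f"role {role_id} ({role['name']}) given to unapproved user {user}")
    return findings


def review_tenants_administered(user_tenant, tenants_administered):
    """Flag administrative access that reaches outside the user's own tenant."""
    return [f"administers tenant {t} from tenant {user_tenant}"
            for t in tenants_administered if t != user_tenant]


if __name__ == "__main__":
    # Constructed payloads modelled on the page's requests (password fields omitted).
    admin = {"userName": "OrgAAdmin", "tenantId": 71, "permissions": {"roles": [103, 104]}}
    user1 = {"userName": "OrgAUser1", "tenantId": 71, "permissions": {"roles": [104]}}
    for p in (admin, user1):
        print(p["userName"], review_user_payload(p, ROLES, approved_admins={"OrgAAdmin"}))
    print(review_tenants_administered(71, [71, 72]))
```

With only OrgAAdmin approved, the OrgAAdmin payload passes and the OrgAUser1 payload is flagged, because role 104 is the OrgA copy of the Tenant Administrator role in the listing above; 103 is the OrgA copy of the User role.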