skip to main content
Administering Hybrid Data Pipeline : Tenant architectures : Multitenant environment

Try Now

Multitenant environment

Multitenancy allows a system administrator to isolate groups of users, such as organizations or departments, that are being hosted through the Hybrid Data Pipeline service. The provider maintains a physical instance of Hybrid Data Pipeline, while each tenant (group of users) is provided with its own logical instance of the service. In a multitenant environment, the default system tenant contains multiple child tenants. The user accounts that reside in one tenant are isolated from those in other tenants.
Tenants can be administered either by administrators who reside in the system tenant, or by administrators who reside in a child tenant. While the administration of tenants is based on user provisioning, there are a number of features that can be used in the administration of tenants. These include:
*Integrating LDAP authentication
*Integrating Java plugin authentication
*Row limit throttling
*OData query throttling
*Integrating Hybrid Data Pipeline with a Google OAuth 2.0 authorization flow to access Google Analytics
*Restricting access with IP whitelists
As detailed in Permissions and default roles, each of these features has corresponding permissions. Therefore, system administrators who want to delegate tasks related to these features should assign these permissions as needed to tenant administrators.
Important: To administer user accounts and other resources that belong to a tenant, a tenant administrator must be given explicit administrative access to the given tenant. Administrative access to a tenant can be granted either by updating the list of administrators for a tenant via the Tenant API or by updating the tenants administered for a user via the Users API.
The administration of tenants follows two general patterns. First, a system administrator might want to create an administrator who can manage users, data sources, and other resources across multiple tenants. In this case, the system administrator would create a user account in the default system tenant with user management permissions and then grant administrative access to the user account for the tenants the user will manage. Second, a system administrator might want to isolate user provisioning and management tasks such that these tasks are administered at the tenant level as opposed to the system level. In this case, the system administrator would create a user account with user management permissions in each tenant. Then, each user account would be granted administrative access for the tenant in which it resides. These tenant administrators would be responsible for administering the tenants to which they belonged. They could not administer other tenants in the system. These two patterns are not mutually exclusive. For example, a system administrator might want to delegate and isolate the administration of tenants, but also provision support personnel to work with resources across multiple tenants.
The following topics provide information on creating tenants and provisioning users to administer these tenants.
* System-level tenant administration
* Tenant-level tenant administration