Multitenant environment

Multitenancy allows system administrators to isolate groups of users, such as organizations or departments, hosted by the Hybrid Data Pipeline service. The system administrator maintains a physical instance of Hybrid Data Pipeline, while each tenant (group of users) is provided with its own logical instance of the service. To create a multitenant environment, the system administrator creates child tenants in the default system tenant. The system administrator can then proceed with setting up administrative and support structures for maintaining the Hybrid Data Pipeline environment. The administration of tenants follows two general patterns: system-level administration and tenant-level administration.

In system-level administration, a system administrator may want to delegate or share user provisioning and other administrative tasks with a tenant administrator who can manage user accounts and enable supported features across multiple tenants. In this instance, the system administrator creates tenant administrators in the system tenant with user management permissions and administrative access to the tenants they will manage. These tenant administrators are able to manage users, data sources, and other resources across multiple tenants.

In tenant-level administration, the system administrator delegates user provisioning and other administrative tasks to tenant administrators who belong to one of many tenants. For example, a Hybrid Data Pipeline provider may host several external organizations where it is appropriate for the organizations themselves to provision users and administer data access. In this scenario, the system administrator would create tenant administrators who reside in the tenants they administer, thus isolating administrative tasks such as user provisioning from one tenant to another. For tenant-level administration, tenant administrators must have administrative access to the tenants in which they reside, as well as user management and other permissions as needed.

Note that system-level and tenant-level administration are not mutually exclusive. For example, a system administrator might want to delegate and isolate the administration of tenants, but also provision support personnel to work with resources across multiple tenants.