Single-tenant environment

Tenancy is mostly transparent in a single-tenant environment where user accounts may reside only in the default system tenant. However, support for multitenancy introduced tenant and elevated permissions as detailed in Permissions and default roles. Tenant permissions support the ability of administrators to provision and manage users, while elevated permissions support the ability of administrators to execute other administrative tasks, such as throttling and logging. By granting such permissions to other users, the system administrator can delegate administrative tasks and responsibilities. The following examples show how a user can be promoted to a tenant administrator using the Roles and Users APIs in a single-tenant environment.
* Retrieving valid roles in the system tenant
* Create a user with the Tenant Administrator role
* Grant the administrator user administrative access to the system tenant
* Create a new role with tenant and elevated permissions
* Assign the new role to the administrator user

Retrieving valid roles in the system tenant

The following GET operation retrieves the valid roles and their IDs for the system tenant in a single-tenant environment. Role IDs can then be used to assign roles to users.
Request
GET https://MyServer:8443/api/admin/roles
Response Payload
{
    "roles": [
        {
            "id": 1,
            "name": "System Administrator",
            "tenantId": 1,
            "description": "This role has all permissions. This role cannot be modified or deleted."
        },
        {
            "id": 2,
            "name": "User",
            "tenantId": 1,
            "description": "This role has the default permissions that a normal user will be expected to have."
        },
        {
            "id": 3,
            "name": "Tenant Administrator",
            "tenantId": 1,
            "description": "This role has all the tenant administrator permissions."
        }
    ]
}

Create a user with the Tenant Administrator role

The ID for the Tenant Administrator role (3) can then be used to create a user with the Tenant Administrator role, as shown in the following POST operation. The user inherits the permissions associated with this role.
Request
POST https://MyServer:8443/api/admin/users
Request Payload
{
    "userName": "TenantAdmin",
    "statusInfo": {
        "status": 1,
        "accountLocked": false
    },
    "passwordInfo": {
        "password": "<password>",
        "passwordStatus": 1,
        "passwordExpiration": "2020-01-01 00:00:00"
    },
    "permissions": {
        "roles": [3]
    }
}
Response Payload
{
    "id": 87,
    "userName": "TenantAdmin",
    "tenantId": 1,
    "tenantName": "Root",
    "statusInfo": {
        "status": 1,
        "accountLocked": false
    },
    "passwordInfo": {
        "passwordStatus": 1,
        "passwordExpiration": "2020-01-01 00:00:00.0"
    },
    "permissions": {
        "roles": [3]
    },
    "authenticationInfo": {
        "authUsers": [
            {
                "authUserName": "TenantAdmin",
                "authServiceId": 1
            }
        ]
    }
}

Grant the administrator user administrative access to the system tenant

In addition to being granted the Tenant Administrator role, the tenant administrator must be granted administrative access to the system tenant. The following Users API request grants user account 87 administrative access to the system tenant.
Note: Administrative access to the system tenant can also be managed by updating the list of administrators via the Tenant API.
Request
PUT https://MyServer:8443/api/admin/users/87/tenantsadministered
Request Payload
{
    "tenantsAdministered": [1]
}
Response Payload
{
    "tenantsAdministered": [1]
}

Create a new role with tenant and elevated permissions

The following POST request creates the new Tenant Admin Plus role. The new role has all user and tenant permissions plus the Logging (24), Limits (27), and OAuth (28) permissions.
Request
POST https://MyServer:8443/api/admin/roles
Request Payload
{
    "name": "Tenant Admin Plus",
    "description": "This role has all the tenant administrator permissions plus elevated permissions.",
    "permissions": [
        1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19, 20, 21,
        24, 27, 28
    ],
    "users": []
}
Response Payload
{
    "id": 42,
    "name": "Tenant Admin Plus",
    "description": "This role has all the tenant administrator permissions plus elevated permissions.",
    "permissions": [
        1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19, 20, 21,
        24, 27, 28
    ],
    "users": []
}

Assign the new role to the administrator user

The following PUT assigns the new Tenant Admin Plus role to the administrator user. The user inherits the permissions associated with this role. Note that the ID of the Tenant Admin Plus role (42) was provided in the response payload when the role was created. Also, note that any existing roles and permissions are removed by this operation.
Request
PUT https://MyServer:8443/api/admin/users/87/permissions
Request Payload
{
    "roles": [42],
    "permissions": []
}
Response Payload
{
    "roles": [42]
}
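
Once administrative tasks are delegated this way, it is worth reviewing who ends up holding elevated permissions. The following is an added example, not part of the product documentation: it resolves each user's roles plus any explicitly granted permissions and reports users holding the Logging (24), Limits (27), or OAuth (28) permissions. It assumes role and user records have been exported in the shapes shown above; the sample records, the function names, and the permission lists for roles 2 and 3 are constructed for illustration.

```python
import json

# Elevated permission IDs this page names; other IDs are not covered here.
ELEVATED = {24: "Logging", 27: "Limits", 28: "OAuth"}

# Constructed sample data; permission lists for roles 2 and 3 are illustrative.
ROLES = json.loads("""[
  {"id": 2, "name": "User", "permissions": [1, 2, 3]},
  {"id": 3, "name": "Tenant Administrator", "permissions": [1, 2, 3, 13, 14]},
  {"id": 42, "name": "Tenant Admin Plus", "permissions": [1, 2, 3, 4, 5, 6, 7,
    8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19, 20, 21, 24, 27, 28]}
]""")
USERS = json.loads("""[
  {"id": 87, "userName": "TenantAdmin", "permissions": {"roles": [42], "permissions": []}},
  {"id": 90, "userName": "analyst", "permissions": {"roles": [2], "permissions": [24]}},
  {"id": 91, "userName": "reader", "permissions": {"roles": [2]}},
  {"id": 92, "userName": "stale", "permissions": {"roles": [99]}}
]""")


def effective_permissions(user, roles_by_id):
    """Return (permission IDs, unresolved role IDs) for one user record."""
    perms = user.get("permissions", {})
    granted = set(perms.get("permissions", []))  # explicitly granted
    unresolved = []
    for role_id in perms.get("roles", []):
        role = roles_by_id.get(role_id)
        if role is None:
            unresolved.append(role_id)  # role missing from the export
        else:
            granted.update(role.get("permissions", []))  # inherited from role
    return granted, unresolved


def audit_elevated(roles, users):
    """List users holding an elevated permission or an unresolvable role."""
    roles_by_id = {r["id"]: r for r in roles}
    findings = []
    for user in users:
        granted, unresolved = effective_permissions(user, roles_by_id)
        elevated = sorted(ELEVATED[p] for p in granted if p in ELEVATED)
        if elevated or unresolved:
            findings.append({"userName": user["userName"], "elevated": elevated,
                             "unresolvedRoles": unresolved})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_elevated(ROLES, USERS), indent=2))
```

Users that reference a role ID absent from the export are reported as well, since their effective permissions cannot be determined from the data at hand.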