Tenant architectures

A Hybrid Data Pipeline system administrator can develop either a single-tenant or multitenant architecture. In a single-tenant architecture, the system administrator creates user accounts in the default system tenant. In a multitenant architecture, the system administrator first creates one or more child tenants in the default system tenant. Then, the system administrator can create user accounts in either the system tenant or any one of the child tenants. The user accounts that reside in one tenant are isolated from those in other tenants.

When establishing a tenant architecture, the system administrator should consider the roles users and other administrators will assume in the Hybrid Data Pipeline environment. As detailed in Permissions and default roles, Hybrid Data Pipeline provides three default roles: System Administrator, Tenant Administrator, and User. These roles can be used in either a single-tenant or multitenant architecture. In the context of these roles, the system administrator has full permissions and administrative access across the system, while the tenant administrator can assume responsibility for provisioning and managing user accounts in tenants for which he or she has administrative access.

Important: To administer user accounts and other resources that belong to a tenant, a tenant administrator must be given explicit administrative access to the given tenant. In the Web UI, administrative access to a tenant can be granted by editing a user account via the Manage Users view. With the API, administrative access can be granted either by updating the tenants administered for a user via the Users API or by updating the list of administrators for a tenant via the Tenant API.

The following topics describe single-tenant and multitenant architectures in greater detail, including how administrative roles can be applied in each.