Tenant-level tenant administration
A system administrator may want to delegate user provisioning and other administrative tasks to tenant administrators who belong to one of many tenants. For example, a Hybrid Data Pipeline provider may host several external organizations where it is appropriate for the organizations themselves to provision users and administer data access. In this scenario, the system administrator provisions a user within each tenant to manage that tenant, rather than provisioning users in the system tenant to manage the tenants of external organizations. The following operations show how to set up a multitenant environment where tenants are administered by users who belong to their respective tenants.
Note: Administering a tenant from the system tenant and administering it from within the tenant itself are not mutually exclusive. For example, a system administrator might want to delegate and isolate the administration of tenants, but also provision support personnel in the system tenant to work with resources across multiple tenants.
*Creating tenants with the Tenant API
*Retrieving roles with the Roles API
*Provisioning a tenant user with the Tenant Administrator role
*Granting administrative access to the tenant with the Users API
*Granting administrative access to the tenant with the Tenant API
*Creating users and roles at the tenant level

Creating tenants with the Tenant API

In this example, a system administrator creates the following tenants with the Tenant API: OrgA, OrgB, and OrgC. The default User (2) and Tenant Administrator (3) roles are imported from the system tenant. As each tenant is created, the imported roles are copied into that tenant and the copies are given new, tenant-specific role IDs; these new IDs, not 2 and 3, are the ones used when assigning roles to users in that tenant.
Request to create OrgA
POST https://MyServer:8443/api/admin/tenants
Request Payload
{
"name": "OrgA",
"description": "This is the HDP tenant for organization A.",
"parentTenant": 1,
"status": 1,
"importedRoles": [
2,
3
]
}
Response Payload
{
"id": 71,
"name": "OrgA",
"description": "This is the HDP tenant for organization A.",
"parentTenant": 1,
"status": 1,
"roles": [
103,
104
]
}
Request to create OrgB
POST https://MyServer:8443/api/admin/tenants
Request Payload
{
"name": "OrgB",
"description": "This is the HDP tenant for organization B.",
"parentTenant": 1,
"status": 1,
"importedRoles": [
2,
3
]
}
Response Payload
{
"id": 72,
"name": "OrgB",
"description": "This is the HDP tenant for organization B.",
"parentTenant": 1,
"status": 1,
"roles": [
105,
106
]
}
Request to create OrgC
POST https://MyServer:8443/api/admin/tenants
Request Payload
{
"name": "OrgC",
"description": "This is the HDP tenant for organization C.",
"parentTenant": 1,
"status": 1,
"importedRoles": [
2,
3
]
}
Response Payload
{
"id": 73,
"name": "OrgC",
"description": "This is the HDP tenant for organization C.",
"parentTenant": 1,
"status": 1,
"roles": [
107,
108
]
}

Retrieving roles with the Roles API

The system administrator must know the ID of the Tenant Administrator role in the target tenant (not the system tenant's role 3) to create a user with that role. The following GET operation retrieves the roles across the system.
Request
GET https://MyServer:8443/api/admin/roles
Note: The ?tenantID=<tenant_id> and ?tenantName=<tenant_name> query parameters can be appended to the URL to limit the roles returned to a specific tenant.
Response Payload
The first three roles in the payload are tied to the system tenant ("tenantId": 1). The remaining roles are the User and Tenant Administrator roles copied into the new tenants: for example, 103 and 104 are the OrgA (71) copies, and those are the IDs to use when provisioning OrgA users.
{
"roles": [
{
"id": 1,
"name": "System Administrator",
"tenantId": 1,
"description": "This role has all permissions. This role cannot be modified or deleted."
},
{
"id": 2,
"name": "User",
"tenantId": 1,
"description": "This role has the default permissions that a normal user will be expected to have."
},
{
"id": 3,
"name": "Tenant Administrator",
"tenantId": 1,
"description": "This role has all the tenant administrator permissions."
},
{
"id": 103,
"name": "User",
"tenantId": 71,
"description": "This role has the default permissions that a normal user will be expected to have."
},
{
"id": 104,
"name": "Tenant Administrator",
"tenantId": 71,
"description": "This role has all the tenant administrator permissions."
},
{
"id": 105,
"name": "User",
"tenantId": 72,
"description": "This role has the default permissions that a normal user will be expected to have."
},
{
"id": 106,
"name": "Tenant Administrator",
"tenantId": 72,
"description": "This role has all the tenant administrator permissions."
},
{
"id": 107,
"name": "User",
"tenantId": 73,
"description": "This role has the default permissions that a normal user will be expected to have."
},
{
"id": 108,
"name": "Tenant Administrator",
"tenantId": 73,
"description": "This role has all the tenant administrator permissions."
}
]
}

Provisioning a tenant user with the Tenant Administrator role

With the following Users API operation, the system administrator creates a user in the OrgA tenant (71) and assigns it the OrgA copies of the User (103) and Tenant Administrator (104) roles. The roles alone do not let this account administer the tenant: the tenant administrator must also be given administrative access to the tenant, either through the Users API or the Tenant API, as described below.
Request
POST https://MyServer:8443/api/admin/users
Request Payload
{
"userName": "OrgAAdmin",
"tenantId": 71,
"statusInfo": {
"status": 1,
"accountLocked": false
},
"passwordInfo": {
"password": "TempWord",
"passwordStatus": 1,
"passwordExpiration": null
},
"permissions": {
"roles": [
103,
104
]
}
}
Response Payload
{
"id": 2001,
"userName": "OrgAAdmin",
"tenantId": 71,
"statusInfo": {
"status": 1,
"accountLocked": false
},
"passwordInfo": {
"passwordStatus": 1,
"passwordExpiration": null
},
"permissions": {
"roles": [
103,
104
]
},
"authenticationInfo": {
"authUsers": [
{
"authUserName": "OrgAAdmin",
"authServiceId": 1
}
]
}
}

Granting administrative access to the tenant with the Users API

In addition to user management permissions, a tenant administrator must be granted administrative access to the tenant. This can be done either through the Users API or the Tenant API. The following Users API request grants user account 2001 administrative access to the OrgA tenant (71).
Request
PUT https://MyServer:8443/api/admin/users/2001/tenantsadministered
Request Payload
{
"tenantsAdministered": [
71
]
}
Response Payload
{
"tenantsAdministered": [
71
]
}

Granting administrative access to the tenant with the Tenant API

As an alternative to the Users API request above, the following Tenant API request adds user account 2001 to the list of administrators who can administer the OrgA tenant (71). The "admins" payload lists the other administrators of the tenant (391 and 502 in this example) together with the new account.
PUT https://MyServer:8443/api/admin/tenants/71
Request Payload
{
"admins": [
391,
502,
2001
]
}
Response Payload
{
"admins": [
391,
502,
2001
]
}

Creating users and roles at the tenant level

The new tenant administrator (OrgAAdmin) can now provision users and create roles for the OrgA tenant (71). The first request creates a new user in OrgA. Note that it assigns role 104, which is the OrgA copy of the Tenant Administrator role, so the new user receives tenant administrator permissions; to provision an ordinary user, assign the OrgA copy of the User role (103) instead. The second request creates a new role in OrgA.
Request
POST https://MyServer:8443/api/admin/users
Request Payload
{
"userName": "OrgAUser1",
"tenantId": 71,
"statusInfo": {
"status": 1,
"accountLocked": false
},
"passwordInfo": {
"password": "TempWord",
"passwordStatus": 1,
"passwordExpiration": null
},
"permissions": {
"roles": [
104
]
}
}
Response Payload
{
"id": 3222,
"userName": "OrgAUser1",
"tenantId": 71,
"statusInfo": {
"status": 1,
"accountLocked": false
},
"passwordInfo": {
"passwordStatus": 1,
"passwordExpiration": null
},
"permissions": {
"roles": [
104
]
},
"authenticationInfo": {
"authUsers": [
{
"authUserName": "OrgAUser1",
"authServiceId": 1
}
]
}
}
With the following POST request, a new role is created in the OrgA tenant for OData-only access to data sources. No user is specified in this example, but a user can subsequently be assigned the new role either through the Roles API or the Users API.
Request
POST https://MyServer:8443/api/admin/roles
Request Payload
{
"name": "ODataOnly",
"tenantId": 71,
"description": "This role allows only OData access.",
"permissions": [7],
"users": []
}
Response Payload
{
"id": 311,
"name": "ODataOnly",
"tenantId": 71,
"description": "This role allows only OData access.",
"permissions": [
7
],
"users": []
}
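The procedure above (create the tenant, look up its imported role IDs, create the tenant administrator, grant it administrative access) and the tenant-level provisioning that follows are easy to get wrong by hand: the system-tenant role IDs 2 and 3 must not be reused, and a tenant-level administrator should only ever be granted its own tenant. The following added example (not code from the Hybrid Data Pipeline documentation or product) drives the Tenant, Roles and Users API calls shown on this page through a small client that enforces both checks. The transport interface, the FakeHdp class that replays the page's responses offline, and the sample names and passwords are assumptions for illustration; the `?tenantID=` spelling follows the note in the Roles API section.

```python
"""Delegated tenant administration for Hybrid Data Pipeline (HDP): an added
example, not code from the HDP documentation. The transport interface, the
FakeHdp responses and the sample names and passwords are assumptions."""


class HdpAdmin:
    def __init__(self, base_url, transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport  # callable(method, url, payload) -> dict (assumed interface)

    def _call(self, method, path, payload=None):
        return self.transport(method, self.base_url + "/api/admin" + path, payload)

    def create_tenant(self, name, description, imported_roles=(2, 3), parent=1):
        resp = self._call("POST", "/tenants", {"name": name, "description": description,
                          "parentTenant": parent, "status": 1, "importedRoles": list(imported_roles)})
        if resp["name"] != name:  # reject a response that describes a different tenant
            raise RuntimeError("tenant name mismatch: %r != %r" % (resp["name"], name))
        return resp

    def role_id(self, tenant_id, role_name):
        """Resolve a role by name inside one tenant. Imported roles get fresh IDs per
        tenant, so the system-tenant IDs (2, 3) must never be assigned to tenant users."""
        roles = self._call("GET", "/roles?tenantID=%d" % tenant_id)["roles"]
        hits = [r["id"] for r in roles if r["tenantId"] == tenant_id and r["name"] == role_name]
        if len(hits) != 1:
            raise LookupError("expected one %r role in tenant %d, found %d" % (role_name, tenant_id, len(hits)))
        return hits[0]

    def create_user(self, tenant_id, user_name, password, role_ids):
        return self._call("POST", "/users", {
            "userName": user_name, "tenantId": tenant_id,
            "statusInfo": {"status": 1, "accountLocked": False},
            "passwordInfo": {"password": password, "passwordStatus": 1, "passwordExpiration": None},
            "permissions": {"roles": list(role_ids)}})

    def grant_tenant_admin(self, user, tenant_ids):
        """Users API grant (PUT .../tenantsadministered), refusing to let a
        tenant-level administrator administer any tenant but its own."""
        foreign = [t for t in tenant_ids if t != user["tenantId"]]
        if foreign:
            raise ValueError("user %d belongs to tenant %d, not %s" % (user["id"], user["tenantId"], foreign))
        resp = self._call("PUT", "/users/%d/tenantsadministered" % user["id"],
                          {"tenantsAdministered": list(tenant_ids)})
        return resp["tenantsAdministered"]


def delegate_tenant(admin, name, description, admin_name, temp_password):
    """The page's four steps: create tenant, look up its roles, create the
    tenant administrator, grant it administrative access to that tenant."""
    tenant = admin.create_tenant(name, description)
    tid = tenant["id"]
    roles = [admin.role_id(tid, "User"), admin.role_id(tid, "Tenant Administrator")]
    user = admin.create_user(tid, admin_name, temp_password, roles)
    return {"tenant": tid, "admin_user": user["id"], "roles": roles,
            "administers": admin.grant_tenant_admin(user, [tid])}


class FakeHdp:
    """In-memory stand-in for the server, constructed for this example; IDs start
    where the page's examples do (tenant 71, role 103, user 2001)."""

    def __init__(self):
        self.roles = [{"id": 1, "name": "System Administrator", "tenantId": 1},
                      {"id": 2, "name": "User", "tenantId": 1},
                      {"id": 3, "name": "Tenant Administrator", "tenantId": 1}]
        self.users, self.next_tenant, self.next_role, self.next_user = {}, 71, 103, 2001

    def __call__(self, method, url, payload):
        path = url.split("/api/admin", 1)[1]
        if method == "POST" and path == "/tenants":
            tid, self.next_tenant = self.next_tenant, self.next_tenant + 1
            new_ids = []
            for src in payload["importedRoles"]:  # each imported role becomes a new per-tenant copy
                name = next(r["name"] for r in self.roles if r["id"] == src)
                self.roles.append({"id": self.next_role, "name": name, "tenantId": tid})
                new_ids.append(self.next_role)
                self.next_role += 1
            return dict(payload, id=tid, roles=new_ids)
        if method == "GET" and path.startswith("/roles"):
            want = int(path.split("tenantID=")[1]) if "tenantID=" in path else None
            return {"roles": [r for r in self.roles if want is None or r["tenantId"] == want]}
        if method == "POST" and path == "/users":
            uid, self.next_user = self.next_user, self.next_user + 1
            self.users[uid] = {"id": uid, "userName": payload["userName"], "tenantId": payload["tenantId"],
                               "permissions": payload["permissions"]}  # the password is never echoed back
            return self.users[uid]
        if method == "PUT" and path.endswith("/tenantsadministered"):
            uid = int(path.split("/")[2])
            self.users[uid]["tenantsAdministered"] = payload["tenantsAdministered"]
            return {"tenantsAdministered": payload["tenantsAdministered"]}
        raise NotImplementedError(method + " " + path)


if __name__ == "__main__":
    hdp = HdpAdmin("https://MyServer:8443", FakeHdp())
    print(delegate_tenant(hdp, "OrgA", "This is the HDP tenant for organization A.", "OrgAAdmin", "TempWord"))
```

Against a live server, replace FakeHdp with a callable that issues the request through an authenticated HTTP session (for example one wrapping `requests.Session.request` with the system administrator's credentials) and returns the decoded JSON body; the client logic, including the per-tenant role lookup and the refusal to grant a tenant-level administrator a foreign tenant, stays the same. Once OrgAAdmin exists, the same `create_user` call made with that account's credentials, passing the tenant's User role ID (103 for OrgA) rather than 104, provisions an ordinary tenant user as in the last section.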