Coding for super-tenant access
A super-tenant user (super tenant, for short) has access to all the data of a multi-tenant database, including all tenant and shared data, according to the data authorization provided by the user's permission settings. Super-tenant access is enabled by configuring the user's security domain with the name of a super tenant. Data authorization settings work the same as for any multi-tenant database user, with permissions for individual tables and fields set based on the user and domain name.
A super tenant has no real tenancy of its own, but always has the effective tenancy of a regular tenant. The initial tenancy of any super-tenant user is the default tenant. So, when initially logged in, a super-tenant user has implicit access to both default tenant and shared database objects. To support super-tenant access to multi-tenant database objects, ABL provides features to allow a super tenant to query and update database objects that belong to one or more of the regular tenants defined in the database. In addition, ABL allows a super tenant to identify the tenant and tenant group (if any) to which any given multi-tenant database record belongs.
These features, taken together, allow a super tenant to perform any run-time action on database objects, regardless of tenancy, and limited only by the data authorization permissions that are defined for a given super-tenant user. For example, if the super-tenant user identity has only can-read permissions on a given multi-tenant table, the super tenant can read instances of the table owned by all tenants, but cannot update any instances of the table.
The following sections provide an overview of OpenEdge super tenant capabilities in ABL.