Tenant

Tenants provide multi-tenancy isolation within a single DRP endpoint. A Tenant groups a set of users with a scoped view of DRP objects — each tenant's users can only see and act on the objects explicitly included in that tenant. Tenants are an enterprise feature and require a license that enables multi-tenancy.

What a Tenant Contains

A Tenant object has three key fields:

  • Name — The unique identifier for the tenant.
  • Members — A map of object type names (e.g., machines, profiles, bootenvs) to lists of object keys. Only the listed objects are visible to tenant users.
  • Users — A list of DRP user names who belong to this tenant. These users see only the objects in the tenant's Members map.

A user can belong to multiple tenants. When a user is a member of more than one tenant, their visible object set is the union of all tenant memberships.
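The union rule is easiest to audit mechanically. The following Python sketch is an added example, not part of the DRP documentation or tooling: it computes each user's effective view across tenants, lists users who span more than one tenant, and answers which tenant users can see a given object. It assumes the input is a JSON array of Tenant objects with the Name, Members and Users fields described above (for instance, saved output of `drpcli tenants list`); the sample data and function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the Name/Members/Users shape described above.
# All tenant names, users and object keys are made up for this example.
SAMPLE_TENANTS = json.loads("""
[
  {"Name": "team-alpha", "Users": ["alice", "bob"],
   "Members": {"machines": ["machine-uuid-1", "machine-uuid-2"],
               "profiles": ["alpha-profile"]}},
  {"Name": "team-beta", "Users": ["bob", "carol"],
   "Members": {"machines": ["machine-uuid-2", "machine-uuid-9"],
               "bootenvs": ["ubuntu-22.04"]}},
  {"Name": "team-empty", "Users": ["dave"], "Members": {}}
]
""")


def effective_visibility(tenants):
    """Map each user to {object type: set of keys}, unioned over tenants."""
    view = defaultdict(lambda: defaultdict(set))
    for tenant in tenants:
        members = tenant.get("Members") or {}
        for user in tenant.get("Users") or []:
            user_view = view[user]  # registers users whose tenant is empty
            for obj_type, keys in members.items():
                user_view[obj_type].update(keys or [])
    return {user: dict(types) for user, types in view.items()}


def cross_tenant_users(tenants):
    """Users listed in more than one tenant, with the tenants they span."""
    seen = defaultdict(set)
    for tenant in tenants:
        for user in tenant.get("Users") or []:
            seen[user].add(tenant["Name"])
    return {u: sorted(names) for u, names in seen.items() if len(names) > 1}


def who_can_see(tenants, obj_type, key):
    """Tenant users whose unioned view includes the given object."""
    view = effective_visibility(tenants)
    return sorted(u for u, t in view.items() if key in t.get(obj_type, ()))


if __name__ == "__main__":
    for user, types in sorted(effective_visibility(SAMPLE_TENANTS).items()):
        print(user, {t: sorted(k) for t, k in sorted(types.items())})
    print("cross-tenant:", cross_tenant_users(SAMPLE_TENANTS))
    print("sees uuid-9:", who_can_see(SAMPLE_TENANTS, "machines", "machine-uuid-9"))
```

In the sample, bob belongs to both tenants, so his view includes machine-uuid-9 even though team-alpha never listed it.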

Creating a Tenant

Bash
drpcli tenants create '{
  "Name": "team-alpha",
  "Members": {
    "machines": ["machine-uuid-1", "machine-uuid-2"],
    "profiles": ["alpha-profile"],
    "bootenvs": ["ubuntu-22.04"]
  },
  "Users": ["alice", "bob"]
}'

Managing Tenant Membership

Add or remove machines and other objects from a tenant by updating the Members map:

Bash
# Add a machine to the tenant
drpcli tenants update Name:team-alpha '{"Members": {"machines": ["machine-uuid-1", "machine-uuid-2", "machine-uuid-3"]}}'

# Add a user to the tenant
drpcli tenants update Name:team-alpha '{"Users": ["alice", "bob", "carol"]}'

Only type names that match a known DRP object prefix are valid Members keys. Attempting to add an invalid type name causes a validation error.

Tenants and Roles

Tenants narrow the set of objects a user can see; Roles control what actions a user can perform on those objects. Both must be configured together for effective multi-tenancy. A tenant user with a machine-reader role can only read the specific machines listed in their tenant's Members map — they cannot see machines belonging to other tenants, regardless of role.

Listing and Inspecting Tenants

Bash
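# List all tenants on the endpoint
drpcli tenants list

# Show a single tenant, including its Members and Users
drpcli tenants get Name:team-alpha

# Delete the tenant
drpcli tenants destroy Name:team-alpha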

Administrators (users with the superuser role and no tenant restrictions) can always see all objects on the endpoint regardless of tenant configuration.