# Tenant
A Tenant groups Users and DRP objects together for
multi-tenancy. Tenants are a licensed feature requiring the rbac
license entitlement; without it, tenants can only be listed and retrieved.
Tenants partition the DRP object space between organizational boundaries.
The Members map defines which objects belong to the Tenant, keyed by
object type (for example machines, profiles) with each value being a
list of object keys. The Users list identifies the Users
that participate in this Tenant.
Object visibility restrictions based on a Tenant are processed before Role checks. This means that even if a Role grants access to an object, the object will be invisible to users who belong to a Tenant that does not include it in its Members map.
By default, Users are not members of any Tenant and can therefore potentially see all objects via the API, subject to Role-based restrictions. Assigning a User to a Tenant narrows their view to only the objects listed in that Tenant's Members.
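To make the Members layout and the tenant-before-role ordering concrete, here is a small Go model added for this page; it is not DRP's own code. The Tenant struct and the sample document are built from the fields listed in the table on this page, while the JSON tags, the RoleAllows callback, and the rule that a User in several Tenants sees the union of their Members are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Tenant mirrors the fields described on this page. The JSON tags are an
// assumption about the wire format, not taken from the DRP source.
type Tenant struct {
	Name          string              `json:"Name"`
	Description   string              `json:"Description"`
	Documentation string              `json:"Documentation"`
	Meta          map[string]string   `json:"Meta"`
	Members       map[string][]string `json:"Members"`
	Users         []string            `json:"Users"`
}

// sampleTenantJSON is a constructed example document (not from any real system).
const sampleTenantJSON = `{
  "Name": "team-blue",
  "Description": "Blue team's machines and profiles",
  "Documentation": "",
  "Meta": {"color": "blue", "icon": "users", "title": "constructed example"},
  "Members": {
    "machines": ["blue-web-01", "blue-web-02"],
    "profiles": ["blue-base"]
  },
  "Users": ["alice"]
}`

// ParseTenant decodes a Tenant document from JSON.
func ParseTenant(doc string) (Tenant, error) {
	var t Tenant
	err := json.Unmarshal([]byte(doc), &t)
	return t, err
}

// RoleAllows stands in for DRP's Role evaluation. It is a hypothetical
// callback used only by this example; the real engine is more involved.
type RoleAllows func(user, objType, key string) bool

// tenantsOf returns every Tenant whose Users list contains user.
func tenantsOf(user string, tenants []Tenant) []Tenant {
	var out []Tenant
	for _, t := range tenants {
		for _, u := range t.Users {
			if u == user {
				out = append(out, t)
				break
			}
		}
	}
	return out
}

// inMembers reports whether key appears under objType in any of the tenants.
// A user in several Tenants is assumed (not stated on the page) to see the union.
func inMembers(tenants []Tenant, objType, key string) bool {
	for _, t := range tenants {
		for _, k := range t.Members[objType] {
			if k == key {
				return true
			}
		}
	}
	return false
}

// VisibleKeys returns the subset of allKeys that user can see for objType.
// The Tenant filter runs first: a user who belongs to at least one Tenant
// only sees keys listed in their Tenants' Members, whatever their Roles
// grant. A user in no Tenant is unrestricted by Tenants. The Role check
// then applies to whatever survived the Tenant filter.
func VisibleKeys(user, objType string, allKeys []string, tenants []Tenant, allows RoleAllows) []string {
	mine := tenantsOf(user, tenants)
	out := []string{}
	for _, k := range allKeys {
		if len(mine) > 0 && !inMembers(mine, objType, k) {
			continue // invisible regardless of Roles
		}
		if allows(user, objType, k) {
			out = append(out, k)
		}
	}
	return out
}

func main() {
	tn, err := ParseTenant(sampleTenantJSON)
	if err != nil {
		panic(err)
	}
	allKeys := []string{"blue-web-01", "blue-web-02", "red-db-01"}
	allowAll := func(user, objType, key string) bool { return true }
	fmt.Println("alice:", VisibleKeys("alice", "machines", allKeys, []Tenant{tn}, allowAll))
	fmt.Println("bob:  ", VisibleKeys("bob", "machines", allKeys, []Tenant{tn}, allowAll))
}
```

Running it shows alice (a member of team-blue) seeing only the two blue machines even though the permissive role callback would allow everything, while bob (in no Tenant) sees all three keys subject only to the role check.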
| Field | Definition |
|---|---|
| Description | Description is a string for providing a simple description |
| Documentation | Documentation is a string for providing additional in depth information. |
| Members | Members is a map of the objects in this Tenant. The key is the object type name (e.g. `machines`); the value is a list of object keys of that type. |
| Meta | Meta contains the metadata of the object: a key/value map with string keys and string values. The content is undefined in general and can be an arbitrary store, but some keys are commonly understood: `color` (the color the UX uses when displaying the object), `icon` (the icon the UX uses when displaying the object), and `title` (additional display information, often the source of the object). Specific object types use additional metadata fields, described at https://docs.rackn.io/stable/redirect/?ref=rs_object_metadata |
| Name | Name is the name of the tenant |
| Users | Users is a list of users that can participate in this tenant. |