Tenants are licensed features. To perform any interaction with a tenant besides listing them and getting them, you must have a license with the rbac feature enabled.

Tenants control what objects a user can see via the DRP API.

Field Description
Name The unique name of the tenant.
Users The list of Users that are in this tenant. Users can be in at most one tenant at a time.
Members The objects that are in the tenant. This field is structured as a JSON object whose keys specify the scope of the objects, and whose values are lists of object indentifiers. Access is only restricted if the scope of the object is present in the members field of the tenant. Objects whose scope is not present do not have restricted visibility.

Object visibility restrictions based on a tenant are processed before roles are processsed, which means that a role granting access to an object that is not allowed by the tenant will be ignored.

By default, users are not members of a tenant, and can therefore potentially see everything via the API (subject to role based restrictions).