Adaxes and multi-tenancy

Question

Hi,

I have a couple of questions, but first I'd like to describe the use case: let's say, there is a domain demo.com. There are 2 organizations/groups/whatever Alfa and Bravo there. I would like Alfa users to see Alfa organization only, the same for Bravo - the users of Bravo organization should see Bravo only. Long story short - I need strict borders between tenants.

So my question is: is it possible to set up a multi-tenancy with the help of Adaxes within a single AD domain? Multiple domains?

Thanks in advance!

Answer 1

Hello Alex,

Yes, sure. For this purpose, you can make use of Adaxes Business Units. Business Units are virtual collections of AD objects grouped together based on a certain principle. Using Business Units, you can group objects based on the logged in user. For example, a Business Unit can include all objects whose company, job title, department etc is the same as the company, job title or department of the logged in user. Or, a Business Unit can include members of a group or children of an OU containing the user's company in its name etc. Thus, you can create a Business Unit that will hold, for each user, only objects that belong to the same organization/tenant.

Then, using Adaxes Security Roles, you can define that users can view only objects that are members of the Business Unit. Since the Business Unit contains only users from the same organization as the logged in user, each user will be able to view only objects that belong to their organization.

This method will work no matter whether the tenants are located in a single domain or spread among multiple domains.

For this purpose, you need to:

1. Create a Business Unit that holds objects from the same organization as the logged in user. For information on how to create it, see the following tutorial: Group AD Objects Based on Logged In User.
2. Delete the default assignment of the Domain User Security Role that allows all users to view all objects by default.
3. Assign the Domain User role to allow users to view only objects from their own organization..

To change the assignments of the Domain User role:

1. Launch Adaxes Administration Console.
2. Select the Domain User role in the Console Tree.
3. Right-click the default assignment item (Authenticated Users over All Objects) and select Delete.
   
4. Right-click the Assignments section and click Add Assignment.
   
5. Select Authenticated Users and click OK.
   
6. Select the Business Units item in the Look in drop-down list.
7. Select the Business Unit you created and click Add.
   
8. Select the Members of this Business Unit and This Business Unit object options.
   
9. Click OK 2 times, and then save the changes.