
Hi,

I have a couple of questions, but first I'd like to describe the use case: let's say, there is a domain demo.com. There are 2 organizations/groups/whatever Alfa and Bravo there. I would like Alfa users to see Alfa organization only, the same for Bravo - the users of Bravo organization should see Bravo only. Long story short - I need strict borders between tenants.

So my question is: is it possible to set up a multi-tenancy with the help of Adaxes within a single AD domain? Multiple domains?

Thanks in advance!


1 Answer

Best answer

Hello Alex,

Yes, sure. For this purpose, you can make use of Adaxes Business Units. Business Units are virtual collections of AD objects grouped together based on a certain principle. Using Business Units, you can group objects based on the logged in user. For example, a Business Unit can include all objects whose company, job title, department, etc. is the same as the company, job title or department of the logged in user. Or, a Business Unit can include members of a group or children of an OU containing the user's company in its name, etc. Thus, you can create a Business Unit that will hold, for each user, only objects that belong to the same organization/tenant.

Then, using Adaxes Security Roles, you can define that users can view only objects that are members of the Business Unit. Since the Business Unit contains only users from the same organization as the logged in user, each user will be able to view only objects that belong to their organization.

This method will work no matter whether the tenants are located in a single domain or spread among multiple domains.

For this purpose, you need to:

  1. Create a Business Unit that holds objects from the same organization as the logged in user. For information on how to create it, see the following tutorial: Group AD Objects Based on Logged In User.
  2. Delete the default assignment of the Domain User Security Role that allows all users to view all objects by default.
  3. Assign the Domain User role to allow users to view only objects from their own organization.

To change the assignments of the Domain User role:

  1. Launch Adaxes Administration Console.
  2. Select the Domain User role in the Console Tree.
  3. Right-click the default assignment item (Authenticated Users over All Objects) and select Delete.
  4. Right-click the Assignments section and click Add Assignment.
  5. Select Authenticated Users and click OK.
  6. Select the Business Units item in the Look in drop-down list.
  7. Select the Business Unit you created and click Add.
  8. Select the Members of this Business Unit and This Business Unit object options.
  9. Click OK 2 times, and then save the changes.
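
A Business Unit keyed on a user attribute only separates tenants as well as that attribute is populated, so it is worth auditing the attribute before removing the default assignment. The script below is an added example, not part of the original answer and not Adaxes code: it uses the standard ActiveDirectory PowerShell module and assumes the tenant is stored in the `company` attribute with the values `Alfa` and `Bravo` from the question, and that all tenant domains are in the current forest.

```powershell
# Added example: audit the attribute a per-tenant Business Unit is keyed on.
# Assumptions: tenants are identified by the AD 'company' attribute and the
# valid values are 'Alfa' and 'Bravo' (names taken from the question).
Import-Module ActiveDirectory

$expectedTenants = @('Alfa', 'Bravo')
# Audit every domain in the current forest, since tenants may span domains.
$domains = (Get-ADForest).Domains

$report = foreach ($domain in $domains) {
    Get-ADUser -Server $domain -Filter 'Enabled -eq $true' -Properties Company |
        ForEach-Object {
            $status = if ([string]::IsNullOrWhiteSpace($_.Company)) {
                'NoTenant'          # no tenant value to group this account on
            } elseif ($expectedTenants -notcontains $_.Company) {
                'UnexpectedValue'   # typo, stray whitespace, or unknown tenant
            } else {
                'OK'
            }
            [pscustomobject]@{
                Domain         = $domain
                SamAccountName = $_.SamAccountName
                Company        = $_.Company
                Status         = $status
            }
        }
}

# Summary: how many enabled accounts carry each company value, per domain.
$report | Group-Object Domain, Company | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize

# Accounts whose tenant value needs fixing before the role is reassigned.
$report | Where-Object Status -ne 'OK' |
    Sort-Object Domain, Status, SamAccountName |
    Format-Table Domain, SamAccountName, Company, Status -AutoSize
```

The script only reads from the directory; accounts listed with a status other than `OK` are the ones to correct before relying on the attribute for tenant separation.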
