
Tenant definition and IAM overview

MIKE Cloud provides its services in a shared, multitenant mode. The root unit of isolation and management is called a tenant (or site). A tenant is the security isolation and data ownership boundary, and every cloud service follows this boundary strictly and by design.

Tenant (Site)

A tenant is a very flexible unit and can represent many real-world entities:

  • Customer
  • Business division
  • Big project
  • End user application
  • Other

Each tenant contains its own project collection; the tenant is the root of the project hierarchy.


IAM

IAM stands for Identity and access management.

Identity

IAM supports multiple types of identity:

  • User identity relies on the authentication process of an external identity provider, currently an Azure AD instance.
  • System identity is provided through a complete API key management solution.

Access management and authorization

Access management is enforced at multiple levels:

  • Authentication of the user
  • Validation of the API key
  • Verification of the identity's association with the tenant
  • License verification for UI applications
  • RBAC (role-based access control) for projects and folders within the tenant

All IAM services were designed for the multitenant cloud environment and are integrated with the DHI billing and licensing systems.

Using IAM only as an authentication service, without the tenancy, project and RBAC model, is of little benefit; in that case we recommend using Azure AD directly.

Tenant user access

Users can be assigned to multiple tenants. Only valid users registered in the external Azure AD are eligible. The external Azure AD holds a single flat user list shared by all tenants; tenant membership is a separate association on top of it.

Role based access and projects

The projects and folders used for data management and organization within a tenant have built-in role-based access control (RBAC): identity principals are assigned to roles on projects, and the corresponding access rules are applied.

For more details see Project management
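As an added example (not MIKE Cloud code and not the product's API), the following Python sketches how the enforcement layers listed under "Access management and authorization" and the project RBAC described here can be composed so that the first failing layer denies. The role names (Reader, Contributor, Owner), the inheritance rule (the nearest assignment walking up from a folder to the tenant root wins), the shape of the token and API-key credentials, and all tenants, users and sample data are constructed assumptions for illustration:

```python
"""Hypothetical evaluator for the layered access checks on this page.
Added example, not MIKE Cloud code; roles, ids and sample data are assumed."""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import secrets

# Assumed role vocabulary (the product's own roles are documented elsewhere).
ROLE_ACTIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write"},
    "Owner": {"read", "write", "manage"},
}
SAMPLE_TODAY = date(2025, 1, 1)  # fixed clock so license expiry is reproducible


@dataclass(frozen=True)
class Principal:
    kind: str           # "user" (Azure AD identity) or "system" (API key)
    id: str
    tenants: frozenset  # tenant ids this identity is associated with


@dataclass
class Tenant:
    id: str
    licenses: dict = field(default_factory=dict)  # app -> (expires, enabled_by_owner)
    parents: dict = field(default_factory=dict)   # node id -> parent id; tenant id is the root
    roles: dict = field(default_factory=dict)     # (node id, principal id) -> role name


class IdentityStore:
    """Flat identity list shared by all tenants (like the external Azure AD) plus API keys."""

    def __init__(self):
        self._users = {}     # Azure AD object id -> Principal
        self._api_keys = {}  # sha256(key) -> Principal; plaintext keys are never stored

    def add_user(self, principal):
        self._users[principal.id] = principal

    def issue_api_key(self, principal):
        key = secrets.token_urlsafe(32)
        self._api_keys[hashlib.sha256(key.encode()).hexdigest()] = principal
        return key  # returned to the caller once

    def resolve(self, credential):
        """("token", claims) from an IdP-validated token, or ("api_key", key).
        Token signature and issuer validation are assumed to happen upstream."""
        kind, value = credential
        if kind == "token":
            return self._users.get(value.get("oid"))
        if kind == "api_key":
            return self._api_keys.get(hashlib.sha256(value.encode()).hexdigest())
        return None


def effective_role(tenant, principal_id, node_id):
    """Walk from the project/folder up to the tenant root; nearest assignment wins."""
    node = node_id
    while True:
        role = tenant.roles.get((node, principal_id))
        if role is not None:
            return role
        if node == tenant.id:
            return None  # reached the root with no assignment
        if node not in tenant.parents:
            return None  # node is not in this tenant's hierarchy: fail closed
        node = tenant.parents[node]


def authorize(store, tenants, credential, tenant_id, node_id, action, app=None, today=SAMPLE_TODAY):
    """Apply the page's checks in order; the first failing layer denies.
    app=None models direct API access, which needs no application license."""
    principal = store.resolve(credential)
    if principal is None:
        return False, "authentication failed"
    if tenant_id not in principal.tenants:
        return False, "identity not associated with tenant"
    tenant = tenants[tenant_id]
    if app is not None:
        lic = tenant.licenses.get(app)
        if lic is None:
            return False, f"no {app} license for tenant"
        expires, enabled = lic
        if not enabled:
            return False, f"{app} disabled by tenant owner"
        if expires < today:
            return False, f"{app} license expired"
    role = effective_role(tenant, principal.id, node_id)
    if role is None or action not in ROLE_ACTIONS[role]:
        return False, "no role grants this action here"
    return True, f"allowed as {role}"


def build_sample():
    """Constructed sample: two tenants, two Azure AD users, one API key."""
    store = IdentityStore()
    alice = Principal("user", "oid-alice", frozenset({"acme"}))
    bob = Principal("user", "oid-bob", frozenset({"acme", "globex"}))
    svc = Principal("system", "svc-pipeline", frozenset({"acme"}))
    for p in (alice, bob):
        store.add_user(p)
    key = store.issue_api_key(svc)
    acme = Tenant("acme", licenses={"MeshBuilder": (date(2030, 1, 1), True),
                                    "DataLink": (date(2020, 1, 1), True)})
    acme.parents = {"proj-harbour": "acme", "folder-bathy": "proj-harbour"}
    acme.roles[("proj-harbour", "oid-alice")] = "Contributor"  # inherited by folder-bathy
    acme.roles[("acme", "svc-pipeline")] = "Reader"            # tenant-wide read
    globex = Tenant("globex", parents={"proj-x": "globex"})
    globex.roles[("globex", "oid-bob")] = "Owner"
    return store, {"acme": acme, "globex": globex}, key


if __name__ == "__main__":
    store, tenants, key = build_sample()
    alice_tok = ("token", {"oid": "oid-alice"})
    print(authorize(store, tenants, alice_tok, "acme", "folder-bathy", "write", app="MeshBuilder"))
    print(authorize(store, tenants, ("api_key", key), "acme", "folder-bathy", "read"))
```

The ordering is the point: tenant association is checked before any RBAC lookup, so a role held in one tenant is never resolved against another tenant's project hierarchy, and a node id that does not belong to the requested tenant fails closed. The license check runs only when a UI application is named, matching the note that direct API access is not yet covered by licenses.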

To support on-premises deployments, the identity provider must be abstracted behind IAM rather than tied to a single Azure AD instance.

Billing

All billing information is maintained in the financial systems. A tenant is linked to the business system through a billing reference.

Cloud platform usage is tracked in the consumption log and is always linked to the billing reference. A billing reference must therefore be set on each tenant.

Billing Reference structure

  • Type (EXT/DHI)
  • Reference number (string): the account number in the business system
  • Tag: customer specific, e.g. a task identifier for DHI projects or a customer department

User Licensing

To access cloud services or apps, a user must be a valid tenant user. In the near future a dedicated cloud access license will also be required.

Cloud Application licensing

To access a cloud application, the tenant must hold a valid, non-expired license for it. This applies to the available cloud applications: MeshBuilder, FastWave emulator, DataLink, ...

A tenant owner can disable access to a licensed application, and each license has an expiration date. Contact customer service for more information about licensing.

API access

Direct platform API access is not yet covered by dedicated licenses; it is still subject to authentication, tenant association and RBAC.