Tenant definition and IAM overview
MIKE Cloud provides services in a shared multitenant mode. The root isolation and management unit is called a tenant (or site). A tenant is the security isolation and data ownership boundary, and all cloud services follow this boundary strictly and by design.
Tenant (Site)
A tenant is a very flexible unit and can represent many real-world entities:
- Customer
- Business division
- Big project
- End user application
- Other
Each tenant contains its own project collection; the tenant is the root of the project hierarchy.
IAM
IAM stands for Identity and Access Management.
Identity
IAM supports multiple types of identity.
- User identity relies on the authentication process provided by an external identity provider, currently an Azure AD instance.
- System identity is provided in the form of a complete API key management solution.
Access management and authorization
Access management is also enforced at multiple levels:
- Authentication of the user
- Validation of the API Key
- Verification of the identity association with the tenant
- License verification for UI applications
- RBAC (role-based access control) for projects and folders within the tenant
All IAM services were designed for the multitenant cloud environment integrated with DHI billing and licensing systems.
Using IAM only as an authentication service, without the tenancy, project and RBAC model, is not very beneficial; in that case we recommend using Azure AD directly.
Tenant user access
Users can be assigned to multiple tenants. Only valid users registered in the external Azure AD are eligible; the external Azure AD holds a single flat user list shared by all tenants.
Role based access and projects
The projects and folders used for data management and organization within a tenant have built-in role-based access control (RBAC). Identity principals can be assigned to roles on projects, and the corresponding access rules are applied.
For more details see Project management.
To support on-premises deployments, the identity provider must be abstracted.
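The five enforcement levels listed under Access management, together with the tenant-scoped RBAC of this section, modelled in Python as an added example. This is not MIKE Cloud's code: the class and function names, the role ordering, the API key handling and the sample tenant data are all constructed assumptions. The point it shows is the ordering: authentication and tenant membership are checked before any license or role lookup, and role resolution walks up the project/folder hierarchy but refuses to cross the tenant root.

```python
"""Toy model of the access-management levels and tenant-scoped RBAC described
on this page. Added illustration, not MIKE Cloud's own code: every class,
function and sample value below is a constructed assumption."""
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


class Denied(Exception):
    """Raised at the first failing level; deny by default."""


@dataclass(frozen=True)
class Principal:
    subject: str   # user: subject id from the external IdP; system: API key owner
    kind: str      # "user" or "system"


@dataclass
class ApiKey:
    key_hash: str  # only a SHA-256 of the secret is stored, never the secret
    owner: str
    revoked: bool = False


def hash_key(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


ROLES = {"reader": 1, "contributor": 2, "owner": 3}  # constructed ordering


@dataclass
class Node:
    """A project or folder; the tenant root is the Node with parent=None."""
    id: str
    parent: Optional["Node"] = None
    assignments: dict = field(default_factory=dict)  # subject -> role name


@dataclass
class Tenant:
    id: str
    members: set = field(default_factory=set)      # subjects associated with tenant
    licenses: dict = field(default_factory=dict)   # app name -> expiry date
    api_keys: dict = field(default_factory=dict)   # key hash -> ApiKey
    root: Node = field(default_factory=lambda: Node("root"))


def effective_role(tenant: Tenant, subject: str, node: Node) -> Optional[str]:
    """Highest role granted on the node or any ancestor, never crossing tenants."""
    best, cur = None, node
    while cur is not None:
        role = cur.assignments.get(subject)
        if role and (best is None or ROLES[role] > ROLES[best]):
            best = role
        if cur.parent is None and cur is not tenant.root:
            raise Denied("resource belongs to another tenant")
        cur = cur.parent
    return best


def authorize(tenant: Tenant, *, user: Optional[str] = None,
              api_key: Optional[str] = None, app: Optional[str] = None,
              node: Optional[Node] = None, required_role: str = "reader",
              today: date = date(2025, 1, 1)) -> Principal:
    """Apply the five levels in order; the first failure denies the request."""
    # 1. user authentication (the IdP has already verified `user` in this model)
    if user is not None:
        principal = Principal(user, "user")
    # 2. API key validation for system identities (keys are scoped to the tenant)
    elif api_key is not None:
        rec = tenant.api_keys.get(hash_key(api_key))
        if rec is None or rec.revoked:
            raise Denied("invalid or revoked API key")
        principal = Principal(rec.owner, "system")
    else:
        raise Denied("unauthenticated")
    # 3. identity must be associated with this tenant
    if principal.subject not in tenant.members:
        raise Denied("identity not associated with tenant")
    # 4. license check for UI applications
    if app is not None:
        expiry = tenant.licenses.get(app)
        if expiry is None or expiry < today:
            raise Denied("no valid license for application")
    # 5. RBAC resolved on the project/folder hierarchy
    if node is not None:
        role = effective_role(tenant, principal.subject, node)
        if role is None or ROLES[role] < ROLES[required_role]:
            raise Denied("insufficient role")
    return principal


def build_sample():
    """Constructed sample tenant: one project with a folder, two members, one key."""
    t = Tenant("acme", members={"alice", "svc-ingest"},
               licenses={"MeshBuilder": date(2026, 6, 30), "DataLink": date(2024, 1, 1)})
    t.api_keys[hash_key("constructed-secret")] = ApiKey(hash_key("constructed-secret"), "svc-ingest")
    project = Node("proj-1", parent=t.root, assignments={"alice": "contributor"})
    folder = Node("folder-a", parent=project)  # inherits alice's role from proj-1
    return t, folder


def check(tenant: Tenant, **kwargs) -> str:
    """Return 'allow' or the denial reason."""
    try:
        authorize(tenant, **kwargs)
        return "allow"
    except Denied as exc:
        return str(exc)


if __name__ == "__main__":
    t, folder = build_sample()
    print(check(t, user="alice", node=folder, required_role="reader"))
    print(check(t, api_key="constructed-secret", node=folder))
```

Role inheritance is intentionally limited to the tenant's own hierarchy: a node whose root is a different tenant is rejected before any role assignment on it is honoured, which is what makes the tenant the isolation boundary rather than merely a naming prefix.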
Billing
All billing information is maintained in the financial systems. The tenant is linked to the business system through a billing reference.
Cloud platform usage is tracked in a consumption log and is always linked to the billing reference. The billing reference must be set on each tenant.
Billing Reference structure
- Type (EXT/DHI)
- Reference number (string): account number in the business system
- Tag: customer specific, e.g. a task identifier for DHI projects or a customer department
User Licensing
To access cloud services or apps, a user must be a valid tenant user. In the near future a special cloud access license will be required.
Cloud Application licensing
To access a cloud application there has to be a valid, non-expired license granted to the tenant. This applies to the available cloud applications: MeshBuilder, FastWave emulator, DataLink, ...
The tenant owner can disable access to a licensed application.
Each license has an expiration date.
Contact customer service for more information about licensing.
API access
Direct platform API access is not yet covered by special licenses.