Tenants and Policies
From the Tenants listing, you can select one of the Tenants, which sets the Current Tenant context for the Management UI. All navigation throughout the Management UI is then filtered, as appropriate, for the Current Tenant.
Current Tenant
Navigate to the Tenants listing and select a Tenant by clicking on the pin icon.
You will be redirected to the Policies listing with a Current Tenant selection indicated in the UI.
As you navigate the Management UI with a Current Tenant, there will be limited features available to the tenant, including:
You can manage custom Application Roles for a tenant
You can manage Permission Assignments for the custom Application Roles
You can manage Role Assignments based on Tenant user ID, identity roles or claims
To clear the Current Tenant, click the X on the Current Tenant indicator. This will redirect you to the Tenants listing to choose another Tenant.
Tenant Access to System Policies
With the Current Tenant selected, you can select a Policy and view it from the Manage Policy page. You will be able to view the Permissions, Application Roles, and Child Policies, but you will not be able to rename or delete them. In addition, you will not be able to create new Permissions, Application Roles, or Child Policies while the Current Tenant is selected. These are system-level assets, not associated with a specific tenant. As such, the edit and delete icons will not be visible for those items.
You can select a Permission and navigate to the Manage Permission page. This will show you any Permission Assignments created for the selected Permission at the system level. You will not be able to change this assignment.
You can select an Application Role and navigate to the Manage Application Role page with the Current Tenant selected. If there are any Role Assignments created for the Application Role at the system level, they will show in this list as read-only; that is, you cannot rename or delete any assignments. In other cases, as shown for Claims Evaluation Assignments below, there are no assignments at the system level, so the list is empty.
Custom Roles and Permission Assignments
Every Tenant has the ability to create custom Application Roles in order to create new groupings of Permissions for assignment. When managing a Policy for the Current Tenant selection, you can select the Add Role link and create a new Application Role that will be visible only to this Tenant.
After adding the Application Role, you will see it listed in the Manage Policy page. Since the newly added Application Role was created for the Current Tenant, you will be able to rename it or delete it.
In addition, you will be able to select a Permission and create a Permission Assignment to this new Application Role.
Tenant Role Assignments
Role Assignments created with a Current Tenant selection allow different tenants to associate potentially different groups of users to Application Roles. As with system-level assignments, you can create the following types of assignments unique to each Tenant:
Permission assignment
User ID assignment
Identity Role assignment
Claims Evaluation assignment
Tenant Permission Assignments
In the tenant context, if a permission is already assigned to a role, it cannot be assigned by the tenant; it will be disabled and labeled as inherited from the base policy.
If a permission is created in the base policy but not assigned to a role, a tenant can assign the permission to the role in the tenant context.
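The two rules above can be modelled as a base layer of system-level assignments with a per-tenant overlay on top. This is an added example, not code from the product: the PolicyModel class, its method names, and the sample permissions, roles and tenant IDs are hypothetical and constructed for illustration.

```python
from collections import defaultdict


class PolicyModel:
    """Hypothetical model: base-policy assignments plus a per-tenant overlay."""

    def __init__(self, permissions, base_assignments):
        self.permissions = set(permissions)   # permissions created in the base policy
        self.base = set(base_assignments)     # system-level {(permission, role)}
        self.tenant = defaultdict(set)        # tenant id -> {(permission, role)}

    def state(self, tenant_id, permission, role):
        """How a (permission, role) pair appears in this tenant's context."""
        if permission not in self.permissions:
            raise KeyError(f"unknown permission: {permission}")
        if (permission, role) in self.base:
            return "inherited"                # disabled for every tenant
        if (permission, role) in self.tenant[tenant_id]:
            return "tenant-assigned"
        return "assignable"

    def assign(self, tenant_id, permission, role):
        if self.state(tenant_id, permission, role) == "inherited":
            raise PermissionError("inherited from base policy")
        self.tenant[tenant_id].add((permission, role))

    def unassign(self, tenant_id, permission, role):
        # System-level assignments are read-only while a tenant is selected.
        if self.state(tenant_id, permission, role) == "inherited":
            raise PermissionError("inherited from base policy")
        self.tenant[tenant_id].discard((permission, role))

    def effective(self, tenant_id, role):
        """Permissions the role carries for this tenant: base plus its own overlay."""
        pairs = self.base | self.tenant[tenant_id]
        return {p for p, r in pairs if r == role}


def demo():
    # Constructed sample data.
    model = PolicyModel(
        permissions={"ViewReports", "ExportReports", "ManageUsers"},
        base_assignments={("ViewReports", "Analyst")},
    )
    model.assign("tenant-a", "ExportReports", "Analyst")
    return model


if __name__ == "__main__":
    m = demo()
    for tenant in ("tenant-a", "tenant-b"):
        print(tenant, sorted(m.effective(tenant, "Analyst")))
```

In this model, an assignment made in one tenant's context never appears in another tenant's effective set, and a base-policy assignment cannot be added or removed from any tenant's context.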
User ID Assignments
You can add User ID assignments manually by selecting Add User. The expectation is that you would be adding a user that belongs to the Current Tenant identity store.
You can also choose to Select Users from the User Search feature if it is enabled. In this case, the expectation is that your User Search implementation will filter the users for the Current Tenant.
Identity Role Assignments
You can add Identity Role assignments manually by selecting Add Role. The expectation is that you would be adding an identity role name that belongs to the Current Tenant identity store.
You can also choose to Select Roles from the Role Search feature if it is enabled. In this case, the expectation is that your Role Search implementation will filter the identity roles for the Current Tenant.
Claims Evaluation Assignments
You can add Claims Evaluation assignments by selecting Add Expression. The expectation is that you would be adding an expression that evaluates claims that are relevant to the identity store for the Current Tenant.