Multi-Tenant Guide¶
Preface¶
This document provides a basic overview of multi-tenancy in OVD Enterprise. It outlines the essential aspects to consider when deploying OVD in a multi-tenant configuration.
Overview¶
Multi-Tenancy is a term used to describe a single instance of a software application or service that delivers services to multiple, distinct sets of customers (typically subdivisions within organizations or other autonomous groups of users). Each distinct group is called a "tenant" in OVD. Multi-tenancy allows managed service providers and distributed IT departments to share resources like servers, databases, storage networks, and other backend services across tenants. At the same time, the tenants are isolated (or siloed) ensuring data privacy.
Inuvika OVD Enterprise is multi-tenant ready right out of the box. It requires no additional packages to purchase or install. Inuvika's intuitive Web-based Administration console also makes set-up remarkably easy. A single click is all it takes to activate multi-tenancy. A few more clicks and you can easily assign backend resources like application servers, storage, and directory services to new tenants. It's multi-tenancy made easy!
Use-Cases¶
Multi-tenant deployment scenarios can loosely fall into one of two types:
- Virtual Hosting - Individual tenants use shared resources, but are completely isolated from one another and cannot access each other's data. For example, Organization A and Organization B are two completely unrelated companies.
- Branch / Multi-Site - Individual tenants use shared resources but do not necessarily need to be isolated from one another. For example, Organization C is a parent company with multiple subdivisions that may (or may not) need complete isolation.
Security Considerations¶
Security is a primary consideration in a multi-tenant environment. By design, security and tenant isolation are enforced in OVD, but it is still possible to share data between tenants if needed. Therefore, understanding your security options within a multi-tenant OVD environment is critical to addressing the privacy concerns of your tenants.
- Application Servers can be shared across one or more tenants. As a software service provider, you want to give multiple tenants access to your application servers and leverage them as shared resources.
- File Servers can be shared across one or more tenants, but dedicated tenant storage points cannot be shared between tenants. For example, user profile and shared folder rights are restricted to users within their respective tenants.
- All tenants can use a single OVD Web Access server. It directs access to the correct service based on the user login information provided, or the domain name used to reach it.
- Like the Web Access server, a single OVD Secure Gateway can be used by all tenants with the same rules.
- Multi-Tenant OVD requires only one administration console for use by all administrators. It adapts its interface according to Global or Sub-Administrator rights assigned to individuals.
Important
Inuvika recommends limiting Application Server and File Server sharing as it can impact tenant isolation if not correctly managed.
Sharing Application Servers across multiple tenants requires advanced security configuration knowledge. If not correctly configured, the server Operating System may let users see other users' presence on the system. While they may not have the ability to access one another's data within a default server configuration, it is easy to enable higher level rights that result in one tenant being able to access select information about another tenant. Such a situation is almost impossible when using two separate servers with proper configuration.
Accidental data sharing using a single File Server for multiple tenants is unlikely to happen. However, for performance reasons and to avoid mistakes, we still recommend using multiple File Servers.
As a general IT best practice, having dedicated Sub-Administrators for tenants is better than using only one Global account. If needed, a dedicated Sub-Administrator can be assigned to manage more than one tenant. They will not, however, be able to change settings that affect tenants not assigned to them.
While they can manage tenants, Global Administrators should only be used to configure global OVD settings, create new tenants and designate new administrators.
Activating and Configuring Multi-Tenancy¶
Multi-tenancy is already included in OVD Enterprise. There are no additional packages to purchase or install. During a fresh installation, a single default tenant is automatically created, and multi-tenancy is disabled.
Activate Multi-Tenant Mode¶
To activate Multi-Tenant Mode, as a Global Administrator, go to the "Tenant Administration" tab in the "System" page in the OVD Admin Console. Select "Activate Multi-Tenant Mode".
Create a New Tenant¶
To create an additional tenant, as a Global Administrator, go to the "Tenant Administration" tab in the "System" page on the OVD Admin Console. Fill in the "Add Tenant" form fields to define a new tenant. Click the "Add this Tenant" button to continue to the next page.
Configuration Options¶
- The `name` and `description` fields are for display purposes only.
- The `domain` field is a unique domain name used by this tenant at login time. For example, a user named `John` in a tenant with the domain `example.com` logs in as `john@example.com`, which distinguishes him from a second user named `John` in a tenant with the domain `test.net`, whose login is `john@test.net`.
It is possible to assign more than one domain to a tenant. For example, we can add `example2.com` to the current tenant's domain list. `John` will then be able to start a session with either `john@example2.com` or `john@example.com`.
Only one tenant may exist without an assigned domain at any given time.
On the same page, you can assign application servers to this new tenant:
- All available application servers are shown under the "List of Servers Available to this Tenant" heading. Assign one or more servers to this tenant by clicking the "Add this Server" button beside the server you wish to assign.
To learn more about application server installation and configuration, refer to the OVD Installation and Configuration Guide.
Assigning an External Directory to a Tenant¶
On the "Users / Domain Integration Settings" tab:
To assign an external directory service, such as Microsoft Active Directory or an LDAP service, as a tenant Administrator, select the directory type from the drop-down menu and fill in the form fields.
Managing Multi-Tenancy¶
As a dedicated Sub-Administrator (non-Global) you are responsible for managing users, applications, storage and application publications for your tenants.
Assigning Administrators¶
On the "System / Administrators" tab:
To create a new administrator, ensure you are logged in as a Global Administrator, then complete the `Login` and `Password` fields to create a new Administrator.
- The `Global Admin` checkbox (if selected) makes the new administrator a Global Administrator with the same rights as other Global Administrators.
- If the checkbox is not selected, a Sub-Administrator is created. It is, however, possible to allow this administrator to manage more than one tenant.
To assign an administrator to a tenant, select the tenant from the drop-down list under `Tenants Managed by this Administrator` and click on `Add to this tenant`.
Similarly, to unassign an administrator from a tenant, locate the tenant and click on `Delete from this tenant`.
Administration Console Interface¶
Most settings in the Administration Console are tenant-specific, except for those involving multiple tenants (e.g., Servers or Active Session pages). You can switch tenants via the menu in the top-right corner.
For more information, please refer to the Administration Guide.
Special Considerations¶
Moving from Single to Multi-Tenant Mode¶
The following applies to environments that are running exclusively in single tenant mode.
If you are running a production OVD server farm in single tenant mode and wish to activate Multi-Tenant mode, be aware of the following:
- Single tenant environments that have implemented custom administration scripts may experience conflicts when converted into Multi-Tenant mode. You may need to update your scripts if this occurs. Refer to the Administration API Guide for information on OVD APIs.
- Pre-existing delegated administrator rights may need to be reassigned to access one or more tenants in a new multi-tenant environment. When initially logged into the Administration Console, the default tenant is automatically assigned.
Domain Name and service access point¶
In a multi-tenant OVD setup, the administrator sets one or more unique domain names for each tenant.
All users must specify the tenant to which they belong. One way to do it is by adding `@domain_name` to their login name. For example, user `dpaul` from tenant `my-company` will log in as `dpaul@my-company`.
Another option is to configure the DNS so that each tenant has its own name for the OVD Web Access or Admin Console. Continuing the previous example, assuming the hosting provider has `example.com` as their domain name, it is possible to open Web Access for tenant `my-company` with `my-company.example.com` and use just `dpaul` as a login. OVD recognizes the right tenant from the domain name.
The easiest way to achieve this is to create a wildcard DNS record: a record for `*.example.com` with a `CNAME` or `A` pointing to the Web Access machine.
If a default tenant is set, it will be the fallback option if no other tenant information is present.
Warning
In order to communicate Service Notices to users of a specific tenant, please ensure each tenant connects to OVD through a unique access point. Display of Service Notices depends on each unique tenant access URL.
This means every domain's users should have a unique address/FQDN they use to access OVD. For example, `user1@testdomain.org` and `user1@testdomainTWO.org` do not use the same address to access OVD. Instead, `testdomain.org` and `testdomainTWO.org` have different access points for their respective users.
Special considerations for Active Directory¶
When using Active Directory users, the administrator should define every domain of the forest (both the UPN suffixes and the NetBIOS names) for the tenant. This is especially pertinent when using the userPrincipalName form of login and/or when the environment spans multiple forests.
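The domain rules from the Configuration Options, the Domain Name section and the Active Directory note above combine into one resolution order: explicit login suffix, then the access FQDN the user arrived on, then the default tenant. The following Python model is an added illustration for this guide; it is not Inuvika's code and does not call the OVD API. It encodes those rules (one domain per tenant, only one tenant without a domain, wildcard-DNS access points, UPN suffixes and NetBIOS names as tenant domains) so the precedence and the failure modes can be exercised offline. The tenant names, domains and hostnames are constructed, and the decision to refuse a login whose suffix contradicts its access point is this model's own conservative choice, not documented OVD behaviour.

```python
"""Model of how a login and an access point map to a tenant (added example, not OVD code)."""
from typing import Dict, List, Optional, Tuple


class Tenant:
    def __init__(self, name: str, domains: List[str], access_hosts: List[str] = ()):
        self.name = name
        # Login suffixes; for AD tenants also every UPN suffix and NetBIOS name of the forest.
        self.domains = list(domains)
        # FQDN(s) this tenant's users reach Web Access through, e.g. my-company.example.com.
        self.access_hosts = list(access_hosts)


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Return (username, tenant_domain); the domain is None when the login has no suffix."""
    if "\\" in login:                       # NetBIOS form: CORP\dpaul
        domain, user = login.split("\\", 1)
        return user, domain
    if "@" in login:                        # UPN / e-mail form: dpaul@my-company
        user, domain = login.rsplit("@", 1)
        return user, domain
    return login, None


class TenantRegistry:
    def __init__(self, tenants: List[Tenant], default: Optional[Tenant] = None):
        self.default = default
        self.by_domain: Dict[str, Tenant] = {}
        self.by_host: Dict[str, Tenant] = {}
        # Guide rule: only one tenant may exist without an assigned domain.
        if sum(1 for t in tenants if not t.domains) > 1:
            raise ValueError("more than one tenant has no domain assigned")
        for t in tenants:
            for d in t.domains:           # a domain identifies exactly one tenant
                if d.lower() in self.by_domain:
                    raise ValueError(f"domain {d!r} already assigned to {self.by_domain[d.lower()].name!r}")
                self.by_domain[d.lower()] = t
            for h in t.access_hosts:      # an access point identifies exactly one tenant
                if h.lower() in self.by_host:
                    raise ValueError(f"access point {h!r} already used by {self.by_host[h.lower()].name!r}")
                self.by_host[h.lower()] = t

    def resolve(self, login: str, host: Optional[str] = None) -> Tuple[Tenant, str]:
        """Map a login (and the FQDN it arrived on) to (tenant, username) or raise LookupError."""
        user, suffix = split_login(login)
        host_tenant = self.by_host.get(host.lower()) if host else None
        if suffix is not None:
            tenant = self.by_domain.get(suffix.lower())
            if tenant is None:
                # An explicit but unregistered domain is rejected, never sent to the default tenant.
                raise LookupError(f"unknown tenant domain {suffix!r}")
            if host_tenant is not None and host_tenant is not tenant:
                # Model's own choice: a suffix that contradicts the access point is refused.
                raise LookupError(f"login domain {suffix!r} does not match access point {host!r}")
            return tenant, user
        if host_tenant is not None:
            return host_tenant, user
        if self.default is not None:        # guide: default tenant is the fallback
            return self.default, user
        raise LookupError("no tenant information in login or access point")


def try_resolve(registry: TenantRegistry, login: str, host: Optional[str] = None) -> Optional[str]:
    """Tenant name for a login, or None when the registry refuses it."""
    try:
        return registry.resolve(login, host)[0].name
    except LookupError:
        return None


def registry_error(tenants: List[Tenant]) -> Optional[str]:
    """The configuration error a tenant set would raise, or None if it is consistent."""
    try:
        TenantRegistry(tenants)
        return None
    except ValueError as exc:
        return str(exc)


def tenants_without_own_access_point(tenants: List[Tenant]) -> List[str]:
    """Tenants that cannot receive tenant-specific Service Notices (see the Warning above)."""
    return [t.name for t in tenants if not t.access_hosts]


def example_registry() -> TenantRegistry:
    # Constructed: the hosting provider owns example.com and *.example.com points at Web Access.
    default = Tenant("default", [])
    my_company = Tenant("my-company", ["my-company", "CORP"], ["my-company.example.com"])
    test_net = Tenant("test-net", ["test.net"], ["test-net.example.com"])
    return TenantRegistry([default, my_company, test_net], default=default)
```

Note that the default tenant only catches logins that carry no tenant information at all; a login with an unknown suffix is refused, which is the behaviour to verify on a real deployment before relying on the fallback.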
Delegating Application Servers to Tenants¶
As a best practice, usually one Application Server is assigned to only one tenant, rather than shared between tenants. However, OVD allows you to share an Application Server across multiple tenants to consolidate resources.
When sharing the same Application Server across multiple tenants, connected users may be able to notice each other and realize that multiple tenants share the server. Under a default server configuration they will not, however, be able to access each other's data.
Examples¶
- Default Windows and Linux operating system permissions allow users to see the names of other users' folders on the server. However, users cannot open the folders or access anything within them.
- Opening the Windows Task Manager or Linux System Monitor may show another user's process that is currently running. Users cannot, however, affect the process in any way.
Steps You Can Take¶
In the Inuvika OVD Installation Guide, we explain how to lock down and hide user home directory listings at a minimum. However, if it is a requirement that tenants be completely isolated, it is best not to share an Application Server across more than one tenant.
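As an added example for a Linux Application Server, the script below audits and closes the two leaks listed above: home folder names visible to other users, and other users' processes visible in a process monitor. It is not the procedure from the Inuvika Installation Guide (which this page references but does not reproduce); the modes it applies (home root 0711 so it can be traversed but not listed, each home 0700) and the `hidepid=2` option it checks for on the `/proc` mount are conventional Linux hardening assumed here. The directory tree, user names and the `/proc/mounts` sample are constructed so the script runs offline.

```python
"""Audit and lock down home directories and /proc visibility on a shared Linux
Application Server (added example; the modes and mount option are assumptions,
not the Installation Guide's procedure)."""
import os
import stat
import tempfile

HOME_ROOT_MODE = 0o711   # others may traverse into their own home, but cannot list /home
USER_HOME_MODE = 0o700   # only the owner can enter or read a home directory


def listable_by_others(path: str) -> bool:
    """True if group or others hold read permission (directory listing) on path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_homes(home_root: str):
    """Names of directories whose listing is exposed; the root is reported as 'home/'."""
    findings = []
    if listable_by_others(home_root):
        findings.append(os.path.basename(home_root.rstrip("/")) + "/")
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        if os.path.isdir(path) and not os.path.islink(path) and listable_by_others(path):
            findings.append(name)
    return findings


def lockdown_homes(home_root: str):
    """Apply the restrictive modes and return the remaining findings (expected: none)."""
    os.chmod(home_root, HOME_ROOT_MODE)
    for name in os.listdir(home_root):
        path = os.path.join(home_root, name)
        if os.path.isdir(path) and not os.path.islink(path):
            os.chmod(path, USER_HOME_MODE)
    return audit_homes(home_root)


def proc_hidepid(mounts_text: str):
    """hidepid value of the /proc mount from /proc/mounts text ('0' if unset, None if absent)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    return opt.split("=", 1)[1]
            return "0"
    return None


def processes_hidden(mounts_text: str) -> bool:
    """True when other users' processes are hidden (hidepid=2, or 'invisible' on kernels >= 5.8)."""
    return proc_hidepid(mounts_text) in ("2", "invisible")


# Constructed /proc/mounts lines: a default mount and a hardened one.
SAMPLE_MOUNTS_DEFAULT = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_MOUNTS_HARDENED = "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0\n"


def demo():
    """Build a constructed /home with two world-listable homes, then lock it down."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        os.mkdir(home)
        os.chmod(home, 0o755)                      # explicit modes so the umask does not matter
        for user in ("alice", "bob"):
            os.mkdir(os.path.join(home, user))
            os.chmod(os.path.join(home, user), 0o755)
        before = audit_homes(home)
        after = lockdown_homes(home)
        return before, after


if __name__ == "__main__":
    print("findings before / after:", demo())
    print("processes hidden on hardened mount:", processes_hidden(SAMPLE_MOUNTS_HARDENED))
```

On a production server run `audit_homes("/home")` first and review the list before applying the modes, since some applications expect a traversable home root; the `/proc` check reads `open("/proc/mounts").read()` in place of the constructed sample. Even with both applied, the server still reveals that other accounts exist, which is why the text above recommends a dedicated Application Server when tenants must be fully isolated.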
Delegating File Servers to Tenants¶
Sharing OVD File Servers to multiple tenants is generally not a problem, as users can only access storage units assigned in their profile, or Shared Folders.
Note that having two Shared Folders with the same name for two different tenants will still result in two unique storage units, even when located on the same File Server.
The only way to share files between two or more tenants is to assign a common external data share point using the External Data Storage function.
Example¶
- Users in one or more tenants are allowed to map to shared folders on an external network drive.
Deactivating Multi-Tenancy¶
To deactivate Multi-Tenant Mode, as a Global Administrator, go to the "Tenant Administration" tab in the "System" page in the OVD Admin Console. There should only be a single tenant on this page. If you have more than one tenant, you must delete tenants before you can deactivate multi-tenancy.
Warning
If you delete a tenant from this page, any configuration / settings assigned to this tenant will also be lost.
To deactivate multi-tenancy once only a single tenant remains, click on `Deactivate Multi-Tenant Mode`.