Multi-Tenant Guide

Preface

This document describes the multi-tenant feature.

History

Version  Date        Comments
1.1      2020-01-30  Multi-domain support
1.0      2019-03-05  Creation of the document

Introduction

This document provides a basic overview of multi-tenancy in OVD Enterprise. It outlines the essential aspects to consider when deploying OVD in a multi-tenant configuration.

Overview

Multi-Tenancy is a term used to describe a single instance of a software application or service that delivers services to multiple, distinct sets of customers (typically subdivisions within organizations or other autonomous groups of users). Each distinct group is called a "tenant" in OVD. Multi-tenancy allows managed service providers and distributed IT departments to share resources like servers, databases, storage networks, and other backend services across tenants. At the same time, the tenants are isolated (or siloed) ensuring data privacy.

Inuvika OVD Enterprise is multi-tenant ready right out of the box. It requires no additional packages to purchase or install. Inuvika's intuitive Web-based Administration console also makes set-up remarkably easy. A single click is all it takes to activate multi-tenancy. A few more clicks and you can easily assign backend resources like application servers, storage, and directory services to new tenants. It's multi-tenancy made easy!

Use-Cases

Multi-tenant deployment scenarios can loosely fall into one of two types:

  • Virtual Hosting - Individual tenants use shared resources, but are completely isolated from one another and cannot access each other's data. For example, Organization A and Organization B are two completely unrelated companies.

  • Branch / Multi-Site - Individual tenants use shared resources but do not necessarily need to be isolated from one another. For example, Organization C is a parent company with multiple subdivisions that may (or may not) need complete isolation.

Security Considerations

Security is a primary consideration in a multi-tenant environment. By design, security and tenant isolation are enforced in OVD, but it is still possible to share data between tenants if needed. Therefore, understanding your security options within a multi-tenant OVD environment is critical to addressing the privacy concerns of your tenants.

  • Application Servers can be shared across one or more tenants. As a software service provider, you want to give multiple tenants access to your application servers and leverage them as shared resources.
  • File Servers can be shared across one or more tenants, but dedicated tenant storage points cannot be shared between tenants. For example, user profile and shared folder rights are restricted to users within their respective tenants.
  • All tenants can use a single OVD Web Access server. It directs access to the correct service based on the user login information provided, or the domain name used to reach it.
  • Like the Web Access server, a single OVD Secure Gateway can be used by all tenants with the same rules.
  • Multi-Tenant OVD requires only one administration console for use by all administrators. It adapts its interface according to Global or Sub-Administrator rights assigned to individuals.

Important

Inuvika recommends limiting Application Server and File Server sharing as it can impact tenant isolation if not correctly managed.

Sharing Application Servers across multiple tenants requires advanced security configuration knowledge. If not correctly configured, the server Operating System may let users see other users' presence on the system. While they may not have the ability to access one another's data within a default server configuration, it is easy to enable higher level rights that result in one tenant being able to access select information about another tenant. Such a situation is almost impossible when using two separate servers with proper configuration.

Accidental data sharing using a single File Server for multiple tenants is unlikely to happen. However, for performance reasons and to avoid mistakes, we still recommend using multiple File Servers.

As a general IT best practice, having dedicated Sub-Administrators for tenants is better than using only one Global account. If needed, a dedicated Sub-Administrator can be assigned to manage more than one tenant. They will not, however, be able to change settings that affect tenants not assigned to them.

While they can manage tenants, Global Administrators should only be used to configure global OVD settings, create new tenants and designate new administrators.

Activating and Configuring Multi-Tenancy

Multi-tenancy is already included in OVD Enterprise. There are no additional packages to purchase or install. During a fresh installation, a single default tenant is automatically created, and multi-tenancy is disabled.

Activate Multi-Tenant Mode

To activate Multi-Tenant Mode, as a Global Administrator, go to the "Tenant Administration" tab in the "System" page in the OVD Admin Console. Select "Activate Multi-Tenant Mode".

Create a New Tenant

To create an additional tenant, as a Global Administrator, go to the "Tenant Administration" tab in the "System" page on the OVD Admin Console. Fill in the "Add Tenant" form fields to define a new tenant. Click the "Add this Tenant" button to continue to the next page.

Configuration Options
  • The name and description sections are for display purposes only.
  • The domain field is a unique domain name used by this tenant at login time. For example, a user named John in a tenant with the domain example.com logs in as john@example.com, which distinguishes him from a second user named John in the tenant with the domain test.net, whose login is john@test.net.

In OVD versions 2.8 or greater, it is possible to assign more than one domain to a tenant. For example, we can add example2.com to the current tenant domain list. John will then be able to start a session with john@example2.com and john@example.com.

Only one tenant may exist without an assigned domain at any given time.

On the same page, you can assign application servers to this new tenant:

  • All available application servers are shown under the "List of Servers Available to this Tenant" heading. Assign one or more servers to this tenant by clicking the "Add this Server" button beside the server you wish to assign.

To learn more about application server installation and configuration, refer to the OVD Installation and Configuration Guide.

Assigning an External Directory to a Tenant

On the "Users / Domain Integration Settings" tab:

To assign an external directory service, such as Microsoft Active Directory or an LDAP service, as a tenant Administrator select the directory type from the drop-down menu and fill in the form fields.

Managing Multi-Tenancy

As a dedicated Sub-Administrator (non-Global) you are responsible for managing users, applications, storage and application publications for your tenants.

Assigning Administrators

On the "System / Administrators" tab:

To create a new administrator, ensure you are logged in as a Global Administrator, then complete the Login and Password fields to create the new Administrator.

  • The Global Admin checkbox (if selected) makes the new administrator a Global Administrator with the same rights as other Global Administrators.
  • If the checkbox is not selected, a Sub-Administrator is created. It is, however, possible to allow this administrator to manage more than one tenant.

To assign an administrator to a tenant, select the tenant from the drop-down list under "Tenants Managed by this Administrator" and click "Add to this tenant".

Similarly, to unassign an administrator from a tenant, locate the tenant and click "Delete from this tenant".
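The scoping rules above (Global Administrators manage everything, Sub-Administrators only their assigned tenants, and only a Global Administrator may add or remove an administrator's tenants) are easy to get wrong in custom administration scripts. The following model is an added illustration written for this guide; it is not Inuvika code and does not use the OVD API. The action names and the "root" / "sub-admin" logins are constructed for the example.

```python
"""Administrator scoping for a multi-tenant OVD farm.

Added illustration, not Inuvika code. It encodes the guide's rules: a Global
Administrator may manage every tenant and the global settings; a
Sub-Administrator may change only the tenants assigned to it, may be assigned
to several tenants, and only a Global Administrator assigns or removes tenants.
Action names and the demo logins are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Actions reserved to Global Administrators (global OVD settings, new tenants, new admins).
GLOBAL_ONLY_ACTIONS = {"activate_multi_tenant", "create_tenant", "delete_tenant",
                       "create_administrator", "assign_tenant_to_administrator"}
# Tenant-scoped actions: the pages that are grayed out until a single tenant is selected.
TENANT_ACTIONS = {"manage_users", "manage_storage", "manage_sessions",
                  "assign_application_server", "configure_directory"}


@dataclass
class Administrator:
    login: str
    is_global: bool = False
    managed_tenants: Set[str] = field(default_factory=set)


def is_authorized(admin: Administrator, action: str, tenant: Optional[str] = None) -> bool:
    """Deny by default: only listed actions, and tenant-scoped actions only
    against an explicitly selected tenant (Global View cannot edit them in bulk)."""
    if action in GLOBAL_ONLY_ACTIONS:
        return admin.is_global
    if action in TENANT_ACTIONS:
        if tenant is None:
            return False
        return admin.is_global or tenant in admin.managed_tenants
    return False


def assign_tenant(actor: Administrator, admin: Administrator, tenant: str) -> bool:
    """'Add to this tenant': only a Global Administrator may grant tenant access,
    so a Sub-Administrator cannot widen its own scope. Returns True if applied."""
    if not is_authorized(actor, "assign_tenant_to_administrator"):
        return False
    admin.managed_tenants.add(tenant)
    return True


def unassign_tenant(actor: Administrator, admin: Administrator, tenant: str) -> bool:
    """'Delete from this tenant': same rule as assign_tenant."""
    if not is_authorized(actor, "assign_tenant_to_administrator"):
        return False
    admin.managed_tenants.discard(tenant)
    return True


def demo() -> dict:
    """Constructed walk-through returning the authorization decisions taken."""
    root = Administrator("root", is_global=True)
    sub = Administrator("sub-admin")
    assign_tenant(root, sub, "my-company")
    assign_tenant(root, sub, "example-corp")
    return {
        "sub manages own tenant": is_authorized(sub, "manage_users", "my-company"),
        "sub edits other tenant": is_authorized(sub, "manage_users", "test-net"),
        "sub creates tenant": is_authorized(sub, "create_tenant"),
        "sub self-grants": assign_tenant(sub, sub, "test-net"),
        "global in Global View": is_authorized(root, "manage_storage"),
        "global on one tenant": is_authorized(root, "manage_storage", "test-net"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:24} -> {result}")
```

The deny-by-default shape matters more than the action list: an unknown action or a tenant-scoped action without a selected tenant is refused, which mirrors the console graying out tenant pages in Global View.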

Administration Console Interface

Activating new tenants modifies the options displayed in the Administration console interface. If you have access to only one tenant, the interface looks like a single OVD installation and can only change settings for that specific tenant.

  • In the top-right menu, you may select individual tenants to manage, or select Global View to see available sessions and reporting for all tenants.

If you have access to multiple tenants, some top-level menu items and links are grayed out in Global View, because those pages contain settings that belong to an individual tenant and cannot be modified for all tenants at once. You must first switch your management view to a single tenant before you can make any changes. Use the drop-down menu in the top-right corner to select the tenant you wish to manage. Individual tenant settings include:

  • Users (groups, directory services, etc.)
  • Storage (shared folders and external storage)
  • Session (session preferences, scripts, publications, etc.)

For more information, please refer to the Administration Guide.

Special Considerations

Moving from Single to Multi-Tenant Mode

The following applies to environments that are running exclusively in single tenant mode.

If you are running a production OVD server farm in single tenant mode and wish to activate Multi-Tenant mode, be aware of the following:

  • Single tenant environments that have implemented custom administration scripts may experience conflicts when converted into Multi-Tenant mode. You may need to update your scripts if this occurs. Refer to the Session Manager Admin API guide for information on OVD APIs.

  • Pre-existing delegated administrator rights may need to be reassigned to access one or more tenants in a new multi-tenant environment. When initially logged into the Administration Console, the default tenant is automatically assigned.

Domain Name and service access point

In a multi-tenant OVD setup, the administrator sets a unique domain name for each tenant. In OVD versions 2.8 or greater, it is possible to assign more than one domain to each tenant. All users must specify the tenant to which they belong. One way to do it is by adding @domain_name to their login name. For example, user dpaul from tenant my-company will log in as dpaul@my-company.

Another option is to configure DNS so that each tenant reaches the OVD Web Access or Admin Console through its own host name. Continuing the previous example, if the hosting provider's domain is example.com, Web Access for tenant my-company can be opened at my-company.example.com using just dpaul as the login. OVD recognizes the right tenant from the host name used.

The easiest way to achieve this is to create a wildcard DNS record: a record for *.example.com with a CNAME or A entry pointing to the Web Access machine.

If a default tenant is set, it will be the fallback option if no other tenant information is present.
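The three ways a login is attributed to a tenant (user@domain, the host name prefix under the wildcard DNS zone, and the default tenant as fallback), together with the rules from the "Configuration Options" section that a tenant may own several domains and that only one tenant may exist without a domain, are shown in the following model. It is an added example written for this guide, not OVD code: the tenant names, the domains and the provider domain "provider.example" are constructed sample values, and the choice to reject an explicit but unknown domain rather than fall back to the default tenant is an assumption of the example.

```python
"""Tenant resolution for OVD-style logins: user@domain, host-name prefix, or default.

Added illustration; it is not OVD code. All tenant names, domains and the
provider domain "provider.example" below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tenant:
    name: str
    domains: Tuple[str, ...] = ()   # empty: the one tenant allowed to have no domain


def config_errors(tenants: List[Tenant]) -> List[str]:
    """Check the two constraints stated in the guide: a domain belongs to exactly
    one tenant, and at most one tenant may exist without an assigned domain."""
    errors: List[str] = []
    seen: Dict[str, str] = {}
    domainless = [t.name for t in tenants if not t.domains]
    for t in tenants:
        for d in t.domains:
            d = d.lower()
            if d in seen and seen[d] != t.name:
                errors.append(f"domain {d} is assigned to both {seen[d]} and {t.name}")
            seen[d] = t.name
    if len(domainless) > 1:
        errors.append("more than one tenant without a domain: " + ", ".join(domainless))
    return errors


class TenantResolver:
    def __init__(self, tenants: List[Tenant], service_domain: str,
                 default_tenant: Optional[str] = None):
        problems = config_errors(tenants)
        if problems:
            raise ValueError("; ".join(problems))
        self.service_domain = service_domain.lower()
        self.default_tenant = default_tenant
        self.by_domain = {d.lower(): t for t in tenants for d in t.domains}

    def resolve(self, login: str, host: Optional[str] = None) -> Optional[Tuple[str, str]]:
        """Return (tenant name, user name), or None when the login must be rejected.

        Rule 1: user@domain selects the tenant owning that domain (this also covers
                Active Directory userPrincipalName logins, since the guide requires
                the tenant domain to match the AD domain).
        Rule 2: a bare login arriving at <tenant-domain>.<service_domain> selects
                that tenant (the wildcard DNS setup).
        Rule 3: otherwise the default tenant, if one is configured.
        """
        login = login.strip()
        user, at, domain = login.rpartition("@")
        if at:
            tenant = self.by_domain.get(domain.lower())
            # Assumption: an explicit but unknown domain is an error, not a
            # reason to fall back to the default tenant.
            return (tenant.name, user) if tenant and user else None
        if host:
            host = host.lower().rstrip(".")
            suffix = "." + self.service_domain
            if host.endswith(suffix):
                tenant = self.by_domain.get(host[: -len(suffix)])
                if tenant:
                    return (tenant.name, login)
        if login and self.default_tenant:
            return (self.default_tenant, login)
        return None


def demo_resolver() -> TenantResolver:
    """Constructed sample farm: one domainless default tenant plus three others."""
    tenants = [
        Tenant("default"),
        Tenant("my-company", ("my-company",)),
        Tenant("example-corp", ("example.com", "example2.com")),   # OVD >= 2.8: several domains
        Tenant("test-net", ("test.net",)),
    ]
    return TenantResolver(tenants, service_domain="provider.example", default_tenant="default")


if __name__ == "__main__":
    r = demo_resolver()
    for login, host in [("john@example2.com", None), ("dpaul", "my-company.provider.example"),
                        ("dpaul", "admin.provider.example"), ("dpaul@nowhere.org", None)]:
        print(f"{login!r:22} via {host!r:32} -> {r.resolve(login, host)}")
```

The validation in config_errors is the part worth copying into any provisioning script: a domain that ends up on two tenants, or a second tenant without a domain, makes tenant attribution ambiguous and therefore weakens the isolation the rest of the guide relies on.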

Special considerations for Active Directory

When using Active Directory users, the tenant domain must match the AD domain.

This is especially pertinent when using the userPrincipalName form of login.

In OVD versions 2.8 or greater, when Active Directory is configured as a multi-forest domain, every domain of the forests can be added to the same tenant.

Delegating Application Servers to Tenants

As a best practice, an Application Server is usually assigned to only one tenant rather than shared between tenants. However, OVD allows you to share an Application Server across multiple tenants to consolidate resources.

When sharing the same Application Server across multiple tenants, connected users may find ways to be aware of each other and realize that multiple tenants share the server. They will not, however, be able to access each other's data.

Examples

  • Default Windows and Linux Operating System rules allow users to see other users' folders on the server. However, users cannot open the folders or access anything within them.

  • Opening the Windows Task Manager or Linux System Monitor may show another user's process that is currently running. Users cannot, however, affect the process in any way.

Steps You Can Take

In the Inuvika OVD Installation Guide, we explain how to lock down and hide user home directory listings at a minimum. However, if it is a requirement that tenants be completely isolated, it is best not to share an Application Server across more than one tenant.
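The folder-visibility example above comes down to permission bits on the home directory tree of a shared Linux Application Server. The following audit is an added example written for this guide, not Inuvika's installer or scripts: it reads the mode bits of each home directory, reports which ones other local users could list, traverse or write, and can apply the minimal lock-down (home root 0711 so users still reach their own directory but cannot enumerate the others; flagged homes 0700). build_demo_tree() creates a constructed sample tree in a temporary directory so the script runs without touching a real /home.

```python
"""Audit (and optionally fix) home-directory visibility on a shared Linux Application Server.

Added illustration, not Inuvika's installer or scripts. It flags the situation the
guide describes: default permissions let one user list other users' home folders.
build_demo_tree() creates a constructed sample tree in a temporary directory.
"""
import os
import stat
import tempfile
from typing import Dict, List


def audit_home_visibility(home_root: str) -> Dict[str, object]:
    """Return {"root_listable": bool, "homes": {name: [findings]}}.

    Mode bits are read from the inode (st_mode), so the result is the same
    whoever runs the audit. "root_listable" means any local user can enumerate
    which home directories exist (the presence leak); "homes" lists directories
    whose 'other' bits let unrelated users list, traverse or write them.
    """
    root_mode = stat.S_IMODE(os.stat(home_root).st_mode)
    report: Dict[str, object] = {"root_listable": bool(root_mode & stat.S_IROTH), "homes": {}}
    for entry in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, entry)
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        findings: List[str] = []
        if mode & stat.S_IROTH:
            findings.append("others can list contents")
        if mode & stat.S_IXOTH:
            findings.append("others can traverse")
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append("others can write")
        if findings:
            report["homes"][entry] = findings
    return report


def remediate(home_root: str, apply: bool = False) -> Dict[str, int]:
    """Plan (and with apply=True perform) the minimal lock-down: home root 0711 so
    users can still reach their own directory but not list others, and each
    flagged home 0700. Returns {path: new_mode}."""
    plan: Dict[str, int] = {}
    report = audit_home_visibility(home_root)
    if report["root_listable"]:
        plan[home_root] = 0o711
    for name in report["homes"]:
        plan[os.path.join(home_root, name)] = 0o700
    if apply:
        for path, mode in plan.items():
            os.chmod(path, mode)
    return plan


def build_demo_tree() -> str:
    """Constructed sample: a world-listable home root with one 0755 and one 0700 home."""
    root = tempfile.mkdtemp(prefix="ovd-homes-")
    os.chmod(root, 0o755)
    for name, mode in (("alice", 0o755), ("bob", 0o700)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)   # explicit chmod: os.mkdir's mode argument is subject to umask
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("before:", audit_home_visibility(root))
    print("plan:  ", remediate(root, apply=True))
    print("after: ", audit_home_visibility(root))
```

Run it first with apply=False against the real home root to review the plan; remember that group bits, ACLs and the session's umask also matter, and that this only narrows what the guide calls presence awareness, not the stronger isolation of one Application Server per tenant.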

Delegating File Servers to Tenants

Sharing OVD File Servers across multiple tenants is generally not a problem, as users can only access the storage units assigned in their profile, or Shared Folders.

Note that having two Shared Folders with the same name for two different tenants will still result in two unique storage units, even when located on the same File Server.

The only way to share files between tenants is to assign a common external data share point using the External Data Storage function.

Example

  • Users in one or more tenants are allowed to map to shared folders on an external network drive.

Deactivating Multi-Tenancy

To deactivate Multi-Tenant Mode, as a Global Administrator, go to the "Tenant Administration" tab in the "System" page in the OVD Admin Console. There should only be a single tenant on this page. If you have more than one tenant, you must delete tenants before you can deactivate multi-tenancy.

Warning

If you delete a tenant from this page, any configuration / settings assigned to this tenant will also be lost.

To deactivate multi-tenancy once only a single tenant remains, click "Deactivate Multi-Tenant Mode".